ipfw / natd does not allow LAN traffic to reach external numbers
johannes2 at smartnet.se
Sun Aug 10 14:39:09 PDT 2003
I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here
is a list with some details:
*) The FreeBSD box uses natd and ipfw, and has two external IPs,
let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.
*) natd is used to redirect access to external IP addresses and ports
to internal LAN IPs, for example 192.168.0.20 and 192.168.0.21,
where for example webservers are located.
*) natd rules:
natd_flags="-redirect_address 192.168.0.20 aaa.bbb.ccc.20
-redirect_port tcp 192.168.0.21:25-52 25-52
-redirect_port udp 192.168.0.21:25-52 25-52
-redirect_port tcp 192.168.0.30:80 80
-redirect_port udp 192.168.0.30:80 80
-redirect_port tcp 192.168.0.21:54-79 54-79
-redirect_port udp 192.168.0.21:54-79 54-79
-redirect_port tcp 192.168.0.21:81-722 81-722
-redirect_port udp 192.168.0.21:81-722 81-722
-redirect_port tcp 192.168.0.21:3306-4559 3306-4559
-redirect_port udp 192.168.0.21:3306-4559 3306-4559"
*) ipfw lets things through:
00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any
Most things work just fine: external access is redirected to the
correct ports, and the webservers work just fine. BUT the problem
comes when a box on the LAN tries to reach a site residing on
192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. Then I get the
error: "Unable to connect to remote host". Connecting from a LAN
machine to the same site using the _internal_ IP works fine.
Connecting to other external IPs also works fine.
I want to be able to connect from LAN boxes to the external IPs, for
example aaa.bbb.ccc.20. Can anyone lead me on the way...? Very
thankful for all comments on this matter.
Smartnet Sverige AB
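Editor's note, added below the post and not part of it: the ruleset above only hands packets to natd when they cross fxp0 (rule 00050, "via fxp0"). A LAN client's packet to aaa.bbb.ccc.20 arrives on the inside interface, so it never matches that rule, natd never sees it, and the gateway receives it on its own alias address instead of redirecting it to 192.168.0.20. The model below walks both an Internet-originated packet and a LAN-originated one through the posted ipfw rules and natd redirect table to show exactly where the two paths diverge. It is example code written for this page, not the poster's configuration or FreeBSD's own ipfw/natd logic. Assumptions not in the post: the inside interface is called fxp1, 203.0.113.20/.21 stand in for the masked aaa.bbb.ccc.20 and ddd.eee.fff.21, both external addresses are configured on the gateway itself, the port redirects (which name no alias address) apply to natd's default alias address ddd.eee.fff.21, and the gateway's LAN address is 192.168.0.1.

```python
import ipaddress
from dataclasses import dataclass, replace

# Interfaces and addresses. Only fxp0 appears in the post; the rest is assumed
# for this model (documentation-range addresses stand in for the masked ones).
WAN_IF = "fxp0"
LAN_IF = "fxp1"                      # assumed name of the inside interface
EXT_A = "203.0.113.20"               # stands in for aaa.bbb.ccc.20
EXT_B = "203.0.113.21"               # stands in for ddd.eee.fff.21, natd's default alias address
GW_LAN = "192.168.0.1"               # assumed LAN address of the gateway
LOCAL_ADDRS = {EXT_A, EXT_B, GW_LAN}  # addresses configured on the FreeBSD box itself
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    iface: str       # interface the packet is crossing when ipfw sees it
    direction: str   # "in" (arriving on iface) or "out" (leaving via iface)


# natd redirect table transcribed from the poster's natd_flags.
# -redirect_address covers every port of EXT_A; -redirect_port entries given
# without an alias address apply to the default alias address, EXT_B.
REDIRECTS = [
    ("any", EXT_A, None, "192.168.0.20"),
    ("tcp", EXT_B, range(25, 53), "192.168.0.21"),
    ("udp", EXT_B, range(25, 53), "192.168.0.21"),
    ("tcp", EXT_B, range(80, 81), "192.168.0.30"),
    ("udp", EXT_B, range(80, 81), "192.168.0.30"),
    ("tcp", EXT_B, range(54, 80), "192.168.0.21"),
    ("udp", EXT_B, range(54, 80), "192.168.0.21"),
    ("tcp", EXT_B, range(81, 723), "192.168.0.21"),
    ("udp", EXT_B, range(81, 723), "192.168.0.21"),
    ("tcp", EXT_B, range(3306, 4560), "192.168.0.21"),
    ("udp", EXT_B, range(3306, 4560), "192.168.0.21"),
]


def natd(pkt):
    """What natd does with a diverted packet: on the inbound side rewrite the
    destination if a redirect matches; on the outbound side masquerade LAN
    sources behind the alias address. Anything else passes through unchanged."""
    if pkt.direction == "in":
        for proto, alias, ports, target in REDIRECTS:
            if proto in ("any", pkt.proto) and pkt.dst == alias \
                    and (ports is None or pkt.dport in ports):
                return replace(pkt, dst=target)
        return pkt
    if ipaddress.ip_address(pkt.src) in LAN_NET:
        return replace(pkt, src=EXT_B)
    return pkt


# The poster's ipfw ruleset, one predicate per rule, in first-match order.
RULES = [
    (50, "divert", lambda p: p.iface == WAN_IF),                            # divert 8668 ip from any to any via fxp0
    (100, "allow", lambda p: p.iface == "lo0"),                             # allow ip from any to any via lo0
    (200, "deny", lambda p: ipaddress.ip_address(p.dst) in LOOPBACK),       # deny ip from any to 127.0.0.0/8
    (300, "deny", lambda p: ipaddress.ip_address(p.src) in LOOPBACK),       # deny ip from 127.0.0.0/8 to any
    (65000, "allow", lambda p: True),                                       # allow ip from any to any
]


def trace(src, dst, dport, iface, proto="tcp", direction="in"):
    """Walk one packet through the ruleset. A divert hands the packet to natd
    and resumes at the next rule with the (possibly rewritten) packet, which is
    how ipfw re-injects natd output. Returns the rules hit, the final
    destination and where the packet ends up."""
    pkt = Packet(proto, src, dst, dport, iface, direction)
    hits = []
    verdict = "allow"                      # rule 65535 default allow
    for number, action, match in RULES:
        if not match(pkt):
            continue
        hits.append((number, action))
        if action == "divert":
            pkt = natd(pkt)
            continue
        verdict = action
        break
    if verdict == "deny":
        outcome = "dropped"
    elif pkt.dst in LOCAL_ADDRS:
        outcome = "delivered to the gateway itself"   # no redirect happened
    else:
        outcome = "forwarded to " + pkt.dst
    return {"rules": hits, "final_dst": pkt.dst, "outcome": outcome}


if __name__ == "__main__":
    # Constructed sample packets: one from the Internet, one from the LAN.
    print("Internet -> aaa.bbb.ccc.20:80 :", trace("198.51.100.7", EXT_A, 80, WAN_IF))
    print("LAN      -> aaa.bbb.ccc.20:80 :", trace("192.168.0.5", EXT_A, 80, LAN_IF))
```

Running it shows the Internet packet hitting rule 50, being rewritten to 192.168.0.20 and forwarded, while the LAN packet hits only rule 65000 and lands on the gateway, which matches the "Unable to connect" the poster sees. One caveat worth knowing before adding a second divert rule "via fxp1" as a fix: redirecting the destination alone is not enough for a LAN client, because 192.168.0.20's reply would go straight back across the LAN to 192.168.0.5 without passing the gateway, so the client would see a reply from an address it never connected to. Hairpin NAT needs the source rewritten as well so replies return via the gateway; that limitation is general NAT behaviour, not something the post itself discusses.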