ipfw / natd does not allow lan traffic to reach external numbers

Stacey Roberts stacey at vickiandstacey.com
Sun Aug 10 14:57:27 PDT 2003


On Sun, 2003-08-10 at 22:38, Johannes Angeldorff wrote:
> Hi,
> I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here
> is a list with some details:
> *) The FreeBSD box uses natd and ipfw, and has two external IPs,
> let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.
> *) natd is used to redirect access to external IP addresses and ports
> to internal LAN IPs, for example and,
> where for example webservers are located.
> *) natd rules:
> natd_flags="-redirect_address aaa.bbb.ccc.20
> -redirect_port tcp 25-52
> -redirect_port udp 25-52
> -redirect_port tcp 80
> -redirect_port udp 80
> -redirect_port tcp 54-79
> -redirect_port udp 54-79
> -redirect_port tcp 81-722
> -redirect_port udp 81-722
> -redirect_port tcp 3306-4559
> -redirect_port udp 3306-4559"
> *) ipfw lets things through:
> 00050 divert 8668 ip from any to any via fxp0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to
> 00300 deny ip from to any
> 65000 allow ip from any to any
> 65535 allow ip from any to any
> Problem:
> Most things work just fine: external access is redirected to the
> correct ports, and the webservers work just fine. BUT the problem
> comes when a box on the LAN tries to reach a site residing on
> using the _external_ IP aaa.bbb.ccc.20. Then I get the
> error: "Unable to connect to remote host". Connecting from a LAN
> machine to the same site using the _internal_ IP works fine.
> Connecting to other external IPs also works fine.
> I want to be able to connect from LAN boxes to the external IPs, for
> example aaa.bbb.ccc.20. Can anyone lead me on the way...? Very
> thankful for all comments on this matter.

This is not possible. You have to use another host external to your
local network in order to access / view services via their respective
public IPs, or continue to access them via their defined RFC1918

On another note, if access via public IP isn't a strict requirement,
there is the "views" functionality in BIND 9 that (once set up properly)
would allow you to access, say, hosted websites via their WWW addresses
from internal hosts.

> Regards,
> Smartnet Sverige AB
> Johannes Angeldorff
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
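An added illustration of the BIND 9 "views" approach the reply suggests; this is not configuration from the original thread or from either poster. It assumes a zone named example.com, a LAN prefix of 192.168.10.0/24, and a web server at 192.168.10.5 that is reachable from outside through the public address aaa.bbb.ccc.20 via natd. Clients inside the LAN get the RFC1918 address for www, everyone else gets the public one, so internal hosts never need to connect to the public IP through the NAT box.

```conf
// Added example (not from the original thread): split-horizon DNS with BIND 9 views.
// Assumed: zone example.com, LAN 192.168.10.0/24, internal web host 192.168.10.5.

acl "lan" {
    192.168.10.0/24;
    127.0.0.1;
};

// Views are matched in order, so the more specific internal view comes first.
view "internal" {
    match-clients { "lan"; };
    recursion yes;                 // LAN clients may use this server as a resolver
    zone "example.com" {
        type master;
        file "/etc/namedb/master/example.com.internal";
        // Internal zone file carries:  www  IN  A  192.168.10.5
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // never act as an open resolver for the Internet
    zone "example.com" {
        type master;
        file "/etc/namedb/master/example.com.external";
        // External zone file carries the public address (aaa.bbb.ccc.20 in the thread)
        // and nothing that reveals internal RFC1918 addressing.
    };
};
```

Once a zone is declared inside any view, every zone must live inside a view; the two zone files differ only in the records that point at hosts behind the NAT. Keep the external view non-recursive and free of internal addresses so the public face of the DNS leaks nothing about the LAN layout, and check the result with a lookup from a LAN host and from an outside host (the two answers for www should differ).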
