ipfw / natd does not allow lan traffic to reach external
stacey at vickiandstacey.com
Sun Aug 10 14:57:27 PDT 2003
On Sun, 2003-08-10 at 22:38, Johannes Angeldorff wrote:
> I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here
> a list with some details:
> *) The FreeBSD box uses natd and ipfw, and has two external IPs,
> let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.
> *) natd is used to redirect access to external IP addresses and ports
> to internal LAN IP:s, for example 192.168.0.20 and 192.168.0.21,
> where for example webservers are located.
> *) natd rules:
> natd_flags="-redirect_address 192.168.0.20 aaa.bbb.ccc.20
> -redirect_port tcp 192.168.0.21:25-52 25-52
> -redirect_port udp 192.168.0.21:25-52 25-52
> -redirect_port tcp 192.168.0.30:80 80
> -redirect_port udp 192.168.0.30:80 80
> -redirect_port tcp 192.168.0.21:54-79 54-79
> -redirect_port udp 192.168.0.21:54-79 54-79
> -redirect_port tcp 192.168.0.21:81-722 81-722
> -redirect_port udp 192.168.0.21:81-722 81-722
> -redirect_port tcp 192.168.0.21:3306-4559 3306-4559
> -redirect_port udp 192.168.0.21:3306-4559 3306-4559"
> *) ipfw lets things through:
> 00050 divert 8668 ip from any to any via fxp0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 allow ip from any to any
> Most things work just fine; external access is redirected to the
> correct ports, and the webservers work just fine. BUT the problem
> comes when a box on the LAN tries to reach a site residing on
> 192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. Then I get
> error: "Unable to connect to remote host". Connecting from a LAN
> machine to the same site using the _internal_ IP works fine.
> Connecting to other external IPs also works fine.
> I want to be able to connect from LAN boxes to the external IPs, for
> example aaa.bbb.ccc.20. Can anyone lead me on the way...? Very
> thankful for all comments on this matter.
This is not possible. You have to use another host external to your
local network in order to access / view services via their respective
public IPs, or continue to access them via their defined RFC1918
On another note, if access via public IP isn't a strict requirement,
there is the "views" functionality in BIND9 that (once set up properly)
would allow you to access, say, hosted websites via their WWW addresses
from internal hosts...
> Smartnet Sverige AB
> Johannes Angeldorff
B.Sc (HONS) Computer Science
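The BIND9 "views" approach mentioned in the reply, written out as an added example that is not part of the original thread. It is a split-horizon named.conf fragment: clients on the 192.168.0.0/24 LAN get zone data that points the web host's name at its RFC1918 address, while everyone else gets the public address, so LAN clients never need to reach aaa.bbb.ccc.20 through the NAT box. The zone name example.com, the acl name, the zone file paths and the LAN prefix are assumptions; substitute your own.

```conf
// Added example: split-horizon DNS with BIND9 views (assumed names throughout).
// Once any view is declared, every zone must live inside a view.

// Assumed LAN prefix; adjust to your internal network.
acl "lan" {
    192.168.0.0/24;
    127.0.0.1;
};

// Internal clients: answers carry the RFC1918 addresses of the hosts
// behind natd, so the connection goes directly over the LAN.
view "internal" {
    match-clients { lan; };
    recursion yes;                 // the LAN may use this server as a resolver

    zone "example.com" {           // assumed zone name
        type master;
        file "master/internal/example.com.zone";
        // In that file, e.g. (constructed):
        //   www   IN A   192.168.0.20
        //   mail  IN A   192.168.0.21
    };
};

// External clients (everything not matched above): answers carry the
// public addresses that natd redirects to the internal hosts.
view "external" {
    match-clients { any; };
    recursion no;                  // do not act as an open resolver for the Internet

    zone "example.com" {
        type master;
        file "master/external/example.com.zone";
        // In that file, e.g. (constructed):
        //   www   IN A   aaa.bbb.ccc.20
        //   mail  IN A   aaa.bbb.ccc.20
    };
};
```

Two points worth checking after deploying this: the view order matters, because BIND uses the first view whose match-clients list matches the querying address, so the internal view must precede the catch-all; and `recursion no` on the external view keeps the public-facing side from serving as an open resolver. Since the views differ only by the addresses in the zone files, run `named-checkconf` and then query from a LAN host and from outside (`dig @your-dns www.example.com`) to confirm each side gets the intended answer. This only helps services reached by name; anything that embeds the literal public IP still behaves as the reply describes.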