IPFW/NATD Transparent Proxy

mailist at whoweb.com
Sun Aug 8 20:27:15 PDT 2004


de0 = 1.2.3.4 (make up any valid public ip) (mydomain.com)
de1 = 192.168.1.1
de2 = 192.168.2.1

When 192.168.1.247 requests a web page from MYDOMAIN.COM
the request needs to be forwarded to 192.168.2.250:80

In the ruleset below, 15100 is required for this to work.  If I pull out
15100 I get no response from the web page because there is no rule to allow 
1.2.3.4 back out to 192.168.1.247.  I can't find a solution that does not 
require an explicit rule to allow 1.2.3.4 back out to 192.168.1.247.  In 
other words, I can't find a set of rules that allows dynamic setup of
	192.168.1.247:???? <-> 1.2.3.4:80
	192.168.1.247:???? <-> 192.168.2.250:80

I hope this information helps.  Thanks in advance for pointing me in the right 
direction.

IPFW RULES
==================================
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 20000 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
20000 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any


NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf



On Sunday 08 August 2004 06:30 pm, Eric Crist wrote:
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of
> > mailist at whoweb.com
> > Sent: Sunday, August 08, 2004 5:43 PM
> > To: freebsd-questions at freebsd.org
> > Subject: Re: IPFW/NATD Transparent Proxy
> >
> > On Sunday 08 August 2004 04:38 pm, JJB wrote:
> > > A new rewrite of the FreeBSD handbook firewall section is currently
> > > being made ready for update to the handbook. You can get an in-process
> > > copy from www.a1poweruser.com/FBSD_firewall/
> >
> > The firewall rewrite only deals with a single public nic and
> > a single internal nic and does not have the information I require.
> >
> > > From what you posted looks like you want public internet users to
> > > access web server on one of your LAN machines. Both ipfw and ipfilter
> > > do this normally with port redirect.
> >
> > No, I want a user on 192.168.1.247 to be redirected to
> > 192.168.2.250:80 when
> > they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number
> > on the FreeBSD
> > internet gateway.  Again, the configuration is
> > 	de0 = PUBLIC IP = 1.2.3.4
> > 	de1 = 192.168.1.1
> > 	de2 = 192.168.2.1
> >
> > I don't have a problem with incoming requests for 1.2.3.4:80
> > from the Internet
> > being redirected to 192.168.2.250.  That works fine.  But I
> > want someone on
> > 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when
> > they request the
> > public address 1.2.3.4:80.
>
> Could you send us (or me, personally) your firewall script, and the
> address you want to use?
>
> Thanks.
>
> Eric F Crist
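The following is an added walk-through, not code from the thread or from FreeBSD, that models how the ruleset posted above sees the two packets the poster describes: the request from 192.168.1.247 arriving on de1 and the web server's reply leaving on de1. It implements only the ipfw features the ruleset uses (allow, deny, skipto, divert, in/out, via, dst-port, and keep-state with its implicit check-state) and the single natd translation the poster relies on (redirect_port tcp 192.168.2.250:80 1.2.3.4:80 on the way in, and its reverse on the reply). The client port 40000, the names Ipfw, Rule, Packet and hairpin_walk, and the exact point at which natd rewrites each packet are assumptions made for the illustration. Run with and without rule 15100, it reproduces the observed behaviour: the dynamic entry that rule 15000 creates holds the post-NAT pair (192.168.1.247, 192.168.2.250), while the reply leaves de1 with its source already rewritten back to 1.2.3.4, so that entry never matches and the reply falls through to 15200 deny unless an explicit out rule exists.

```python
"""Model of the poster's ipfw ruleset on the hairpin request and its reply.

Constructed illustration, not code from the post or from FreeBSD.  Only the
ipfw actions the ruleset uses are modelled, plus the one natd rewrite the post
describes.  Client port 40000 and the natd rewrite points are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Optional

CLIENT, PUBLIC, WEBSRV = "192.168.1.247", "1.2.3.4", "192.168.2.250"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str        # interface the packet is crossing (de0/de1/de2)
    direction: str    # "in" or "out" relative to the firewall host


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                    # allow | deny | skipto | divert
    target: int = 0                # skipto destination rule number
    direction: Optional[str] = None
    via: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.via is None or self.via == p.iface)
                and (self.dport is None or self.dport == p.dport))


def natd(p: Packet) -> Packet:
    """The one translation the post relies on: redirect_port and its reverse
    (assumed to apply on the de1 passes shown here)."""
    if p.direction == "in" and (p.dst, p.dport) == (PUBLIC, 80):
        return replace(p, dst=WEBSRV)      # request: dst 1.2.3.4:80 -> 192.168.2.250:80
    if p.direction == "out" and (p.src, p.sport) == (WEBSRV, 80):
        return replace(p, src=PUBLIC)      # reply: src 192.168.2.250:80 -> 1.2.3.4:80
    return p


class Ipfw:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = set()    # endpoint pairs admitted by keep-state rules

    @staticmethod
    def _flow(p: Packet):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def walk(self, p: Packet) -> str:
        """Return 'action:rule' for the rule that terminates the packet."""
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            # keep-state rules implicitly check the dynamic table first (ipfw(8))
            if r.keep_state and self._flow(p) in self.dynamic:
                return "allow:dynamic"
            if not r.matches(p):
                i += 1
                continue
            if r.action == "divert":
                p = natd(p)     # natd re-injects at the rule after the divert rule
                i += 1
                continue
            if r.action == "skipto":
                i = next(k for k, x in enumerate(self.rules) if x.num >= r.target)
                continue
            if r.keep_state:
                self.dynamic.add(self._flow(p))
            return f"{r.action}:{r.num}"
        return "deny:default"


def poster_rules(with_15100: bool):
    """The ruleset from the post; rule 15100 is included only when asked for."""
    rules = [
        Rule(100, "divert"),
        Rule(200, "allow", direction="out", via="de0", keep_state=True),
        Rule(300, "skipto", target=15000, via="de1"),
        Rule(400, "skipto", target=20000, via="de2"),
        Rule(500, "deny"),
        Rule(15000, "allow", direction="in", via="de1", keep_state=True),
        Rule(15200, "deny"),
        Rule(20000, "allow", direction="in", via="de2", keep_state=True),
        Rule(20100, "allow", direction="out", via="de2", dport=80, keep_state=True),
        Rule(20200, "deny"),
    ]
    if with_15100:
        rules.append(Rule(15100, "allow", direction="out", via="de1"))
    return rules


def hairpin_walk(with_15100: bool) -> dict:
    """Walk the request as it enters on de1 and the reply as it leaves on de1."""
    fw = Ipfw(poster_rules(with_15100))
    request = Packet(CLIENT, 40000, PUBLIC, 80, "de1", "in")    # constructed
    reply = Packet(WEBSRV, 80, CLIENT, 40000, "de1", "out")     # constructed
    return {
        "request_in_de1": fw.walk(request),
        "reply_out_de1": fw.walk(reply),
        "dynamic": sorted(sorted(f) for f in fw.dynamic),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("with 15100:" if flag else "without 15100:", hairpin_walk(flag))
```

The de2 legs are left out of the walk because the post only describes what happens on de1; the point the model makes is that keep-state entries are recorded with whatever addresses the packet carries when the keep-state rule fires, so a flow that natd rewrites between the inbound and outbound passes will not be matched by its own dynamic entry.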