W dniu 2011-08-10 16:22, Freddie Cash pisze:
The more correct method is to double-NAT the traffic, such
that the LAN
clients connect to public IPs, and the DMZ servers see
connections from
public IPs. It's more complicated to wrap your head around
the first time,
but it prevents private IPs from "leaking" between the LAN,
the Internet,
and the DMZ. (It took me 10 years of using IPFW to figure
this one out.)
# Configure the general natd process for the LAN
natd -port $port2 -same_ports -use_sockets -alias_address
x.x.x.171
# Configure the natd process to NAT from x.x.x.170 to
192.168.0.10 using
some port
natd -port $port1 -same_ports -use_sockets -alias_address
x.x.x.170
-redirect_address x.x.x.170 192.168.0.10
# NAT the traffic coming from the LAN to x.x.x.170
ipfw add divert $port1 ip from $LAN to x.x.x.170 in recv vr0
ipfw add allow ip from $LAN to 192.168.0.10 in recv vr0
# NAT the traffic going to x.x.x.170 from the LAN
ipfw add divert $port2 ip from $LAN to 192.168.0.10 out xmit vr2
ipfw add allow ip from x.x.x.171 to 192.168.0.10 out xmit vr2
# NAT the traffic coming from x.x.x.170 to the LAN
ipfw add divert $port1 ip from 192.168.0.10 to x.x.x.171 in
recv vr2
ipfw add allow ip from 192.168.0.10 to $LAN in recv vr2
# NAT the traffic going to the LAN from x.x.x.170
ipfw add divert ip from 192.168.0.10 to $LAN out xmit vr0
ipfw add allow ip from x.x.x.170 t0 $LAN out xmit vr0
The general flow of the rules above is (src --> dest)
10.0.0.x --> x.x.x.170
10.0.0.x --> 192.168.0.10 (after first NAT)
x.x.x.171 --> 192.168.0.10 (after second NAT)
192.168.0.10 --> x.x.x.171
192.168.0.10 --> 10.0.0.x (after first NAT)
x.x.x.170 --> 10.0.0.x (after second NAT)
Notice how vr3 is never used in any of the rules above, as the
packets never
touch the public interface of the router.
Hi,
I set up firewall like this:
$cmd flush
##LAN1 --> PUBLIC
$cmd add divert $NATLANPORT ip from $LAN1 to $MYPUBLICIP via $PUBLICIF
$cmd add allow ip from $LAN1 to $MYPUBLICIP via $PUBLICIF
#NAT for LAN1
natd -port $NATLANPORT -same_ports -use_sockets -alias_address $MYPUBLICIP
#NAT for DMZHOST1
natd -port $DMZHOST1PORT -same_ports -use_sockets -alias_address
$DMZHOST1PUBLIC -redirect_address $DMZHOST1PUBLIC $DMZHOST1PRIVATE
##LAN1 --> DMZHOST1
#Traffic from LAN1 to DMZHOST1 - coming from LAN1
$cmd add divert $NATLANPORT ip from $LAN1 to $DMZHOST1PUBLIC in recv $LAN1IF
$cmd add allow ip from $LAN1 to $DMZHOST1PRIVATE in recv $LAN1IF
#Traffic to DMZHOST1 from LAN1 - going to DMZHOST1
$cmd add divert $DMZHOST1PORT ip from $LAN1 to $DMZHOST1PRIVATE out xmit
$DMZIF
$cmd add allow ip from $DMZHOST1PUBLIC to $DMZHOST1PRIVATE out xmit $DMZIF
##DMZHOST1 --> LAN1
#Traffic from DMZHOST1 to LAN1 - coming from DMZHOST1
$cmd add divert $DMZHOST1PORT ip from $DMZHOST1PRIVATE to
$DMZHOST1PUBLIC in recv $DMZIF
$cmd add allow ip from $DMZHOST1PRIVATE to $LAN1 in recv $DMZIF
#Traffic to LAN1 from DMZHOST1 - going to LAN1
$cmd add divert $NATLANPORT ip from $DMZHOST1PRIVATE to $LAN1 out xmit
$LAN1IF
$cmd add allow ip from $DMZHOST1PUBLIC to $LAN1 out xmit $LAN1IF
$cmd add allow ip from any to me
$cmd add allow ip from me to any
$cmd add deny ip from any to any
But in fact it doesn't work - I am not able to connect to DMZ HOST1
public IP from LAN1. When I try to connect, I connect to router, not the
DMZ HOST 1
In rc.conf I have only:
natd_enable="YES"
natd_interface="em0"
em0 is my interface connected to public ISP
DMZ HOST1 Public IP is set as an alias for em0
Can you have a look at my issue?
Regards,
--
Marek Salwerowicz
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
