Re: IPFW/NATD Transparent Proxy

mailist_at_whoweb.com
Date: 08/09/04

    To: <freebsd-questions@freebsd.org>
    Date: Sun, 8 Aug 2004 18:43:21 -0400
    
    

    On Sunday 08 August 2004 04:38 pm, JJB wrote:
    > A new rewrite of the FreeBSD handbook firewall section is currently
    > being made ready for update to the handbook. You can get an
    > in-process copy from www.a1poweruser.com/FBSD_firewall/

    The firewall rewrite only deals with a single public nic and a single
    internal nic and does not have the information I require.

    > From what you posted looks like you want public internet users to
    > access web server on one of your LAN machines. Both ipfw and
    > ipfilter do this normally with port redirect.

    No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when
    they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD
    internet gateway. Again, the configuration is
            de0 = PUBLIC IP = 1.2.3.4
            de1 = 192.168.1.1
            de2 = 192.168.2.1

    I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet
    being redirected to 192.168.2.250. That works fine. But I want someone on
    192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the
    public address 1.2.3.4:80.

    Put another way, I have a FreeBSD server acting as a Router/Firewall. It has
    a public interface with an IP number of 1.2.3.4 and is assigned the DNS name
    www.ishouldhaveusedipfilter.com. It also has a second NIC that supports a
    private address space of 192.168.1.0/255.255.255.0 and a third NIC that
    supports a private address space of 192.168.2.0/255.255.255.0

    When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com
    they get redirected to 192.168.2.250 because I've included a redirect_port
    rule for NATD. This works fine. But, users on all private networks (I have
    two, but there could be 20) also need to be redirected to 192.168.2.250 when
    they try to go to www.ishouldhaveusedipfilter.com. So the user sitting at
    192.168.1.247 shouldn't have to worry about putting in the IP number of the
    company web server, they should just be able to put in the company domain
    name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250
    just like anyone coming from the outside.

    > You need to post
    > more info about your system config.
    > Post the full contents of your rc.conf and firewall rules files.

    My rc.conf file is properly configured and has no bearing on my question. My
    gateway works fine from public to private IP space and private to public IP
    space. I've tried so many combinations of rules and NATD options that I
    wouldn't know what to post. What I need is someone who has completed a
    similar configuration to send me their configuration (change the IP numbers
    if you like). From what I can see, I don't believe this is possible with
    stateful rules. Let me add that I've been successful with stateless rules,
    but I'd like to use 100% stateful if possible.

    >
    > The limit you write about ipfilter is not true.

    >
    > -----Original Message-----
    > From: owner-freebsd-questions@freebsd.org
    > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of
    > mailist@whoweb.com
    > Sent: Sunday, August 08, 2004 2:11 PM
    > To: freebsd-questions@freebsd.org
    > Subject: IPFW/NATD Transparent Proxy
    >
    >
    > Anyone up for a challenge?
    >
    > I've come to the conclusion that IPFW/NATD cannot support transparent
    > proxying with ONLY stateful rules. I'd like to hear from anyone who has
    > been successful doing so in case I'm missing something.
    >
    > Configuration is:
    > FreeBSD 5.2.1
    > 3 - NICS (de0, de1, de2)
    > de1 = Public IP = 1.2.3.4
    > de2 = LAN1 = 192.168.1.0
    > de3 = LAN2 = 192.168.2.0
    >
    > The challenge:
    > 1) TCP request from 192.168.1.247 to 1.2.3.4:80
    > 2) Redirect 1.2.3.4:80 to 192.168.2.250:80
    > 3) Use stateful rules
    >
    > On another note, I read somewhere on the Internet that IPFILTER has a
    > limitation in that it cannot redirect a public destination to a private
    > destination if the source machine is on the same subnet as the redirected
    > destination. In other words, the following supposedly will not work:
    > 1) A tcp request from 192.168.1.247 to 1.2.3.4:80
    > 2) Redirect 1.2.3.4:80 to 192.168.1.100:80
    >
    > Is this an accurate limitation of IPFILTER?
    >
    >
    >
    > J
    >
    > _______________________________________________
    > freebsd-questions@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    > To unsubscribe, send any mail to
    > "freebsd-questions-unsubscribe@freebsd.org"

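The thread above describes two redirect set-ups but not why one completes and the other does not. The following model is added here as an illustration; it is not the poster's configuration, not natd or ipfw code, and makes no claim about natd's internals. It is a generic destination/source rewriter on the post's three-interface topology (de0 = 1.2.3.4, de1 = 192.168.1.1, de2 = 192.168.2.1) with two assumptions: a NAT is only consulted for packets entering or leaving on the interfaces it is bound to, and traffic between two hosts on the same LAN is switched directly without touching the gateway. The Internet client 203.0.113.5 and all port numbers are constructed. Under those assumptions it shows that a LAN client's request must be translated on the interface it enters on, that the reply only gets un-translated if it crosses the gateway (LAN2 to LAN1 does; same-LAN, the ipfilter question, does not), and that rewriting the source to the gateway's own address is what forces a same-LAN reply back through the translator.

```python
"""Simplified model of a port-redirecting NAT on the three-interface gateway
described in the post. Addresses and interface names are the post's; the
Internet client 203.0.113.5 and all port numbers are constructed. This is a
generic destination/source rewriter for reasoning about the return path,
not a model of natd's internals."""
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "1.2.3.4"                                   # de0
LANS = {                                                # network -> (iface, gateway addr)
    "192.168.1.0/24": ("de1", "192.168.1.1"),
    "192.168.2.0/24": ("de2", "192.168.2.1"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def lan_of(addr):
    """LAN prefix containing addr, or None for anything on the public side."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in LANS if ip in ipaddress.ip_network(net)), None)


def iface_for(addr):
    lan = lan_of(addr)
    return LANS[lan][0] if lan else "de0"


def is_gateway_addr(addr):
    return addr == PUBLIC_IP or any(addr == gw for _, gw in LANS.values())


def reaches_gateway(pkt):
    """Same-LAN traffic is switched directly and never touches the gateway."""
    return is_gateway_addr(pkt.dst) or lan_of(pkt.src) != lan_of(pkt.dst)


class RedirectingNat:
    """Rewrites dst like a redirect_port entry; with rewrite_source=True it also
    rewrites src to the gateway's address on the server's LAN so the reply is
    forced back through the gateway. Only consulted for packets that enter or
    leave via one of bound_ifaces (assumption of this model)."""

    def __init__(self, redirects, bound_ifaces, rewrite_source=False):
        self.redirects = dict(redirects)                # (public, port) -> (server, port)
        self.reverse = {v: k for k, v in self.redirects.items()}
        self.bound = set(bound_ifaces)
        self.rewrite_source = rewrite_source
        self.sessions = {}                              # translated (src, sport) -> client
        self.next_port = 40000

    def _consulted(self, pkt):
        seen = {iface_for(pkt.src)}
        if not is_gateway_addr(pkt.dst):                # locally delivered: no egress iface
            seen.add(iface_for(pkt.dst))
        return bool(seen & self.bound)

    def process(self, pkt):
        if not reaches_gateway(pkt) or not self._consulted(pkt):
            return pkt
        target = self.redirects.get((pkt.dst, pkt.dport))
        if target is not None:                          # request: rewrite destination
            src, sport = pkt.src, pkt.sport
            if self.rewrite_source:                     # hairpin fix: rewrite source too
                src, sport = LANS[lan_of(target[0])][1], self.next_port
                self.next_port += 1
            self.sessions[(src, sport)] = (pkt.src, pkt.sport)
            return Packet(src, sport, target[0], target[1])
        public = self.reverse.get((pkt.src, pkt.sport))
        client = self.sessions.get((pkt.dst, pkt.dport))
        if public is not None and client is not None:   # reply: undo both rewrites
            return Packet(public[0], public[1], client[0], client[1])
        return pkt


def session_completes(nat, client, server):
    """One request from client to PUBLIC_IP:80; True if the reply the client
    gets back matches the connection it opened."""
    request = Packet(client, 51000, PUBLIC_IP, 80)
    delivered = nat.process(request)
    if (delivered.dst, delivered.dport) != (server, 80):
        return False                                    # never reached the web server
    reply = Packet(server, 80, delivered.src, delivered.sport)
    got = nat.process(reply)
    return (got.src, got.sport, got.dst, got.dport) == (PUBLIC_IP, 80, client, 51000)


def run_cases():
    """The post's scenarios, as label -> does the TCP exchange complete."""
    web = {(PUBLIC_IP, 80): ("192.168.2.250", 80)}      # redirect_port to the LAN2 server
    same = {(PUBLIC_IP, 80): ("192.168.1.100", 80)}     # the ipfilter question: LAN1 server
    every = {"de0", "de1", "de2"}
    return {
        "internet client, nat on de0": session_completes(RedirectingNat(web, {"de0"}), "203.0.113.5", "192.168.2.250"),
        "lan1 client, nat on de0": session_completes(RedirectingNat(web, {"de0"}), "192.168.1.247", "192.168.2.250"),
        "lan1 client, nat on all ifaces": session_completes(RedirectingNat(web, every), "192.168.1.247", "192.168.2.250"),
        "same lan, dst rewrite only": session_completes(RedirectingNat(same, every), "192.168.1.247", "192.168.1.100"),
        "same lan, dst+src rewrite": session_completes(RedirectingNat(same, every, True), "192.168.1.247", "192.168.1.100"),
    }


if __name__ == "__main__":
    for label, ok in run_cases().items():
        print(f"{label:32s} {'completes' if ok else 'FAILS'}")
```

The first case is the working Internet-to-server redirect the poster already has. The second fails because a request arriving on de1 never meets a translator bound only to de0; the third completes because the LAN2-to-LAN1 reply crosses the gateway and is un-translated. The last two reproduce the same-subnet limitation asked about in the quoted message and show the source rewrite that closes it; whether a given NAT daemon offers that rewrite, and how its own rules must be ordered, is outside what this model says.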

