ipfw - accessing DMZ from LAN
Marek Salwerowicz
marek_sal at wp.pl
Thu Sep 22 14:51:10 UTC 2011
W dniu 2011-08-10 16:22, Freddie Cash pisze:
>
> The more correct method is to double-NAT the traffic, such
> that the LAN
> clients connect to public IPs, and the DMZ servers see
> connections from
> public IPs. It's more complicated to wrap your head around
> the first time,
> but it prevents private IPs from "leaking" between the LAN,
> the Internet,
> and the DMZ. (It took me 10 years of using IPFW to figure
> this one out.)
>
> # Configure the general natd process for the LAN
> natd -port $port2 -same_ports -use_sockets -alias_address
> x.x.x.171
>
> # Configure the natd process to NAT from x.x.x.170 to
> 192.168.0.10 using
> some port
> natd -port $port1 -same_ports -use_sockets -alias_address
> x.x.x.170
> -redirect_address x.x.x.170 192.168.0.10
>
> # NAT the traffic coming from the LAN to x.x.x.170
> ipfw add divert $port1 ip from $LAN to x.x.x.170 in recv vr0
> ipfw add allow ip from $LAN to 192.168.0.10 in recv vr0
>
> # NAT the traffic going to x.x.x.170 from the LAN
> ipfw add divert $port2 ip from $LAN to 192.168.0.10 out xmit vr2
> ipfw add allow ip from x.x.x.171 to 192.168.0.10 out xmit vr2
>
> # NAT the traffic coming from x.x.x.170 to the LAN
> ipfw add divert $port1 ip from 192.168.0.10 to x.x.x.171 in
> recv vr2
> ipfw add allow ip from 192.168.0.10 to $LAN in recv vr2
>
> # NAT the traffic going to the LAN from x.x.x.170
> ipfw add divert ip from 192.168.0.10 to $LAN out xmit vr0
> ipfw add allow ip from x.x.x.170 t0 $LAN out xmit vr0
>
> The general flow of the rules above is (src --> dest)
> 10.0.0.x --> x.x.x.170
> 10.0.0.x --> 192.168.0.10 (after first NAT)
> x.x.x.171 --> 192.168.0.10 (after second NAT)
>
> 192.168.0.10 --> x.x.x.171
> 192.168.0.10 --> 10.0.0.x (after first NAT)
> x.x.x.170 --> 10.0.0.x (after second NAT)
>
> Notice how vr3 is never used in any of the rules above, as the
> packets never
> touch the public interface of the router.
>
>
Hi,
I set up firewall like this:
$cmd flush
##LAN1 --> PUBLIC
$cmd add divert $NATLANPORT ip from $LAN1 to $MYPUBLICIP via $PUBLICIF
$cmd add allow ip from $LAN1 to $MYPUBLICIP via $PUBLICIF
#NAT for LAN1
natd -port $NATLANPORT -same_ports -use_sockets -alias_address $MYPUBLICIP
#NAT for DMZHOST1
natd -port $DMZHOST1PORT -same_ports -use_sockets -alias_address
$DMZHOST1PUBLIC -redirect_address $DMZHOST1PUBLIC $DMZHOST1PRIVATE
##LAN1 --> DMZHOST1
#Traffic from LAN1 to DMZHOST1 - coming from LAN1
$cmd add divert $NATLANPORT ip from $LAN1 to $DMZHOST1PUBLIC in recv $LAN1IF
$cmd add allow ip from $LAN1 to $DMZHOST1PRIVATE in recv $LAN1IF
#Traffic to DMZHOST1 from LAN1 - going to DMZHOST1
$cmd add divert $DMZHOST1PORT ip from $LAN1 to $DMZHOST1PRIVATE out xmit
$DMZIF
$cmd add allow ip from $DMZHOST1PUBLIC to $DMZHOST1PRIVATE out xmit $DMZIF
##DMZHOST1 --> LAN1
#Traffic from DMZHOST1 to LAN1 - coming from DMZHOST1
$cmd add divert $DMZHOST1PORT ip from $DMZHOST1PRIVATE to
$DMZHOST1PUBLIC in recv $DMZIF
$cmd add allow ip from $DMZHOST1PRIVATE to $LAN1 in recv $DMZIF
#Traffic to LAN1 from DMZHOST1 - going to LAN1
$cmd add divert $NATLANPORT ip from $DMZHOST1PRIVATE to $LAN1 out xmit
$LAN1IF
$cmd add allow ip from $DMZHOST1PUBLIC to $LAN1 out xmit $LAN1IF
$cmd add allow ip from any to me
$cmd add allow ip from me to any
$cmd add deny ip from any to any
But in fact it doesn't work - I am not able to connect to DMZ HOST1
public IP from LAN1. When I try to connect, I connect to router, not the
DMZ HOST 1
In rc.conf I have only:
natd_enable="YES"
natd_interface="em0"
em0 is my interface connected to public ISP
DMZ HOST1 Public IP is set as an alias for em0
Can you have a look at my issue?
Regards,
--
Marek Salwerowicz
More information about the freebsd-net
mailing list