ipfw - accessing DMZ from LAN
Marek Salwerowicz
marek_sal at wp.pl
Fri Sep 30 14:57:31 UTC 2011
On 2011-09-29 23:07, Marek Salwerowicz wrote:
> So eg. the rules specifying traffic between DMZ Host and LAN could be
> the first, and then rules for "generic" DMZ host traffic (allowing DMZ
> access to the Internet)?
> So far I have made it like this (first DMZ-LAN, then DMZ), but I have a
> problem:
>
> ipfw add 200 divert $DMZHOST1PORT ip from $DMZHOST1 to any in recv $DMZIF
> ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF
>
> ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit $PUBLICIF
> ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
>
> ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv $PUBLICIF
> ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF
>
> ipfw add 230 divert $DMZHOST1PORT ip from any to $DMZHOST1 out xmit $DMZIF
> ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF
>
> The DMZ host has access to the Internet (and is visible as the public IP
> dedicated to that host, so it's what I wanted), but when I connect
> from the Internet to the DMZ host (e.g. ssh), I see that the connection
> comes from itself (the DMZ host's public IP), instead of the real public IP
> address.
> I think that I've overNATed something.
>
I've answered myself:
<removed rule 200>
ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF
ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit $PUBLICIF
ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv $PUBLICIF
ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF
<removed rule 230>
ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF
So I just removed rules responsible for NAT at $DMZIF and left only NAT
at $PUBLICIF.
But now there is the next problem - when I try to ping/ssh from the router to
$DMZPUBLICIP, I connect to myself instead of the DMZ host...
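To make the "overNATed" symptom above concrete, here is a small simulation of the packet path through the two rulesets (the original one with rules 200/230 and the corrected one without them). This is an added, constructed model written for this page, not code from the thread, from FreeBSD or from natd: it reduces ipfw to "walk the rules in order, divert hands the packet to natd and continues, allow terminates" and reduces natd to "incoming packets to the alias address get redirected to the private host, outgoing packets get their source rewritten to the alias address" (natd's default behaviour without -u), and ignores connection state. The addresses, the interface names em0/em1 and the client address are placeholders chosen for the example; the rule numbers, directions and interfaces follow the thread.

```python
"""Constructed model of ipfw divert rules plus natd for the DMZ thread above.

It shows why diverting the same natd instance on both $PUBLICIF and $DMZIF
(rule 230) makes the DMZ host see the router's alias address as the client,
and why removing the $DMZIF divert fixes it. Not FreeBSD code; a toy model.
"""
from dataclasses import dataclass, replace

# Placeholder addresses and interfaces for the example (not from the thread).
DMZHOST1 = "10.0.1.10"        # $DMZHOST1: private address of the DMZ host
DMZHOST1PUB = "203.0.113.10"  # $DMZHOST1PUB: dedicated public IP (natd alias)
CLIENT = "198.51.100.7"       # a host somewhere on the Internet
DMZIF, PUBLICIF = "em1", "em0"  # $DMZIF and $PUBLICIF


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in" or "out"
    iface: str      # interface the packet is received on / sent out of


def natd(pkt: Packet) -> Packet:
    """Simplified natd with 'redirect_address DMZHOST1 DMZHOST1PUB'.

    Incoming: destination == alias is rewritten to the private host.
    Outgoing: natd (without -u) aliases every outgoing packet, so the source
    becomes the alias address whatever it was before.
    """
    if pkt.direction == "in" and pkt.dst == DMZHOST1PUB:
        return replace(pkt, dst=DMZHOST1)
    if pkt.direction == "out":
        return replace(pkt, src=DMZHOST1PUB)
    return pkt


# Rules as (number, action, src, dst, direction, iface); "any" is a wildcard.
ORIGINAL_RULES = [
    (200, "divert", DMZHOST1, "any", "in", DMZIF),
    (205, "allow", DMZHOST1, "any", "in", DMZIF),
    (210, "divert", DMZHOST1, "any", "out", PUBLICIF),
    (215, "allow", DMZHOST1PUB, "any", "out", PUBLICIF),
    (220, "divert", "any", DMZHOST1PUB, "in", PUBLICIF),
    (225, "allow", "any", DMZHOST1, "in", PUBLICIF),
    (230, "divert", "any", DMZHOST1, "out", DMZIF),
    (235, "allow", "any", DMZHOST1, "out", DMZIF),
]
# The corrected ruleset from the reply: no NAT on $DMZIF at all.
FIXED_RULES = [r for r in ORIGINAL_RULES if r[0] not in (200, 230)]


def matches(rule, pkt: Packet) -> bool:
    _, _, src, dst, direction, iface = rule
    return ((src == "any" or src == pkt.src)
            and (dst == "any" or dst == pkt.dst)
            and direction == pkt.direction and iface == pkt.iface)


def run_chain(rules, pkt: Packet):
    """Walk the rules in number order. A divert passes the packet through natd
    and processing resumes at the next rule; an allow returns the packet.
    Falling off the end is ipfw's default deny (modelled as None)."""
    for rule in sorted(rules):
        if matches(rule, pkt):
            if rule[1] == "divert":
                pkt = natd(pkt)
            elif rule[1] == "allow":
                return pkt
    return None


def deliver_to_dmz(rules, client: str) -> Packet:
    """Client -> $DMZHOST1PUB: enters on $PUBLICIF, is routed, leaves on $DMZIF.
    Returns the packet as the DMZ host receives it."""
    pkt = run_chain(rules, Packet(client, DMZHOST1PUB, "in", PUBLICIF))
    return run_chain(rules, replace(pkt, direction="out", iface=DMZIF))


def dmz_to_internet(rules, client: str) -> Packet:
    """$DMZHOST1 -> client: enters on $DMZIF, leaves on $PUBLICIF.
    Returns the packet as the Internet sees it."""
    pkt = run_chain(rules, Packet(DMZHOST1, client, "in", DMZIF))
    return run_chain(rules, replace(pkt, direction="out", iface=PUBLICIF))


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        seen = deliver_to_dmz(rules, CLIENT)
        print(f"{name:8} DMZ host sees client as {seen.src}")
        out = dmz_to_internet(rules, CLIENT)
        print(f"{name:8} Internet sees DMZ host as {out.src}")
```

With the original rules the inbound packet is translated once at rule 220 (destination becomes $DMZHOST1) and then again at rule 230 on the way out of $DMZIF, where natd rewrites the source to its alias, which is exactly the "connection comes from the DMZ host's public IP" symptom. Dropping rule 230 leaves the client address intact while the DMZ host's own outbound traffic is still aliased at rule 210 on $PUBLICIF.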