IPFW/NATD Transparent Proxy
JJB
Barbish3 at adelphia.net
Sun Aug 8 13:38:45 PDT 2004
A new rewrite of the FreeBSD handbook firewall section is currently
being made ready for update to the handbook. You can get an
in-process copy from www.a1poweruser.com/FBSD_firewall/
From what you posted, it looks like you want public internet users to
access a web server on one of your LAN machines. Both ipfw and
ipfilter do this normally with port redirect. You need to post
more info about your system config.
Post the full contents of your rc.conf and firewall rules files.
The limit you write about ipfilter is not true.
-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of
mailist at whoweb.com
Sent: Sunday, August 08, 2004 2:11 PM
To: freebsd-questions at freebsd.org
Subject: IPFW/NATD Transparent Proxy
Anyone up for a challenge?
I've come to the conclusion that IPFW/NATD cannot support transparent
proxying with ONLY stateful rules. I'd like to hear from anyone who has
been successful doing so in case I'm missing something.
Configuration is:
FreeBSD 5.2.1
3 - NICS (de0, de1, de2)
de1 = Public IP = 1.2.3.4
de2 = LAN1 = 192.168.1.0
de3 = LAN2 = 192.168.2.0
The challenge:
1) TCP request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.2.250:80
3) Use stateful rules
On another note, I read somewhere on the Internet that IPFILTER has a
limitation in that it cannot redirect a public destination to a private
destination if the source machine is on the same subnet as the redirected
destination. In other words, the following supposedly will not work:
1) A tcp request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.1.100:80
Is this an accurate limitation of IPFILTER?
J