A simple rule of thumb is:
         - "map" on outgoing interface
         - "redirect" on receiving interface

so do your rdr on both the external and the internal interfaces, instead of 
the dmz interface.
(by the way, be precise when you talk about interfaces, cos' when you say
"the interface on the firewall is fxp2", I personally understand that you're
talking about the one attached to the DMZ, but there is a potential for
confusion here).

so just add an address to the external interface (the 123.1.1.2 address)

PS. As far as I could find, "rdr" works only for TCP and UDP, and requires
a port (you can't redir all ports this way). If you need more flexibility,
you might want to try bimap, but then you'd better not make errors in
ipf.conf :).

Here is an example of ipnat.conf:

# Dmz official addr: 123.1.1.2
# DMZ private addr: 172.16.1.2
# external interface: ifout
#  internal interface: ifin
# dmz interface: ifdmz

# redirect web for outsiders
rdr ifout 123.1.1.2/32 port 80 -> 172.16.1.2 port 80 tcp

# redirect web for insiders
rdr ifin 123.1.1.2/32 port 80 -> 172.16.1.2 port 80 tcp

# map outgoing (first for tcp and udp, second line for the rest)
map ifout  insideaddrs/insidemask -> 123.1.1.1/32 portmap tcp/udp 20000:30000
map ifout  insideaddrs/insidemask -> 123.1.1.1/32

# map insiders going to dmz
# XXX: same as the 2 rules above, with ifout replaced by ifdmz

# map dmz going out (only if you need to access outside from dmz host)
map ifout 172.16.1.2/32 -> 123.1.1.2/32 portmap tcp/udp 20000:30000
#you might want to map non tcp/udp also, so that you can ping...


cheers,
mouss

At 19:13 07/03/01 -0500, Mason Harding wrote:
>Sorry if this message went out twice.....
>
>HI! I am trying to implement a DMZ on a FreeBSD firewall I am building.  It
>is using squid for transparent proxy, ipf for Stateful packet forwarding,
>and ipfw/dummynet for rate limiting.  Everything was going well until I got
>to the DMZ part.
>
>I have (fake IP addresses) a registered class C subnet of 123.1.1.1, and am
>setting the DMZs network to 172.16.1.0. The Web server in the DMZ has an ip
>address of 172.16.1.2, and the interface on the firewall is fxp2,
>172.16.1.1.  I can not seem to figure out for the life of me how to make
>this work.  My first guess was to set up ipnat as follows...
>
>map fxp2 from 0.0.0.0/0 to 123.1.1.2 -> 172.16.1.2
>
>but when I would try to telnet to any open port or ping the web server on
>the 123.1.1.2 ip address, nothing would go across the fxp2 interface(per
>tcpdump).  Next I tried to map a specific port, for instance...
>
>rdr fxp2 123.1.1.2 port 80 -> 172.16.1.2 port 80 tcp
>
>once again, nothing would go across fxp2.  Am I going about this DMZ thing
>in the wrong way?
>
>Thank you very much for your help!
>Mason
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
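As an added illustration (my own script, not code from either mail): it writes out the ipnat.conf sketched in the reply, with the "insiders going to dmz" lines filled in as the note says (ifout replaced by ifdmz), and then lints a config for the two mistakes in the thread, a rule on the DMZ-side interface for the host that sits behind it, and rdr rules lacking the port and protocol. Assumed: fxp0 and fxp1 are the external and internal interfaces (fxp2 comes from the original mail), the inside network is 10.0.0.0/24, and the config is loaded with ipnat -f.

```shell
# Added example; assumed interface names and inside network, not from the mails.
IFOUT=fxp0; IFIN=fxp1; IFDMZ=fxp2
FWADDR=123.1.1.1        # firewall's official address, used for "map"
OFFICIAL=123.1.1.2      # DMZ web server as seen from outside
PRIVATE=172.16.1.2      # DMZ web server's real address, behind $IFDMZ
INSIDE=10.0.0.0/24      # assumed inside network (insideaddrs/insidemask)

# Emit the full ipnat.conf: rdr on the interface a packet ARRIVES on,
# map on the interface it LEAVES on, tcp/udp line first, then the rest.
gen_ipnat_conf() {
  cat <<EOF
# redirect web for outsiders and for insiders
rdr $IFOUT $OFFICIAL/32 port 80 -> $PRIVATE port 80 tcp
rdr $IFIN $OFFICIAL/32 port 80 -> $PRIVATE port 80 tcp
# map outgoing
map $IFOUT $INSIDE -> $FWADDR/32 portmap tcp/udp 20000:30000
map $IFOUT $INSIDE -> $FWADDR/32
# map insiders going to dmz
map $IFDMZ $INSIDE -> $FWADDR/32 portmap tcp/udp 20000:30000
map $IFDMZ $INSIDE -> $FWADDR/32
# map dmz going out
map $IFOUT $PRIVATE/32 -> $OFFICIAL/32 portmap tcp/udp 20000:30000
map $IFOUT $PRIVATE/32 -> $OFFICIAL/32
EOF
}

# Read an ipnat.conf on stdin; print one line per problem, fail if any.
lint_ipnat_conf() {
  awk -v ifdmz="$IFDMZ" -v dmzhost="$PRIVATE" '
    /^#/ || NF == 0 { next }
    { dst = ""; for (i = 1; i < NF; i++) if ($i == "->") dst = $(i + 1) }
    $1 == "map" && dst == dmzhost {
      printf "line %d: map rewrites the SOURCE address; use rdr to reach %s\n", NR, dmzhost; bad++ }
    $1 == "rdr" && $2 == ifdmz && dst == dmzhost {
      printf "line %d: rdr on %s never sees packets for the host behind it; use the receiving interface\n", NR, ifdmz; bad++ }
    $1 == "rdr" && $0 !~ / port / {
      printf "line %d: rdr needs a port\n", NR; bad++ }
    $1 == "rdr" && $NF !~ /^(tcp|udp|tcp\/udp)$/ {
      printf "line %d: rdr needs tcp, udp or tcp/udp\n", NR; bad++ }
    END { exit bad ? 1 : 0 }'
}

# Usage: gen_ipnat_conf | lint_ipnat_conf && gen_ipnat_conf > /etc/ipnat.conf
```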
