On Sunday 08 August 2004 04:38 pm, JJB wrote:
> A new rewrite of the FreeBSD handbook firewall section is currently
> being made ready for update to the handbook. You can get an
> in-process copy from www.a1poweruser.com/FBSD_firewall/
The firewall rewrite only deals with a single public nic and a single
internal nic and does not have the information I require.
> From what you posted looks like you want public internet users to
> access web server on one of your LAN machines. Both ipfw and
> ipfilter does this normally with port redirect.
No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when
they request 126.96.36.199:80, where 188.8.131.52 is a PUBLIC ip number on the FreeBSD
internet gateway. Again, the configuration is
de0 = PUBLIC IP = 184.108.40.206
de1 = 192.168.1.1
de2 = 192.168.2.1
I don't have a problem with incoming requests for 220.127.116.11:80 from the Internet
being redirected to 192.168.2.250. That works fine. But I want someone on
192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the
public address 18.104.22.168:80.
Put another way, I have a FreeBSD server acting as a Router/Firewall. It has
a public interface with an IP number of 22.214.171.124 and is assigned the DNS name
www.ishouldhaveusedipfilter.com. It also has a second NIC that supports a
private address space of 192.168.1.0/255.255.255.0 and a third NIC that
supports a private address space of 192.168.2.0/255.255.255.0
When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com
they get redirected to 192.168.2.250 because I've included a redirect_port
rule for NATD. This works fine. But, users on all private networks (I have
two, but there could be 20) also need to be redirected to 192.168.2.250 when
they try to go to www.ishouldhaveusedipfilter.com So the user sitting at
192.168.1.247 shouldn't have to worry about putting in the IP number of the
company web server, they should just be able to put in the company domain
name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250
just like anyone coming from the outside.
> You need to post
> more info about your system config.
> Post the full contents of your rc.conf and firewall rules files.
My rc.conf file is properly configured and has no bearing on my question. My
gateway works fine from public to private IP space and private to public IP
space. I've tried so many combination of rules and NATD options that I
wouldn't know what to post. What I need is someone who has completed a
similar configuration to send me their configuration (change the IP numbers
if you like). From what I can see, I don't believe this is possible with
stateful rules. Let me add that I've been successful with stateless rules,
but I'd like to use 100% stateful if possible.
> The limit you write about ipfilter is not true.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Sunday, August 08, 2004 2:11 PM
> To: [EMAIL PROTECTED]
> Subject: IPFW/NATD Transparent Proxy
> Anyone up for a challenge?
> I've come to the conclusion that IPFW/NATD cannot support
> proxying with ONLY stateful rules. I'd like to hear from anyone who
> been successful doing so in case I'm missing something.
> Configuration is:
> FreeBSD 5.2.1
> 3 - NICS (de0, de1, de2)
> de1 = Public IP = 126.96.36.199
> de2 = LAN1 = 192.168.1.0
> de3 = LAN2 = 192.168.2.0
> The challenge:
> 1) TCP request from 192.168.1.247 to 188.8.131.52:80
> 2) Redirect 184.108.40.206:80 to 192.168.2.250:80
> 3) Use stateful rules
> On another note, I read somewhere on the Internet that IPFILTER has
> limitation in that it cannot redirect a public destination to a
> destination if the source machine is on the same subnet as the
> destination. In other words, the following supposedly will not
> 1) A tcp request from 192.168.1.247 to 220.127.116.11:80
> 2) Redirect 18.104.22.168:80 to 192.168.1.100:80
> Is this an accurate limitation of IPFILTER?
> [EMAIL PROTECTED] mailing list
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"