The firewall rewrite only deals with a single public nic and a single
internal nic and does not have the information I require.  

> From what you posted looks like you want public internet users to
> access web server on one of your LAN machines. Both ipfw and
> ipfilter do this normally with port redirect.

No, I want a user on to be redirected to when 
they request, where is a PUBLIC ip number on the FreeBSD 
internet gateway.  Again, the configuration is
        de0 = PUBLIC IP =
        de1 =
        de2 =

I don't have a problem with incoming requests for from the Internet 
being redirected to  That works fine.  But I want someone on to ALSO 
be redirected to when they request the public address

Put another way, I have a FreeBSD server acting as a Router/Firewall.  It has 
a public interface with an IP number of and is assigned the DNS name 
www.ishouldhaveusedipfilter.com.  It also has a second NIC that supports a 
private address space of and a third NIC that 
supports a private address space of

When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com 
they get redirected to because I've included a redirect_port 
rule for NATD.  This works fine.  But, users on all private networks (I have 
two, but there could be 20) also need to be redirected to when 
they try to go to www.ishouldhaveusedipfilter.com.  So the user sitting at 
shouldn't have to worry about putting in the IP number of the 
company web server, they should just be able to put in the company domain 
name (www.ishouldhaveusedipfilter.com) and be redirected to 
just like anyone coming from the outside.

> You need to post
> more info about your system config.
> Post the full contents of your rc.conf and  firewall rules files.

My rc.conf file is properly configured and has no bearing on my question.  My 
gateway works fine from public to private IP space and private to public IP 
space.  I've tried so many combinations of rules and NATD options that I 
wouldn't know what to post.  What I need is someone who has completed a 
similar configuration to send me their configuration (change the IP numbers
if you like).  From what I can see, I don't believe this is possible with 
stateful rules.  Let me add that I've been successful with stateless rules, 
but I'd like to use 100% stateful if possible.

> The limit you write about ipfilter is not true.

> I've come to the conclusion that IPFW/NATD cannot support transparent
> proxying with ONLY stateful rules.  I'd like to hear from anyone who has
> been successful doing so in case I'm missing something.
> Configuration is:
>         FreeBSD 5.2.1
>         3 - NICS (de0, de1, de2)
>         de1 = Public IP =
>         de2 = LAN1 =
>         de3 = LAN2 =
> The challenge:
>         1) TCP request from to
>         2) Redirect to
>         3) Use stateful rules
> On another note, I read somewhere on the Internet that IPFILTER has a
> limitation in that it cannot redirect a public destination to a private
> destination if the source machine is on the same subnet as the redirected
> destination.  In other words, the following supposedly will not work:
>         1) A tcp request from to
>         2) Redirect to
> Is this an accurate limitation of IPFILTER?
> J
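
Added example, not part of the original message and not ipfw/natd or ipfilter code: a small Python model of the packet path when a LAN client requests the gateway's public address and the gateway redirects it to an internal server. All addresses and the names hairpin, lan_of and rewrite_source are constructed for illustration, and the model assumes the gateway is the default router for every LAN host.

```python
import ipaddress

# Constructed addresses (the post's own addresses are not on the page).
PUBLIC_IP = "203.0.113.10"            # gateway's public address
WEB_SERVER = "192.168.1.80"           # internal web server on LAN1
LANS = {                              # LAN network -> gateway's address on it
    ipaddress.ip_network("192.168.1.0/24"): "192.168.1.1",
    ipaddress.ip_network("192.168.2.0/24"): "192.168.2.1",
}


def lan_of(addr):
    """Return the LAN network containing addr, or None for outside hosts."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in LANS if ip in net), None)


def hairpin(client, rewrite_source=False):
    """Trace one request from client to PUBLIC_IP through the gateway.

    Returns (reply source seen by the client, whether the client accepts it).
    Assumes the gateway is the default router for every LAN host.
    """
    # Gateway rewrites the destination PUBLIC_IP -> WEB_SERVER (the redirect).
    src_seen_by_server = client
    if rewrite_source:
        # Optionally also rewrite the source to the gateway's own address
        # on the server's LAN, so the reply must come back to the gateway.
        src_seen_by_server = LANS[lan_of(WEB_SERVER)]

    if lan_of(src_seen_by_server) == lan_of(WEB_SERVER) \
            and src_seen_by_server == client:
        # Server and client share a subnet: the reply is delivered directly
        # and never crosses the gateway, so nothing restores PUBLIC_IP.
        reply_src = WEB_SERVER
    else:
        # Reply is routed via the gateway, which reverses the translation.
        reply_src = PUBLIC_IP
    # The client opened the connection to PUBLIC_IP and only accepts
    # replies carrying that source address.
    return reply_src, reply_src == PUBLIC_IP


if __name__ == "__main__":
    for client, snat in [("192.168.2.50", False), ("192.168.1.50", False),
                         ("192.168.1.50", True)]:
        print(client, "rewrite_source=%s" % snat, hairpin(client, snat))
```

In this model a client on the other LAN works with a destination rewrite alone, while a client on the server's own subnet only works when the source is rewritten as well.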
