At 19:03:29.38 on 3-JUN-2005 in message <[EMAIL PROTECTED]>, Billy
Newsom <[EMAIL PROTECTED]> wrote:
>Michael T. Davis wrote:
>> I posted this request back on 13-MAY, but I haven't received any
>> responses (private or to the list). If there's some archive material I
>> can review, please pass along a pointer.
>>
>>
>>> Is there any way to utilize ipnat with ipf when running as a bridge?
>>>In particular, we'd like to redirect various services from one side of the
>>>bridge to a specific address on the other side of the bridge. FWIW, we're
>>>running IPF v3.3.18 under OpenBSD v2.8.
>
>[...]
>Or, wait, maybe you are specifying something else....
>In ipnat.rules...
> >
> >rdr <ext-if> <another-IP>/32 port 23 -> <telnet-IP> port 23 tcp
>
>No, I see what you did. The <another-IP> should be your firewall's IP
>address to the outside world. Usually a global IP (but in my case, I
>have an upstream NAT/Router and my firewall is actually in the
>192.168.1.0/24 subnet).
>
>That <another-IP> is not for the ipnat rules. It is only for ipfilter
>rules. The NAT router careth not for things of that sort.
>
>Note that my case seems to be a little simpler -- ipnat and ipfilter are
>on the same box here (is that your case?). You might need to throw in
>some fake or real IP addresses and rewrite your problem if this doesn't
>fix it or it's more complicated.
Yes, ipnat and ipfilter are on the same box. From your response,
though, it sounds like this isn't possible, unless the original IP address to
be redirected is that of the firewall. I require a mechanism for redirecting
traffic sent to one IP behind the firewall to another IP behind the firewall,
neither of which actually is (the IP address of) the firewall. The
documentation seems to imply this is possible when the firewall is acting as a
router, but I guess this functionality isn't available when the firewall is
working as a bridge.
Darren: Could you confirm this, please?
>
>[...]
>>
>> I should have also mentioned that the firewall is basically a turnkey
>> system...we can't really upgrade it.
>>
>>
>>> I tried using telnet as a test:
>>>
>>>In /etc/ipf.rules...
>>>
>>>pass in quick on <ext-if> proto tcp \
>>>from any to <telnet-IP> port = 23 flags S keep state
>>>
>>>In ipnat.rules...
>>>
>>>rdr <ext-if> <another-IP>/32 port 23 -> <telnet-IP> port 23 tcp
>>>
>>>The "<variables>" are just placeholders here for what, in practice, are actual
>>>entities (IP addresses or interfaces). Using `ipnat -l', I can see a session
>>>for the attempt I initiate from outside the firewall to <another-IP>:
>>>
>>>RDR <telnet-IP> 23 <- -> <another-IP> 23 [<outside-IP> 2496]
>>>
>>>
>>>...But the connection doesn't seem to get anywhere. (I don't see the expected
>>>login process initiate and the telnet client eventually times out.) Here,
>>>both <telnet-IP> and <another-IP> are behind (or inside) the firewall, and
>>><outside-IP> isn't. Assuming this should work, what other diagnostics could I
>>>enlist to help track down the problem?
>>>[...]
Thanks,
Mike
--
Michael T. Davis | Systems Specialist: CBE,MSE
E-mail: [EMAIL PROTECTED] | Departmental Networking/Computing
-or- [EMAIL PROTECTED] | The Ohio State University
http://www.ecr6.ohio-state.edu/~davism/ | 197 Watts, (614) 292-6928
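[Editor's note, not part of the thread.] The `ipnat -l' session line quoted above ("RDR <telnet-IP> 23 <- -> <another-IP> 23 [<outside-IP> 2496]") is the one piece of hard evidence in this exchange: it shows that ipnat did create a redirect session for the outside client. When there are more than a handful of sessions, reading them by eye is error-prone, so the added example below parses that line shape and checks every session that arrived for the published address against the real address the rdr rule is supposed to deliver to. This is example code written for this page, not code from the thread or from the IPFilter project. It assumes the session line has exactly the field order shown in the quoted sample (real addr/port, "<- ->", mapped addr/port, then "[src addr port]"); other ipnat versions may print something different. The sample output and the addresses in it (203.0.113.10 for <another-IP>, 10.0.0.5 for <telnet-IP>, 198.51.100.x for outside clients) are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of one "ipnat -l" RDR session line, taken from the sample quoted in the
# thread:   RDR <telnet-IP> 23 <- -> <another-IP> 23 [<outside-IP> 2496]
# i.e.      RDR real-addr real-port <- -> mapped-addr mapped-port [src-addr src-port]
# Assumption: this field order; it is inferred from that one sample line only.
_RDR_RE = re.compile(
    r"^RDR\s+(?P<real_addr>\S+)\s+(?P<real_port>\d+)\s+<-\s+->\s+"
    r"(?P<mapped_addr>\S+)\s+(?P<mapped_port>\d+)\s+"
    r"\[(?P<src_addr>\S+)\s+(?P<src_port>\d+)\]\s*$"
)

# Constructed sample of "ipnat -l" output (not captured from a real box).
SAMPLE_IPNAT_L = """\
List of active MAP/Redirect filters:
rdr fxp0 203.0.113.10/32 port 23 -> 10.0.0.5 port 23 tcp

List of active sessions:
RDR 10.0.0.5 23 <- -> 203.0.113.10 23 [198.51.100.7 2496]
RDR 10.0.0.5 23 <- -> 203.0.113.10 23 [198.51.100.9 3301]
"""


@dataclass
class RdrSession:
    real_addr: str     # where ipnat actually delivers the packet (<telnet-IP>)
    real_port: int
    mapped_addr: str   # the address the outside client connected to (<another-IP>)
    mapped_port: int
    src_addr: str      # the outside client
    src_port: int


def parse_rdr_line(line: str) -> Optional[RdrSession]:
    """Parse one RDR session line; return None for rule lines, headers, blanks."""
    m = _RDR_RE.match(line.strip())
    if not m:
        return None
    return RdrSession(
        m["real_addr"], int(m["real_port"]),
        m["mapped_addr"], int(m["mapped_port"]),
        m["src_addr"], int(m["src_port"]),
    )


def find_redirects(output: str, mapped_addr: str, mapped_port: int) -> List[RdrSession]:
    """All RDR sessions for connections that arrived for mapped_addr:mapped_port."""
    found = []
    for line in output.splitlines():
        s = parse_rdr_line(line)
        if s and s.mapped_addr == mapped_addr and s.mapped_port == mapped_port:
            found.append(s)
    return found


def check_redirect(output: str, mapped_addr: str, mapped_port: int,
                   expect_real_addr: str, expect_real_port: int) -> List[str]:
    """Return one problem string per session that was not rewritten to the
    expected real address/port; an empty list means all sessions look right
    (or there were none, which is itself worth noticing)."""
    problems = []
    for s in find_redirects(output, mapped_addr, mapped_port):
        if (s.real_addr, s.real_port) != (expect_real_addr, expect_real_port):
            problems.append(
                f"client {s.src_addr}:{s.src_port} -> {s.mapped_addr}:{s.mapped_port} "
                f"was rewritten to {s.real_addr}:{s.real_port}, "
                f"expected {expect_real_addr}:{expect_real_port}"
            )
    return problems


if __name__ == "__main__":
    # Feed real output with:  ipnat -l | python3 this_file.py  (adjust addresses)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPNAT_L
    for s in find_redirects(text, "203.0.113.10", 23):
        print(s)
    for p in check_redirect(text, "203.0.113.10", 23, "10.0.0.5", 23):
        print("PROBLEM:", p)
```

A session entry that checks out only proves that the rewrite happened; it says nothing about whether the rewritten SYN was forwarded or whether <telnet-IP> answered. The natural next step, which the thread does not get to, is to run tcpdump on the inside interface and look for the SYN to <telnet-IP> port 23 and for the SYN/ACK coming back, so that a forwarding problem can be told apart from a NAT problem.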