Thanks Jim! I missed the from keyword, you were right!
Thanks also for the bug problem, in fact I have all ssh connections timing out
easily.
Gabriele.
Gabriele Bulfon - Sonicle S.r.l.
Tel +39 028246016 Int. 30 - Fax +39 028243880
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY
http://www.sonicle.com
-= Mail sent through WebTop2 =-
----------------------------------------------------------------------------------
From: Jim Klimov
To: Gabriele Bulfon
Cc: [email protected]
Date: 10 March 2010 22.14.31 CET
Subject: Re: Nat to specific destination not accepted
Maybe the email clients digested part of your rule example,
but it seems to miss the "from" keyword.
Our firewall machine (currently with native IPFilter from
OpenSolaris snv_129 x86_64) also runs OpenVPN as
both a client (to access remote nets from ours) and as a
server (for remote employees).
We have rules like those below working to squeeze both
remote-vpn users (private net processed between OpenVPN
instances on the firewall server and employees' clients)
and all our office-defined networks into one IP of the
other remote network - to which our firewall is a client.
For example, we access one net 192.168.1.0/24 using
a fixed private OpenVPN IP address in their DMZ
192.168.10.101, and the firewall knows of a route
to 192.168.1.0/24 via 192.168.10.1 accessible
thru the "tap0" interface. So here go the NAT rules
for both the remote DMZ net and their internal net
we need access to:
map tap0 from any to 192.168.10.0/24 -> 192.168.10.101/32 portmap tcp/udp auto age 600
map tap0 from any to 192.168.1.0/24 -> 192.168.10.101/32 portmap tcp/udp auto age 600
map tap0 from any to 192.168.10.0/24 -> 192.168.10.101/32 age 600
map tap0 from any to 192.168.1.0/24 -> 192.168.10.101/32 age 600
As an offtopic note: the OpenSolaris native IPF was
compiled with small defaults for TCP state table, so
many of our SSH sessions were timing out abruptly.
This bug report I found has a working workaround:
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6900850
HTH,
//Jim
Gabriele Bulfon wrote:
Hello,
I need to run a specific nat on a Sun T2000 machine running "Solaris 10 11/06
s10s_u3wos_10 SPARC".
The running ipfilter is not the original one coming with Solaris 10; I removed
it and installed from sources "IP Filter: v4.1.28 (600)", and it's working great
since May 2009.
The machine has 2 ethernets, one public (e1000g0) and one private (ce0).
Normal nats and firewall rules already run great.
Now, I have a router (192.168.102.134) in the LAN going to a vpn (to
192.168.138.0).
This router accepts connections only from the T2000 private IP
(192.168.102.102).
I need to masquerade private traffic coming from 192.168.122.x (another
private network coming from another vpn) going to 192.168.138.0 with the
T2000 private ip.
The source vpn routers are already configured to route traffic going to
192.168.138.0 through the T2000 ip.
Looking at the documentation, I tried doing this:
map ce0 192.168.122.0/24 to 192.168.138.0/24 -> 192.168.102.102/32
but reloading the rules, ipnat complains that the "to" keyword is a bad
syntax...
Why?
Gabriele.
--
Jim Klimov
CTO, JSC COS&HT
+7-903-7705859 (cellular) mailto:[email protected]
CC:[email protected],[email protected]
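The rejection Gabriele hit comes from the required `from` keyword in an ipnat `map` rule. The following is an added example, not code from the thread or from IPFilter: a small Python linter that models the subset of the `map` grammar used in the rules above (`map IFACE from SRC to DST -> NAT [portmap tcp|udp|tcp/udp auto|LOW:HIGH] [age SECS]`), reports the first syntax problem in each rule, and checks which packets a parsed rule would translate. The sample rules are Jim's working ones and Gabriele's rejected one (with the corrected form added for comparison); the grammar model and the `rule_matches` semantics are my simplification of ipnat(5), not its actual parser.

```python
import ipaddress

# Simplified model of the ipnat "map" rule grammar used in the thread (assumption:
# this is a teaching subset, not IPFilter's full parser):
#   map IFACE from SRC to DST -> NAT [portmap tcp|udp|tcp/udp auto|LOW:HIGH] [age SECS]


def _tok(tok, i, what):
    """Return token i or raise a clear error if the rule ends early."""
    if i >= len(tok):
        raise ValueError(f"rule ends before {what}")
    return tok[i]


def _net(text, what):
    """Parse 'any' or an address/CIDR into an ip_network, or raise a clear error."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        raise ValueError(f"{what}: {text!r} is not an address or CIDR network") from None


def _port_range(text):
    lo, sep, hi = text.partition(":")
    return sep == ":" and lo.isdigit() and hi.isdigit() and 0 < int(lo) <= int(hi) <= 65535


def parse_map_rule(rule):
    """Parse one map rule; raises ValueError naming the first syntax problem."""
    tok = rule.split()
    if not tok or tok[0] != "map":
        raise ValueError("expected: map IFACE from SRC to DST -> NAT ...")
    iface = _tok(tok, 1, "interface name")
    # ipnat insists on the 'from' keyword; leaving it out is the error in the thread
    if _tok(tok, 2, "'from'") != "from":
        raise ValueError(f"expected 'from' after interface {iface!r}, got {tok[2]!r}")
    src = _net(_tok(tok, 3, "source network"), "source")
    if _tok(tok, 4, "'to'") != "to":
        raise ValueError(f"expected 'to' after source, got {tok[4]!r}")
    dst = _net(_tok(tok, 5, "destination network"), "destination")
    if _tok(tok, 6, "'->'") != "->":
        raise ValueError(f"expected '->' after destination, got {tok[6]!r}")
    nat = _net(_tok(tok, 7, "translation address"), "translation address")
    parsed = {"iface": iface, "src": src, "dst": dst, "nat": nat,
              "portmap": None, "age": None}
    i = 8
    while i < len(tok):  # optional trailing clauses
        if tok[i] == "portmap":
            proto = _tok(tok, i + 1, "portmap protocol")
            ports = _tok(tok, i + 2, "portmap port spec")
            if proto not in ("tcp", "udp", "tcp/udp"):
                raise ValueError(f"portmap: unknown protocol {proto!r}")
            if ports != "auto" and not _port_range(ports):
                raise ValueError(f"portmap: bad port range {ports!r}")
            parsed["portmap"] = (proto, ports)
            i += 3
        elif tok[i] == "age" and _tok(tok, i + 1, "age seconds").isdigit():
            parsed["age"] = int(tok[i + 1])
            i += 2
        else:
            raise ValueError(f"unexpected token {tok[i]!r}")
    return parsed


def lint_rules(rules):
    """Map each rule to None when it parses, or to the error message when it does not."""
    out = {}
    for r in rules:
        try:
            parse_map_rule(r)
            out[r] = None
        except ValueError as e:
            out[r] = str(e)
    return out


def rule_matches(parsed, iface, src_ip, dst_ip):
    """Would this map rule translate a packet leaving iface from src_ip to dst_ip?"""
    return (parsed["iface"] == iface
            and ipaddress.ip_address(src_ip) in parsed["src"]
            and ipaddress.ip_address(dst_ip) in parsed["dst"])


# Sample rules copied from the thread (Jim's working set, Gabriele's rejected rule)
# plus the corrected form of Gabriele's rule for comparison.
JIM_RULES = [
    "map tap0 from any to 192.168.10.0/24 -> 192.168.10.101/32 portmap tcp/udp auto age 600",
    "map tap0 from any to 192.168.1.0/24 -> 192.168.10.101/32 portmap tcp/udp auto age 600",
    "map tap0 from any to 192.168.10.0/24 -> 192.168.10.101/32 age 600",
    "map tap0 from any to 192.168.1.0/24 -> 192.168.10.101/32 age 600",
]
GABRIELE_BROKEN = "map ce0 192.168.122.0/24 to 192.168.138.0/24 -> 192.168.102.102/32"
GABRIELE_FIXED = "map ce0 from 192.168.122.0/24 to 192.168.138.0/24 -> 192.168.102.102/32"

if __name__ == "__main__":
    for rule, err in lint_rules(JIM_RULES + [GABRIELE_BROKEN, GABRIELE_FIXED]).items():
        print("OK  " if err is None else "ERR ", rule, "" if err is None else f"  <- {err}")
    fixed = parse_map_rule(GABRIELE_FIXED)
    print(rule_matches(fixed, "ce0", "192.168.122.7", "192.168.138.20"))  # True
    print(rule_matches(fixed, "ce0", "192.168.122.7", "10.0.0.1"))         # False
```

Running the linter on the two Gabriele rules shows the difference in one line of output: the original is rejected at the position where `from` was expected, while the corrected rule parses and, as `rule_matches` confirms, would translate traffic from the 192.168.122.0/24 net to 192.168.138.0/24 leaving ce0 but nothing else. Checking rule files this way before `ipnat -f` reloads them catches the syntax slip without touching the live NAT table.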