Re: firewalls' behavior help

2006-07-03 Thread efrenba
Box:freeBSD 6.0, ipf: IP Filter: v4.1.8 (416), Kernel: IP Filter: v4.1.8

Network layout:
---
other building [ PCs - 192.168.80.0/24 ]
 |
 g1 (ipf - vr0:192.168.80.2 - sis0:10.10.10.13)
 |
My Lan ( 10.10.10.0/24 )

[ PCs (DefaultGw = g2) ]

[ MailSrv (10.10.10.12) (pop3/smtp/ssh) (DefaultGw = g2) ]

[ WebSrv (10.10.10.11) (http) (DefaultGw = g1) ]
 |
 g2
 |
Internet


ipnat.rules
---
map vr0 10.10.10.0/24 -> 192.168.80.2/32 proxy port 21 ftp/tcp
map vr0 10.10.10.0/24 -> 192.168.80.2/32

rdr vr0 192.168.80.2/32 port 80 -> 10.10.10.11 port 80 tcp
rdr vr0 192.168.80.2/32 port 22 -> 10.10.10.12 port 22 tcp
rdr vr0 192.168.80.2/32 port 25 -> 10.10.10.12 port 25 tcp
rdr vr0 192.168.80.2/32 port 110 -> 10.10.10.12 port 110 tcp


ipf.rules
-
### No restrictions inside LAN Interface ###
pass out quick on sis0 all
pass in quick on sis0 all

### No restrictions on Loopback Interface ###
pass out quick on lo0 all
pass in quick on lo0 all

### Allow out DNS queries ###
pass out quick on vr0 proto tcp from any to 192.168.10.5 port = 53 flags S keep state
pass out quick on vr0 proto udp from any to 192.168.10.5 port = 53 keep state


### Allow IE out ###
pass out quick on vr0 proto tcp from any to any port = 80 flags S keep state

### Allow Squid Access out ###
pass out quick on vr0 proto tcp from any to any port = 3128 flags S keep state
pass out quick on vr0 proto tcp from any to any port = 3130 flags S keep state

### Allow FTP out ###
pass out quick on vr0 proto tcp from any to any port = 21 flags S keep state

### Allow Remote Desktop to WinXP external PCs ###
pass out quick on vr0 proto tcp from any to any port = 3389 flags S keep state

### Allow MailServer to Deliver mails ###
pass out quick on vr0 proto tcp from any to any port = 25 flags S keep state


### Block and Log only first occurrence of everything ###
block out log first quick on vr0 all


### Block all inbound traffic from non-routable or reserved address spaces
...



### Allow in ssh session from other building ###
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state

### Allow in HTTP session from public to Internal MailServer ###
pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state

### Allow in SMTP access to Internal Mail Server ###
pass in quick on vr0 proto tcp from any to any port = 25 flags S keep state

### Allow in POP3 access to Internal Mail Server ###
pass in quick on vr0 proto tcp from any to any port = 110 flags S keep state


### Block and log only first occurrence of all remaining traffic ###
block in log first quick on vr0 all


The situation:
--
...if the server (MailSrv) is redirected to G1, the users are able to
connect to the services. To be sure about it I redirected the
server (WebSrv) with apache that before was pointing to G1 to G2 (internet)
and the access was broken for the other building...

Why does this happen?





 If I understand your description, it could be mapped like this:

 net1 is the other building's network
 net1pc1 .. net1pcN

 net2 is your network
 net2pc1 .. net2pcN
 net2server1 .. net2server3

 g1 == net1,net2
 g2 == net2,Internet

 Assumptions:
 net1 and net2 are private
 the default gateway for g1 is g2
 g1 is using a map rule to nat net1 hosts to net2
 the default gateway for g2 is on the Internet
 g2 is using a map rule to nat net2 hosts to the Internet

 If a net1 PC connects through g1, it would be mapped as coming from g1.
 Since g1 is on net2, and g2 can route to net2, the servers using g2 as
 the default route should have no problem.  My assumptions may be false.
 Would you post the g1 and g2 ipf.conf and ipnat.conf, and specify the
 net1 and net2 CIDRs?

 Thank you,

 Ben

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
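The question above is why the redirected services only work while the internal server sends its replies back through g1. The following Python model is an added example, not code from the thread or from ipfilter: it simulates one TCP connection from the other building through the posted `rdr` rules, tracks the DNAT state that g1 must undo on the return path, and shows what happens to the reply depending on the server's default gateway. The `G1` state table, the g2 forwarding behaviour (no route back to 192.168.80.0/24 through g1) and the `extra_routes` parameter standing in for a static route on the server are simplifying assumptions of this example.

```python
"""Packet-path model of the posted topology (constructed example).

Topology, from the original post:
  other building 192.168.80.0/24 -- vr0 [g1] sis0 -- 10.10.10.0/24 -- g2 -- Internet
  g1: vr0 192.168.80.2, sis0 10.10.10.13
  WebSrv 10.10.10.11 (default gw g1), MailSrv 10.10.10.12 (default gw g2)

The posted ipnat 'rdr' rules rewrite only the destination of packets arriving
on vr0; the client's source address is untouched. The server's reply is
therefore addressed to 192.168.80.x and must pass back through g1 for the rdr
state to be reversed. A server whose default route points at g2 sends that
reply elsewhere, and the connection never completes.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

NET1 = ip_network("192.168.80.0/24")   # other building
NET2 = ip_network("10.10.10.0/24")     # local LAN
G1_VR0 = "192.168.80.2"                # g1's address facing the other building

# rdr table taken from the posted ipnat.rules: public port -> internal host
RDR = {80: "10.10.10.11", 22: "10.10.10.12", 25: "10.10.10.12", 110: "10.10.10.12"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class G1:
    """Minimal model of g1's rdr behaviour (assumption: DNAT in, reverse NAT out)."""

    def __init__(self):
        self.state = {}   # (client, client port, internal host, port) -> seen

    def inbound_vr0(self, pkt):
        """Packet arriving on vr0: apply rdr or fall through to the block rule."""
        if pkt.dst != G1_VR0 or pkt.dport not in RDR:
            return None
        internal = RDR[pkt.dport]
        self.state[(pkt.src, pkt.sport, internal, pkt.dport)] = True
        return replace(pkt, dst=internal)

    def outbound_vr0(self, pkt):
        """Reply leaving on vr0: restore g1's address only for a known rdr session."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.state:
            return None
        return replace(pkt, src=G1_VR0)


def server_reply(pkt, default_gw, extra_routes=()):
    """Build the server's reply and pick its next hop from a tiny routing table."""
    reply = Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)
    dst = ip_address(reply.dst)
    if dst in NET2:
        return reply, "direct"                 # connected route
    for net, hop in extra_routes:              # e.g. a static route for NET1 via g1
        if dst in net:
            return reply, hop
    return reply, default_gw                   # default route


def g2_forward(pkt):
    """Assumed g2 behaviour: routes to NET2 and the Internet, knows nothing of NET1."""
    dst = ip_address(pkt.dst)
    if dst in NET2:
        return "net2"
    if dst.is_private:
        return "dropped"                       # private destination, no route
    return "internet"


def connect(client, dport, default_gw, extra_routes=()):
    """Simulate one connection from the other building to a redirected service."""
    g1 = G1()
    syn = Packet(client, 40000, G1_VR0, dport)
    fwd = g1.inbound_vr0(syn)
    if fwd is None:
        return "blocked"                       # no rdr match: hits 'block in ... all'
    reply, hop = server_reply(fwd, default_gw, extra_routes)
    if hop == "g1":
        back = g1.outbound_vr0(reply)
        return "ok" if back and back.src == G1_VR0 else "broken"
    # Reply bypassed g1, so the rdr state is never reversed; report where g2 sent it.
    return "broken:" + g2_forward(reply)


if __name__ == "__main__":
    print("WebSrv  (gw g1), port 80 :", connect("192.168.80.10", 80, "g1"))
    print("MailSrv (gw g2), port 110:", connect("192.168.80.10", 110, "g2"))
    print("MailSrv + route to NET1  :", connect("192.168.80.10", 110, "g2",
                                             extra_routes=((NET1, "g1"),)))
```

The model reproduces the observation in the post: the WebSrv (default gateway g1) answers through g1 and the session completes, while the MailSrv (default gateway g2) hands its reply to g2, which has no path back into g1's rdr state. The third run shows that a route for 192.168.80.0/24 via g1 on the server, or any other arrangement that keeps both directions of the flow on the same NAT box, restores the session; with `keep state` rules, both halves of a connection must cross the same gateway for the state and the NAT translation to be consistent.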


Re: firewalls' behavior help

2006-07-03 Thread efrenba
Sorry,

this mail was for the ipfilter list...




-- 
Efren Bravo
Sistemas DHL-Cuba
Telf-Pizarra: (537)-2041578 Ext 123