Re: ipnat syntax error?

2006-04-03 Thread Juergen Heberling

Erik Nørgaard wrote:

.. snip ..




Well, my suggestion is not to exhaust your precious /28 address space 
right away. And don't make your life unnecessarily difficult; why choose 
the addresses in the middle for bimap?



Rather than using all your external ip's right away I would save some 
for later expansion, and reserve one for debugging. You may need to 
connect a laptop on the external net to figure out what's going on. You 
could do this: x.x.x.0/29 to servers (bimap), x.x.x.8/30 debug and 
future expansion (not mapped), x.x.x.12/30 map for lan clients.


If you stick to cidr you can also write your filter rules in cidr, making 
it far easier to read and maintain.


For the mapping, and bimapping consider this:

The /24 network you want to map contains at most 254 hosts. If you 
map that network to a single ip, then each host can establish at least 
256 simultaneous connections. My experience is that this is far more than 
needed in most normal operating environments. I'd suggest using the same 
ip as on the firewall external interface.


If the purpose of binatting is to make one service available, http say, 
then you may consider using rdr. IIRC you can also use rdr to round 
robin load balancing incoming connections.


That way you can have one host serving http and another serving smtp on 
the same external ip. The only reason to use different ip's is if you're 
hosting a number of https servers; each needs a different ip.


There's no point in bimapping all ports on an external ip to one single 
internal ip if most of them are blocked by the filter.


Cheers, Erik


Erik,

Thank you again for your advice.

Due to historical reasons I can not just take a /29 or /30 block out of 
the middle of the cidr I will ultimately use -- this FreeBSD server will 
implement a firewall on an existing connection replacing an old Cisco 
router that only NAT'd.  So I will see if things can work with just 
one map with portmaps.


Please note that the - for the range syntax is documented in several 
places, not just the FreeBSD handbook and should probably be fixed.


Thanks again.
Juergen
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ipnat syntax error?

2006-04-03 Thread Erik Norgaard

Juergen Heberling wrote:
Due to historical reasons I can not just take a /29 or /30 block out of 
the middle of the cidr I will ultimately use -- this FreeBSD server will 
implement a firewall on an existing connection replacing an old Cisco 
router that only NAT'd.  So I will see if things can work with just 
one map with portmaps.


Please note that the - for the range syntax is documented in several 
places, not just the FreeBSD handbook and should probably be fixed.


Check out packet filter as an alternative; you can map any pool of 
addresses as you like:


  http://openbsd.org/faq/pf/nat.html

You can use a list or a table to specify what src addresses are mapped to 
what dst addresses.


Cheers, Erik
--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9


RE: ipnat syntax error?

2006-04-03 Thread fbsd_user

You can use this format of the ipnat map command

map dc0 10.0.10.1/29 -> 20.20.20.5-20.20.20.7



Re: ipnat syntax error?

2006-04-03 Thread Juergen Heberling

fbsd_user wrote:

You can use this format of the ipnat map command

map dc0 10.0.10.1/29 -> 20.20.20.5-20.20.20.7


.. snip ..
The above version of the command also results in a syntax error at the -.

Juergen


Re: ipnat syntax error?

2006-04-02 Thread Erik Nørgaard

Juergen Heberling wrote:

/etc/ipnat.rules contains:
map  em0 192.168.1.0/24 -> 204.134.75.1-10
.. snip ..


I tried your suggestion of using the cidr notation format and that worked; 
thank you!


However I am concerned about overlapping mappings in the cidr range with 
host-to-host maps - my cidr range is a /28, for example,
and I want to map (spoof) some IP address in the middle to, say the web 
or mail servers.  In order to avoid the overlap I was counting on the 
range specification on the map command.


Well, my suggestion is not to exhaust your precious /28 address space 
right away. And don't make your life unnecessarily difficult; why choose 
the addresses in the middle for bimap?



Rather than using all your external ip's right away I would save some 
for later expansion, and reserve one for debugging. You may need to 
connect a laptop on the external net to figure out what's going on. You 
could do this: x.x.x.0/29 to servers (bimap), x.x.x.8/30 debug and 
future expansion (not mapped), x.x.x.12/30 map for lan clients.


If you stick to cidr you can also write your filter rules in cidr, making 
it far easier to read and maintain.


For the mapping, and bimapping consider this:

The /24 network you want to map contains at most 254 hosts. If you 
map that network to a single ip, then each host can establish at least 
256 simultaneous connections. My experience is that this is far more than 
needed in most normal operating environments. I'd suggest using the same 
ip as on the firewall external interface.


If the purpose of binatting is to make one service available, http say, 
then you may consider using rdr. IIRC you can also use rdr to round 
robin load balancing incoming connections.


That way you can have one host serving http and another serving smtp on 
the same external ip. The only reason to use different ip's is if you're 
hosting a number of https servers; each needs a different ip.


There's no point in bimapping all ports on an external ip to one single 
internal ip if most of them are blocked by the filter.


Cheers, Erik
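As an added illustration (not from the thread or from any of its authors), here is an /etc/ipnat.rules laid out along the lines Erik suggests, using the em0 interface, the 192.168.1.0/24 LAN and a 204.134.75.0/28 external block taken from Juergen's post; the internal server addresses 192.168.1.10, .11 and .12 are assumed.

```conf
# Added example, not the thread's own configuration.
# Assumed: external block 204.134.75.0/28 on em0, LAN 192.168.1.0/24,
# internal hosts 192.168.1.10 (web), .11 (mail), .12 (second web) are made up.
#
# Address plan on CIDR boundaries, per Erik's split of the /28:
#   204.134.75.0/29   servers (bimap / rdr)        .0  - .7
#   204.134.75.8/30   debug + future, not mapped   .8  - .11
#   204.134.75.12/30  outbound map for LAN clients .12 - .15
#
# ipnat evaluates NAT rules in order and uses the first match, so the
# host-specific bimap comes before the broad LAN map; that is what keeps the
# server's traffic out of the /24 map and avoids the overlap Juergen worries about.

# One public address per internal server, all ports, both directions.
# Only worth it if the filter actually lets more than a service or two in.
bimap em0 192.168.1.10/32 -> 204.134.75.2/32

# Cheaper alternative for a single service: redirect only the port, so two
# internal hosts can share one external address (http and smtp on .3).
rdr em0 204.134.75.3/32 port 80 -> 192.168.1.11 port 80 tcp
rdr em0 204.134.75.3/32 port 25 -> 192.168.1.11 port 25 tcp

# Spread one service over several backends with rdr round-robin.
rdr em0 204.134.75.4/32 port 80 -> 192.168.1.10,192.168.1.12 port 80 tcp round-robin

# Outbound NAT for the LAN on a CIDR block rather than a dash range.
# The second line catches protocols other than tcp/udp (e.g. icmp).
map em0 192.168.1.0/24 -> 204.134.75.12/30 portmap tcp/udp 10000:60000
map em0 192.168.1.0/24 -> 204.134.75.12/30

# Erik's simpler option: NAT everything behind the firewall's own external
# address (0/32 = address of em0), which spares the rest of the /28 entirely.
# map em0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
# map em0 192.168.1.0/24 -> 0/32
```

Check the file the same way as in the thread, ipnat -CFn -f /etc/ipnat.rules, before loading it; the -n flag parses without applying.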


ipnat syntax error?

2006-04-01 Thread Juergen Heberling

Could someone please check me on this ...

fw1# ipnat -CFn -f /etc/ipnat.rules
0 entries flushed from NAT table
1 entries flushed from NAT list
syntax error error at -, line 1

/etc/ipnat.rules contains:
map  em0 192.168.1.0/24 -> 204.134.75.1-10
.. snip ..

line 1 in the rules file is the example from the FreeBSD handbook.
I'm running FreeBSD6.0 stable.

TIA
Juergen



Re: ipnat syntax error?

2006-04-01 Thread Erik Nørgaard

Juergen Heberling wrote:

Could someone please check me on this ...

fw1# ipnat -CFn -f /etc/ipnat.rules
0 entries flushed from NAT table
1 entries flushed from NAT list
syntax error error at -, line 1

/etc/ipnat.rules contains:
map  em0 192.168.1.0/24 -> 204.134.75.1-10
.. snip ..

line 1 in the rules file is the example from the FreeBSD handbook.
I'm running FreeBSD6.0 stable.


It seems to be a documentation bug: the ipf-howto.txt distributed with 
ipfilter makes no mention of that notation; instead you should use cidr 
notation, for example


  204.134.75.0/29

Erik




Re: ipnat syntax error?

2006-04-01 Thread Juergen Heberling



Erik Nørgaard wrote:

Juergen Heberling wrote:

Could someone please check me on this ...

fw1# ipnat -CFn -f /etc/ipnat.rules
0 entries flushed from NAT table
1 entries flushed from NAT list
syntax error error at -, line 1

/etc/ipnat.rules contains:
map  em0 192.168.1.0/24 -> 204.134.75.1-10
.. snip ..

line 1 in the rules file is the example from the FreeBSD handbook.
I'm running FreeBSD6.0 stable.


It seems to be a documentation bug: the ipf-howto.txt distributed with 
ipfilter makes no mention of that notation; instead you should use cidr 
notation, for example


  204.134.75.0/29

Erik



Erik,

Thank you for the quick response.
I tried your suggestion of using the cidr notation format and that worked; 
thank you!


However I am concerned about overlapping mappings in the cidr range with 
host-to-host maps - my cidr range is a /28, for example,
and I want to map (spoof) some IP address in the middle to, say the web 
or mail servers.  In order to avoid the overlap I was counting on the 
range specification on the map command.


TIA for any suggestions.
Juergen