RE: ipfw, natd and routing question

From: John Keck (jkeck@NextLeft.COM)
Date: 06/12/01


From: John Keck <jkeck@NextLeft.COM>
To: "'Robin Huiser'" <robin@bequbed.com>, freebsd-security@FreeBSD.ORG
Date: Tue, 12 Jun 2001 13:57:03 -0700

The first case diverts incoming packets for the DMZ, which you don't want.
The second case fails to divert response packets for the inside, which you
do want. Try:

 ${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to not x.x.242.48:255.255.255.240 via ${natd_interface}

Hope this helps...
J. Keck
NextLeft, Inc.
San Diego, CA USA
jkeck@nextleft.com

-----Original Message-----
From: Robin Huiser [mailto:robin@bequbed.com]
Sent: Monday, June 11, 2001 7:47 AM
To: freebsd-security@FreeBSD.ORG
Subject: FW: ipfw, natd and routing question

Hi all,

I hope someone can help me with this problem I'm trying to solve. I think
the answer is trivial, but so far I'm stuck.

Our FreeBSD 4.2-STABLE firewall has three network cards as shown below:

                                -- DMZ
                               /
               EXT--FIREWALL---
                               \
                                -- LAN

-The EXT interface: connected to the Internet, IP subnet x.x.242.32/240
-The DMZ interface: connected to our DMZ subnet, IP subnet x.x.242.48/240
-The LAN interface: connected to our LAN subnet, IP subnet 192.168.1.0/24

I use NAT to 'route' traffic from the LAN to the Internet
I use ipfw rules to ROUTE traffic from the Internet to the DMZ subnet

So far, so good.

But... how do I prevent the NAT to 'translate' the IP addresses when a
session is set up from the DMZ segment to a host somewhere on the Internet?
I want all traffic to be routed from the DMZ subnet to the Internet...

I've tried to alter the natd rule, without any success.
The rules I tried didn't work or had bad side effects, so I moved back to
the standard natd rule, but everything gets NAT-ed now...

Some examples I tried:

#
# The rule below works, but it causes TCP/IP timeouts and a *very* slow
# connection between the DMZ and EXT subnets...
#
${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to any via ${natd_interface}

#
# The rule below doesn't work at all (?) Don't know why...
#
${fwcmd} add divert natd all from 192.168.1.0:255.255.255.0 to any via ${natd_interface}

Please advise...

Cheers -- Robin

__________________________________________________________________

Robin Huiser robin@bequbed.com
BeQubed N.V. http://www.bequbed.com

Veenwal 130, 3432 ZE Nieuwegein, The Netherlands
tel: +31 (30) 6023 626 (OFFICE)
mobile: +31 (6) 2061 9842
fax: +31 (30) 6586 090
__________________________________________________________________


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
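To make the diagnosis in the reply concrete, here is a small added rule evaluator (not part of the thread, not ipfw code) that checks the three divert rules against the four packet types natd sees on the external interface. It uses TEST-NET addresses in place of the undisclosed x.x.242.0/24 prefix, and assumes a firewall EXT address of 203.0.113.33 and an arbitrary Internet peer.

```python
import ipaddress

# Constructed stand-in addresses: TEST-NET-3 (203.0.113.0/24) replaces the thread's
# undisclosed x.x.242.0/24; the firewall's own EXT address and the peer are assumptions.
DMZ_NET = ipaddress.ip_network("203.0.113.48/28")     # x.x.242.48:255.255.255.240
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FW_EXT = ipaddress.ip_address("203.0.113.33")         # firewall address on EXT (assumed)
INTERNET_HOST = ipaddress.ip_address("198.51.100.7")  # remote peer (TEST-NET-2, constructed)

def term(spec):
    """Parse one ipfw address term: 'any', 'a.b.c.d:mask' or 'not a.b.c.d:mask'."""
    negate = spec.startswith("not ")
    spec = spec[4:] if negate else spec
    net = None if spec == "any" else ipaddress.ip_network(spec.replace(":", "/"), strict=False)
    return net, negate

def term_matches(t, ip):
    net, negate = t
    hit = True if net is None else ip in net
    return (not hit) if negate else hit

def diverted(rule, src, dst):
    """Would 'divert natd all from SRC to DST via ext' catch this packet on EXT?"""
    src_spec, dst_spec = rule
    return term_matches(term(src_spec), src) and term_matches(term(dst_spec), dst)

# Packets as natd sees them on EXT: LAN traffic before translation on the way out,
# replies addressed to the firewall's EXT address before reverse translation on the way in.
PACKETS = {
    "lan_out":  (ipaddress.ip_address("192.168.1.10"), INTERNET_HOST),  # must be diverted
    "lan_back": (INTERNET_HOST, FW_EXT),                                # must be diverted
    "dmz_out":  (ipaddress.ip_address("203.0.113.50"), INTERNET_HOST),  # must NOT be diverted
    "dmz_in":   (INTERNET_HOST, ipaddress.ip_address("203.0.113.50")),  # must NOT be diverted
}
WANTED = {"lan_out": True, "lan_back": True, "dmz_out": False, "dmz_in": False}

def evaluate(rule):
    return {name: diverted(rule, s, d) for name, (s, d) in PACKETS.items()}

def mistakes(rule):
    """Packet names the rule handles differently from WANTED."""
    return sorted(n for n, v in evaluate(rule).items() if v != WANTED[n])

RULE_SLOW = ("not 203.0.113.48:255.255.255.240", "any")            # Robin's first try
RULE_BROKEN = ("192.168.1.0:255.255.255.0", "any")                  # Robin's second try
RULE_FIXED = ("not 203.0.113.48:255.255.255.240",
              "not 203.0.113.48:255.255.255.240")                   # Keck's suggestion

if __name__ == "__main__":
    for name, rule in [("slow", RULE_SLOW), ("broken", RULE_BROKEN), ("fixed", RULE_FIXED)]:
        print(name, evaluate(rule), "wrong:", mistakes(rule))
```

The first rule wrongly diverts Internet-to-DMZ packets (the slow connections), the second misses the replies coming back to the firewall's EXT address, and the double "not" rule gets all four cases right.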
