Re: IPNAT + IPFILTER + DUMMYNET + FreeBSD 4.7prerelease

From: billy (billy@isilon.com)
Date: 09/25/02 

Date: Wed, 25 Sep 2002 13:43:23 -0700 (PDT)
From: billy <billy@isilon.com>
To: Juraj Petrik <juro@software602.sk>

On Wed, 25 Sep 2002, Juraj Petrik wrote:

> hello,
> can you help me, please,
>
> I'm trying to run firewall with using
> IPFilter, IPNAT and Dummynet, on FreeBSD
>
> I'm readed so much HOWTOs but, I can't do
> redirection to another server in internal
> network:
> rl0 - WAN (194.x.x.0/24) 194.x.x.22 if FreeBSD box
> rl1 - LAN (192.168.1.0/24) 192.168.1.22 if FreeBSD box
> rl2 - DMZ (10.0.0.0/24) 10.0.0.22 if FreeBSD box
>
> my server is now on LAN, not on DMZ.
>
> I'm using FreeBSD 4.7 prerelease from CVS.
>
> In kernel config have added:
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=30
> options IPFIREWALL_FORWARD
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
> options DUMMYNET
>
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK
> options RANDOM_IP_ID
>
> in /etc/rc.conf have:
> tcp_extensions="YES"
> gateway_enable="YES"
> portmap_enable="NO"
>
> #firewall_enable="YES"
> #firewall_type="/etc/dummynet.conf"
> #firewall_logging="NO"
>
> ipfilter_enable="YES"
> ipfilter_flags=""
> ipfilter_rules="/etc/ipf.conf"
>
> ipnat_enable="YES"
> ipnat_flags=""
> ipnat_rules="/etc/ipnat.conf"
>
> ipmon_enable="YES"
> ipmon_flags="-Dns -l block"
>
> in /etc/ipf.conf:
> pass in log all
> pass out log all
>
> in /etc/ipnat.conf:
> map rl0 192.168.1.0/24 -> 194.x.x.22/32
> map rl0 0/0 -> 194.x.x.22/32 proxy port ftp ftp/tcp
>
> map rl0 192.168.1.0/24 -> 194.x.x.22/32 portmap tcp/udp 12500:60000
> map rl0 192.168.1.0/24 -> 194.x.x.22/32
>
> rdr rl0 194.x.x.22/32 port 80 -> 192.168.1.35 port 80
> rdr rl0 194.x.x.22/32 port 22 -> 192.168.1.35 port 22
>
> NAT from LAN to internet works OK,
> but from Internet I can't redirct connect to server
> on LAN (192.168.1.35)
>
> Please help me ANYBODY!!!!
> -jp-
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages

  • RE: Firewall Rule Set not allowing access to DNS servers?
    ... > My LAN is configured with static IP addresses, ... > I have full connectivity with the internet from every machine on my ... > # Allow out access to my ISP's Domain name server. ... > # Interrogate packets originating from the public internet ...
    (freebsd-questions)
  • RE: pppNAT woes =(
    ... You say that in current configuration you can get on internet from ... performing NAT function for you. ... FreeBSD box unless you want to run one of the 3 FreeBSD firewalls to ... How LAN is cabled is too large of subject to ...
    (freebsd-questions)
  • Re: MSSQL Server Gateway
    ... I personaly don't think it's possible to do this with ISA and/or Proxy ... Server but I was told otherwise and just try to figure out if I'm wrong ... - Client in private LAN wants data from SQL Server DB in secure private ... to the other LAN Segment but have a "nat relationship" to the Internet ...
    (microsoft.public.isa)
  • New user questions :)
    ... For the last year or so I have been using SME server (an optimised Linux ... HTTP/Samba - all configurable from a Web browser on the LAN) ... In the meantime I decided to try FreeBSD and am dual booting into ...
    (freebsd-questions)
  • ISA configuration
    ... configured with a Proxy configuration pointing to your ... Server on port 8080. ... all destinations for the Backoffice Internet Users group. ... pointing to the primary LAN address by opening your FW ...
    (microsoft.public.windows.server.sbs)