
List:       ipfilter
Subject:    Re: Please help me! problem with ipnat
From:       Steve Shorter <steve () nomad ! tor ! lets ! net>
Date:       2002-10-31 18:07:27

On Thu, Oct 31, 2002 at 11:56:34AM -0500, nwhitehouse  wrote:
> Here is my problem.
> I have set up a FreeBSD 4.7 box with IPFILTER and IPNAT which I plan to use as a corp. firewall for my company. In my test environment I have a Win2k server behind the BSD firewall with the main IP of 192.168.0.2 and also bound 192.168.0.93 & 94 as well. In IIS I have 2 webs running, one on each IP.
> Now my firewall has 2 NICs, external 208.63.55.77 with 208.63.55.93 and 208.63.55.94 aliased to it. Then I have the internal NIC 192.168.0.1.
> My IPFILTER rules are as follows.
> 
> pass out quick on fxp0 proto tcp from any to any keep state
> pass out quick on fxp0 proto udp from any to any keep state
> pass out quick on fxp0 proto icmp from any to any keep state

	Unless you want to indiscriminately allow all icmp into
your network (I wouldn't), keep state will allow for proper
icmp "IP administration/maintenance type stuff" for already
established connections.

> pass in quick on fxp0 proto tcp/udp from any to 208.63.55.77/32 port = 53 keep state
> pass in quick on fxp0 proto tcp from any to 208.63.55.93/32 port = 80 keep state
> pass in quick on fxp0 proto tcp from any to 208.63.55.94/32 port = 80 keep state

	Packets traverse ipfilter rules after they have been rewritten
by ipnat. So these rules should reference 192.186.0.93 or whatever.

> block return-rst in log quick on fxp0 proto tcp from any to any
> block return-icmp-as-dest(port-unr) in log quick on fxp0 proto udp from any to any
> pass out quick on xl0 proto tcp from any to any keep state
> pass out quick on xl0 proto udp from any to any keep state
> pass out quick on xl0 proto icmp from any to any keep state
> pass in quick on xl0 proto tcp from any to any keep state
> pass in quick on xl0 proto udp from any to any keep state
> pass in quick on xl0 proto icmp from any to any keep state

	You probably don't need to keep state going in and out
on all connections.

> 
> My ipnat rules
> 
> map fxp0 192.168.0.0/20 -> 0/32
> bimap fxp0 208.63.55.93/32 -> 192.168.0.93/32
> bimap fxp0 208.63.55.94/32 -> 192.168.0.94/32
> 

	I use 

rdr fxp0 208.63.55.93/32 port http -> 192.168.0.93/32 port http


	-steve
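An added illustration (not part of the thread) of the ordering point made in the reply above: a toy Python model in which ipnat's rdr rewrite is applied to an inbound packet before the ipf pass rules are matched, so inbound rules written against the external address never see a matching packet. The Packet class, rule tuples and helper names are constructed for this example and are not real ipf/ipnat syntax.

```python
"""Toy model of IPFilter's inbound processing order on FreeBSD:
ipnat rewrites the inbound packet first, then ipf rules are matched
against the rewritten packet. Simplified stand-ins, not a real parser."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dst: str
    dport: int


# Constructed rdr rules, same shape as the one in the reply:
# rdr fxp0 208.63.55.93/32 port http -> 192.168.0.93/32 port http
RDR_RULES = [
    ("fxp0", "208.63.55.93", 80, "192.168.0.93", 80),
    ("fxp0", "208.63.55.94", 80, "192.168.0.94", 80),
]


def ipnat_inbound(pkt):
    """Apply the first matching rdr rule and return the rewritten packet."""
    for iface, ext, eport, internal, iport in RDR_RULES:
        if pkt.iface == iface and pkt.dst == ext and pkt.dport == eport:
            return replace(pkt, dst=internal, dport=iport)
    return pkt  # no rdr matched: destination left untouched


def ipf_inbound(pkt, pass_rules):
    """Model 'pass in quick ... proto P from any to DST port = PORT'.
    Returns True if any pass rule matches; otherwise the poster's
    'block ... in log quick' catch-all would drop the packet."""
    return any(pkt.proto == proto and pkt.dst == dst and pkt.dport == port
               for proto, dst, port in pass_rules)


def inbound_allowed(pkt, pass_rules):
    """The real order for inbound traffic: NAT first, then the filter."""
    return ipf_inbound(ipnat_inbound(pkt), pass_rules)


# Rules as in the original post: reference the external (pre-NAT) address.
RULES_EXTERNAL = [("tcp", "208.63.55.93", 80), ("tcp", "208.63.55.94", 80)]
# Rules as the reply suggests: reference the internal (post-NAT) address.
RULES_INTERNAL = [("tcp", "192.168.0.93", 80), ("tcp", "192.168.0.94", 80)]

if __name__ == "__main__":
    web = Packet("fxp0", "tcp", "208.63.55.93", 80)
    print("external-address rules pass it:", inbound_allowed(web, RULES_EXTERNAL))
    print("internal-address rules pass it:", inbound_allowed(web, RULES_INTERNAL))
```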

