IPFW a kernet NAT

Petr Valenta xvalen at gmail.com
Thu Aug 9 10:43:16 CEST 2012

Previous message: tipy na server
Next message: IPFW a kernet NAT
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Zdravim,

uz nejaky ten tyden si hraju s IPFW a in-kernel NATem. Premyslim, jak
elegantne vyresit NAT do DMZ, kdy je problem s ICMP a UDP, protoze jsou
nestavove.
Pravidlo 10100 mi povoli SYN pakety jdouci z DMZ (a dale budou
pokracovat do internetu). Neco podobneho bych potreboval s ICMP a UDP a
to predtim, nez paket dorazi na pravidlo 10200, ktere ho zahodi, pokud
se nejedna o odpoved na pozadavky prichazejici z $lan_if (v NAT tabulce).

Problem je v tom, ze pravidla pred 10200 musi byt natolik chytra, aby
nepasovala na odpovedi do $lan_if. Takove demonstracni chybne pravidlo
je 10100, diky kteremu se mi nevrati pingy puvodne z $lan_if do $dmz_if,
kdyz do $lan_if poustim pouze pakety tagged 2.

Existuje na to vubec nejake elegantni reseni pro IPFW, krome presne
specifikace pravidel typu udp jdouci na port 53, atd atd...?

Diky

Petr



# DEMILITARIZOVANA ZONA  (em0)
#
# NAT
$fwcmd nat 2 config ip $public_ip deny_in same_ports

# IN na DMZ_IF
$fwcmd add 10000 count all from any to any in recv $dmz_if
$fwcmd add 10100 allow all from any to any in recv $dmz_if setup


$fwcmd add 10100 allow icmp from any to any in recv $dmz_if
                // povoluje ICMP
$fwcmd add 10200 nat 2 log tag 2 all from any to any in recv $dmz_if
                // taguje pakety prochazejici NATem na dmz_if

Previous message: tipy na server
Next message: IPFW a kernet NAT
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Users-l mailing list