The FreeBSD Diary
FreeBSD Support
 Firewall using real ips
Author: Kyp 
Date:   20-10-00 23:53

Hi guys,
I'd like to set up a firewall using REAL ips in the internal network.
ie: I want to run servers on the inside, such as 2 apache servers, etc, where they are still reachable via external ip. How can I set this up?

 RE: Firewall using real ips
Author: Dan Langille 
Date:   21-10-00 00:21

Well, AFAIK, the same as if you weren't using real IPs. What seems to be the issue?

 RE: Firewall using real ips
Author: Tass 
Date:   22-10-00 08:36

Did you mean that you want 2 machines on a private network to be accessible by REAL IPs from the public world? Or you want 2 REAL world IP boxes to be behind a firewall but still accessible?

The approach would be the same (almost) for both, but you will need to let us know which of the two you mean...

 Little more indepth here... thankees
Author: Kyp 
Date:   23-10-00 18:45

I want 2 real world IP boxes to be behind a firewall and still accessible.

My main problem is that there seems to be little documentation on this. The firewall is on DEFAULT_TO_ACCEPT (hence it's currently for logging purposes only), but I want to be able to run the apache servers behind it. Whenever I try to specify real ips I get the well known 'I'm getting a request from xxx.xxx.xxx.xxx on this ethernet, but I see it on THIS ethernet'... :o/
Thanks for helping.

 RE: Little more indepth here... thankees
Author: Dan Larsson 
Date:   24-10-00 18:10

This should be enough:

/sbin/ipfw -q add 1000 pass tcp from any to www.mywebserver.org 80 setup
/sbin/ipfw -q add 1010 pass tcp from www.mywebserver.org 80 to any
/sbin/ipfw -q add 1020 pass tcp from any to www.mywebserver.org 80

Or am I missing something here?

 RE: Little more indepth here... thankees
Author: Tass 
Date:   24-10-00 18:50

Are you using IPFW or IPFILTER?

If you are using IPFILTER then I can give you a bunch of help since I do this at home and work ..

 Hrmm
Author: Kyp 
Date:   24-10-00 19:01

I haven't played with IP filter yet... is it worth switching to?

 I will start over and try that.
Author: Kyp 
Date:   24-10-00 19:03

I had something similar, but it may just be syntax. ipfw is picky about that sort of thing. Thank you. :o)

 RE: Hrmm
Author: Tass 
Date:   24-10-00 19:09

I would highly advise it. It is faster and more robust than IPFW (I know the new version is in the works Will (: ).

It has a lot of pages with help for it, and it works very well. The NAT component even allows you to do VPN from within your network to another one, something NATD has trouble with.

Check out:
http://coombs.anu.edu.au/~avalon
http://www.obfuscation.org/ipf
http://false.net/ipfilter/

That should give you a ton of help, plus you can email me (:

 :oD
Author: Kyp 
Date:   24-10-00 19:13

Thank you! I will look into this.
A new project ;o)

 Success! Details inside
Author: Kyp 
Date:   24-10-00 21:20

Everything that I did before posting was correct...
Everything you guys suggested was, again, correct.
It still didn't work.
Reason?

1) Specify in the kernel:
options BRIDGE #Adds Ethernet Bridge Support
2) Configure the routing:
sysctl -w net.link.ether.bridge=1
sysctl -w net.link.ether.bridge_ipfw=1

How easy is that?
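
The two halves of the thread, Dan Larsson's ipfw rules and Kyp's BRIDGE kernel option plus bridge sysctls, combined into one script as an added example; this is not code from the thread or from the FreeBSD project. The interface names fxp0/fxp1, the 192.0.2.x server addresses (documentation range), the DRY_RUN switch and the function names are assumptions chosen for illustration. The sysctl names and rule syntax are those of FreeBSD 4.x-era bridge(4) and ipfw(8); net.link.ether.bridge_cfg, which names the interfaces that form the bridge, is not mentioned in the thread and is assumed to be needed on a box with more than two NICs.

```shell
#!/bin/sh
# Added example, not from the thread: a bridging ipfw firewall in front of two
# Apache hosts that keep their real, routable addresses. Interfaces, addresses
# and function names below are hypothetical; substitute your own. The kernel
# must already contain 'options BRIDGE'. Defaults to printing the commands;
# run as root with DRY_RUN=0 to apply them.

DRY_RUN=${DRY_RUN:-1}
OUTSIDE=${OUTSIDE:-fxp0}     # NIC towards the upstream router (assumed name)
INSIDE=${INSIDE:-fxp1}       # NIC towards the server segment (assumed name)
WEB1=${WEB1:-192.0.2.10}     # first Apache host (assumed address)
WEB2=${WEB2:-192.0.2.11}     # second Apache host (assumed address)

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only a dotted quad so a stray hostname cannot end up in a rule.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Kyp's step 2: join the two NICs into one bridge, enable it, and hand every
# bridged IP packet to ipfw. Non-IP frames (ARP) are bridged unfiltered.
enable_bridge() {
    run sysctl -w net.link.ether.bridge_cfg="$OUTSIDE:0,$INSIDE:0"
    run sysctl -w net.link.ether.bridge=1
    run sysctl -w net.link.ether.bridge_ipfw=1
}

# Stateless ruleset in the style of Dan Larsson's post. 'setup' matches only
# the initial SYN, so it admits new connections in one direction; 'established'
# (ACK or RST set) then carries the rest of every admitted connection.
load_rules() {
    run ipfw -q -f flush
    # Traffic of the firewall host itself on loopback is never bridged.
    run ipfw -q add 100 pass all from any to any via lo0
    # New inbound HTTP connections to each server.
    run ipfw -q add 1000 pass tcp from any to "$WEB1" 80 setup
    run ipfw -q add 1010 pass tcp from any to "$WEB2" 80 setup
    # Servers may open their own TCP connections (package fetches); tighten
    # to specific destinations if they have no need to. UDP (DNS) is not
    # handled here, because a stateless 'from any 53' rule would be a hole.
    run ipfw -q add 1100 pass tcp from "$WEB1" to any setup
    run ipfw -q add 1110 pass tcp from "$WEB2" to any setup
    # Packets belonging to connections admitted above, both directions.
    run ipfw -q add 2000 pass tcp from any to any established
    # Echo, unreachable (path MTU discovery) and time-exceeded.
    run ipfw -q add 2100 pass icmp from any to any icmptypes 0,3,8,11
    # Log and drop everything else; rule 65535 would deny it anyway.
    run ipfw -q add 65000 deny log all from any to any
}

main() {
    is_ipv4 "$WEB1" && is_ipv4 "$WEB2" || {
        echo "server address must be a dotted quad" >&2
        return 1
    }
    enable_bridge
    load_rules
}

main
```

Two points worth noting against the earlier posts. A rule such as `pass tcp from any to host 80` without `setup` admits any TCP segment to port 80 regardless of flags; the `setup`/`established` pair gives the same reachability while accepting new connections only in the intended direction. And on a bridge, ipfw is handed each bridged IP packet on the input path, so `in`/`out` qualifiers from a routing firewall's ruleset do not carry over unchanged. On current FreeBSD the same effect is achieved with if_bridge(4) (`ifconfig bridge0 create` and `addm`) and `net.link.bridge.ipfw=1`.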
