Author: Kyp
Date: 20-10-00 23:53
Hi guys,
I'd like to set up a firewall using REAL IPs in the internal network.
i.e.: I want to run servers on the inside, such as 2 apache servers, etc., where they are still reachable via external IP. How can I set this up?
Author: Dan Langille
Date: 21-10-00 00:21
Well, AFAIK, the same as if you weren't using real IPs. What seems to be the issue?
Author: Tass
Date: 22-10-00 08:36
Did you mean that you want 2 machines on a private network to be accessible by REAL IPs from the public world? Or you want 2 REAL world IP boxes to be behind a firewall but still accessible?
The approach would be the same (almost) for both, but you will need to let us know which of the two you mean...
Author: Kyp
Date: 23-10-00 18:45
I want 2 real world IP boxes to be behind a firewall and still accessible.
My main problem is that there seems to be little documentation on this. The firewall is on DEFAULT_TO_ACCEPT (hence it's currently for logging purposes only), but I want to be able to run the apache servers behind it. Whenever I try to specify real IPs I get the well known 'I'm getting a request from xxx.xxx.xxx.xxx on this ethernet, but I see it on THIS ethernet'... :o/
Thanks for helping.
Author: Dan Larsson
Date: 24-10-00 18:10
This should be enough:
/sbin/ipfw -q add 1000 pass tcp from any to www.mywebserver.org 80 setup
/sbin/ipfw -q add 1010 pass tcp from www.mywebserver.org 80 to any
/sbin/ipfw -q add 1020 pass tcp from any to www.mywebserver.org 80
Or am I missing something here?
Author: Tass
Date: 24-10-00 18:50
Are you using IPF or IPFILTER?
If you are using IPFILTER then I can give you a bunch of help since I do this at home and work ..
Author: Kyp
Date: 24-10-00 19:03
I had something similar, but it may just be syntax. ipfw is picky about that sort of thing. Thank you. :o)
Author: Tass
Date: 24-10-00 19:09
I would highly advise it. It is faster and more robust than IPFW (I know the new version is in the works Will (: ).
It has a lot of pages with help for it, and it works very well. The NAT component even allows you to do VPN from within your network to another one, something NATD has trouble with.
Check out:
http://coombs.anu.edu.au/~avalon
http://www.obfuscation.org/ipf
http://false.net/ipfilter/
That should give you a ton of help, plus you can email me (:
Author: Kyp
Date: 24-10-00 21:20
Everything that I did before posting was correct...
Everything you guys suggested was, again, correct.
It still didn't work.
Reason?
1) Specify in the kernel:
options BRIDGE #Adds Ethernet Bridge Support
2) Configure the routing:
sysctl -w net.link.ether.bridge=1
sysctl -w net.link.ether.bridge_ipfw=1
How easy is that?
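Putting the thread's pieces together as an added example (not code from any poster): a bridge-mode ipfw script that sets the two sysctls Kyp found and replaces DEFAULT_TO_ACCEPT with a default-deny ruleset that only admits HTTP to the two servers. The server addresses, the script name, the IPFW/SYSCTL paths and the DRY_RUN preview are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a bridging ipfw firewall in
# front of two web servers that keep their public IPs.  Assumes the
# FreeBSD 4.x-era bridge sysctls named in the thread and a kernel built
# with 'options BRIDGE'; the server addresses are constructed placeholders.
WEB1="192.0.2.10"              # constructed (TEST-NET-1) address
WEB2="192.0.2.11"              # constructed (TEST-NET-1) address
IPFW="${IPFW:-/sbin/ipfw}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"

# With DRY_RUN set, print each command instead of executing it so the
# ruleset can be reviewed before it is loaded on the bridge.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

enable_bridge() {
    # Turn the box into a bridge and hand bridged IP frames to ipfw;
    # without bridge_ipfw=1 the rules never see the servers' traffic.
    run "$SYSCTL" -w net.link.ether.bridge=1
    run "$SYSCTL" -w net.link.ether.bridge_ipfw=1
}

load_rules() {
    n=1000
    run "$IPFW" -q -f flush
    # Replies and ongoing TCP sessions in either direction.
    run "$IPFW" -q add 100 pass tcp from any to any established
    # New connections are accepted only to port 80 on the two servers.
    for srv in "$WEB1" "$WEB2"; do
        run "$IPFW" -q add "$n" pass tcp from any to "$srv" 80 setup
        n=$((n + 10))
    done
    # ICMP errors so path MTU discovery and unreachables still work.
    run "$IPFW" -q add 2000 pass icmp from any to any icmptypes 3,4,11
    # Anything the servers originate themselves (DNS, NTP) needs its own
    # pass rules here; everything else is logged and dropped.
    run "$IPFW" -q add 65000 deny log ip from any to any
}

# Usage: DRY_RUN=1 sh bridge-fw.sh apply  (preview), then without DRY_RUN.
if [ "$1" = "apply" ]; then
    enable_bridge
    load_rules
fi
```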