OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Nickolay A. Kritsky (nkritskyinternethelp.ru)
Date: Wed Apr 03 2002 - 10:53:53 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hello Asenchi,

    Wednesday, April 03, 2002, 8:16:31 PM, you wrote:

    A> hello,

    A> i am somewhat new at fbsd, and i am setting up a firewall for a network. I
    A> have a question about configuring three nics to handle dmz stuff along with
    A> the internal network.

    A> here is my setup:

    INTERNET ->> [oif=vr0 1.1.1.1] -> [iif1=xl0 10.10.0/24] -> NETWORK
    A> |
    A> [iif2=rl0 10.10.1/24] -> DMZ (Webserver/Email/FTP)

    A> Here is how my configuration is setup:

    A> I have IPFW built into the kernel. Right now I have built my own
    A> rc.firewall file and am using that. I also have natd running and enabled in
    A> rc.conf.

    A> I guess I don't know what else you would need, if you want me to send along
    A> my configurations I can do that.

    A> Here is my question. How do I redirect incoming packets that want to go to
    A> my website to my DMZ side of the network? I have read about -redirect_port
    A> | -redirect_address but really don't understand how that will filter the
    A> traffic. I need to read a little more but thought maybe somebody on this
    A> could give me some direction.

    maybe an example will help you.
    if you add following line to your natd.conf file:
    redirect_port tcp 10.0.1.1:25 1.1.1.1:25

    then all tcp traffic coming to your box, port 25 from internet will be
    forwarded to machine 10.0.1.1 port 25 (in DMZ network).

    A> I guess I should simplify the question. How do i route traffic that is
    A> trying to reach my website? How do I specify the correct traffic? Can I
    A> use a host name instead of an ip address in natd configurations?

    yes, you can use host names and port names along with numeric
    equivalents, like
    mail.domain.com:25
    mail.domain.com:smtp
    1.2.3.4:smtp
    1.2.3.4:25

    A> Sorry if this is too much, I hope I have layed out my question so that you
    A> can help me. Please respond to the group with any direction you could give
    A> me.

    A> Thank you,

    A> ASENCHI

    ;-------------------------------------------
    ; NKritsky
    ; mailto:nkritskyinternethelp.ru

    To Unsubscribe: send mail to majordomoFreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message