SEO
vBulletin Search Engine Optimization
| |||||||
| Register | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
02-16-2008, 06:23 AM
| ||||
| ||||
 Newbie NAT Q I must be doing something wrong, but I can't figure out what..... I am trying to bring up a simple firewall, one that does NAT, and a bit of port forwarding. Here's my rules: inet_if="ep2" lan_if="ep1" lan_net="192.168.128.0/8" inet_net="0.0.0.0/32" forward_services = "{ smtp, http, imap, vtun, rsync }" local_services = "{ ssh }" server=tooth.seiner.lan scrub in all nat pass on $inet_if from $lan_if:network to any -> ($inet_if) rdr on $inet_if proto tcp from any to any port smtp -> $server rdr on $inet_if proto tcp from any to any port http -> $server rdr on $inet_if proto tcp from any to any port imap -> $server rdr on $inet_if proto tcp from any to any port vtun -> $server rdr on $inet_if proto tcp from any to any port rsync -> $server pass in on $inet_if inet proto tcp from any to $inet_if \ port $forward_services flags S/SA synproxy state pass in on $inet_if inet proto tcp from any to $inet_if \ port $local_services flags S/SA synproxy state pass on lo0 all pass on $lan_if from $lan_if:network to any block in on $inet_if all pass out on $inet_if from any to any keep state pass out on $lan_if from any to any keep state I have net.inet.ip.forwarding=1 #net.inet6.ip6.forwarding=1 set in syscntl.conf. But it seems like I'm missing something since NAT appears to be failing. From an internal machine, I can ping both interfaces on the firewall. From the firewall, I can ping both internal machines and anywhere on the internet. From an internal machine, I cannot reach the web. Name resolution works on the firewall, not on the internal machines, but the firewall can only reach external DNS, not my internal DNS. I've read the FAQ, but either I'm missing something or my machine is posessed. ;-) Is the something else I need to turn on to allow NAT/firewall/etc? In the above scenario, tooth is the main server. It provdes web, DNS, DHCP, etc. to the whole network. It will also provide web, VPN, rsync, imap and smtp from the web. ssh connections will be handled by the firewall. There should be unrestricted traffic between any workstation to the internet. Just to test my theory that I'm not as dumb as a rock, I edited the FAQ example1 firewall script to include my correct interface names, and got exactly the same result - I can ping the world from the firewall, but no traffice flows if it has to be NATed. Any suggestions, ideas, jeers? :-)      |
Linear Mode
