-----Forwarded Message-----
From: G. Roderick Singleton <[EMAIL PROTECTED]>
To: Jim Sandoz <[EMAIL PROTECTED]>
Subject: Re: multiple external ips on external interface
Date: Thu, 14 Oct 2004 13:43:27 -0400

On Thu, 2004-10-14 at 10:04, Jim Sandoz wrote:
> jeet,
>
> ipfilter consists of two subsystems, "ipf" and "ipnat".
>
> ipf's task is to filter packets by using criteria which you define in /etc/opt/ipf/ipf.conf.
>
> ipnat's task is to rewrite packets using criteria which you define in /etc/opt/ipf/ipnat.conf
>
> you can use ipf and ipnat individually (by leaving the config file nulled you effectively disable that function), or you can use them in tandem. most folks use both. there are some interactions between the two which i will note in a moment.
>
> you will be interested in using ipnat to rewrite the IP addresses of specific packets coming into your external interface. this will cause some packets to be routed by your sparc into the private address space behind it.
>
> keep in mind that you need kernel routing enabled to do this. if your sparc has two interfaces configured at boot time it should do this automatically; otherwise you can force it to do kernel routing via
>
>     # /usr/sbin/ndd -set /dev/ip ip_forwarding 1
>
> but the direct answer to your question is "no", you don't configure any additional IP addresses on your external interface. however, you do need to add some rules to ipnat's config file to rewrite specific address/port pairs; one such example would be
>
>     rdr qfe0 10.10.10.1/32 port 80 -> 172.16.1.2 port 8080 tcp
>
> this says "any packets arriving on interface qfe0 with the destination of 10.10.10.1:80 should be rewritten to have a destination address of 172.16.1.2:8080, then given to ipf for filtering, and if not blocked by ipf subsequently passed to the kernel for routing"
>
> substitute your "external" interface (hme1?) for the qfe0 above.
>
> the above statement implies that ipf is configured to accept (i.e. "pass") packets that have a destination address of 172.16.1.2:8080 -- this little tidbit causes trouble for everyone. keep this in mind when writing ipf rules; ipf has to deal with packets AFTER ipnat has rewritten them.
>
> you may be asking, "what happens to the reply packet coming back out of the network from 172.16.1.2:8080"? well, ipnat keeps a table of its translations, just like ipf keeps a table of its states. hence, on the return journey, ipnat rewrites the IP address back to the original. as far as the remote machine is concerned, it is talking to your sparc and has no knowledge that your sparc is actually frontending the real physical webserver.
>
> you will want to read
> http://www.phildev.net/ipf/
> and
> http://www.obfuscation.org/ipf/
>
> also see
> http://marc.theaimsgroup.com/?l=ipfilter&m=105119861622589&w=2
> and
> http://marc.theaimsgroup.com/?l=ipfilter&m=99608074705794&w=2
> and
> http://marc.theaimsgroup.com/?l=ipfilter&m=101191495100723&w=2
>
> jim

In addition to what Jim recommends, I found http://www.pathtech.org/ip_fil_nat.html very useful when dealing with Solaris. It is old and it is not mine.

> Jeet wrote:
> > Hi Everyone,
> > I have started using ipfilters on solaris 9 sparc Ultra 10.
> >
> > However I have a small newbie question the external interface is
> >
> > e.g 10.10.10.1 internal 172.16.1.1
> >
> > In order to set up something like this
> >
> > 10.10.10.2:80 - 172.16.1.2:8080
> > 10.10.10.3:80 - 172.16.1.3:8080
> >
> > Do I have to configure the external interfaces with the external ip's or there is some way to get it working without that.
> >
> > Thanks a lot.
> > -Jeet

-- 
G. Roderick Singleton <[EMAIL PROTECTED]>
PATH tech
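Jim's warning that ipf only ever sees packets after ipnat has rewritten them is the part that trips people up, so here is an added model of that ordering (not code from the thread or from ipfilter): it parses rdr lines in the syntax Jim quoted, applies them to a constructed packet for Jeet's two-host layout, then walks a simplified ipf rule list against the rewritten packet. The interface name hme1, the packet and rule contents, and ipf's last-match-wins / default-pass behaviour in the model are assumptions made for the example.

```python
import ipaddress
import re

# rdr syntax as quoted in the thread: rdr <if> <net>/<len> port <p> -> <ip> port <p> <proto>
RDR_RE = re.compile(
    r"rdr\s+(\S+)\s+([\d.]+/\d+)\s+port\s+(\d+)\s+->\s+([\d.]+)\s+port\s+(\d+)\s+(\w+)$")

def parse_rdr(line):
    """Parse one rdr line (only the single-line form used in the thread)."""
    m = RDR_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rdr rule: %r" % line)
    iface, net, port, ndst, nport, proto = m.groups()
    return {"iface": iface, "net": ipaddress.ip_network(net), "port": int(port),
            "ndst": ndst, "nport": int(nport), "proto": proto}

def ipnat_rewrite(pkt, rdr_rules):
    """Inbound ipnat step: the first matching rdr rule rewrites dst and dport."""
    for r in rdr_rules:
        if (pkt["iface"] == r["iface"] and pkt["proto"] == r["proto"]
                and ipaddress.ip_address(pkt["dst"]) in r["net"]
                and pkt["dport"] == r["port"]):
            return dict(pkt, dst=r["ndst"], dport=r["nport"])
    return pkt                      # no rdr match: packet is untouched

def ipf_decision(pkt, ipf_rules):
    """Simplified ipf 'in' walk: last matching rule wins, 'quick' stops the walk.
    Rules are (action, quick, dst_or_None, dport_or_None); None means any."""
    decision = "pass"               # assumed default when nothing matches
    for action, quick, dst, dport in ipf_rules:
        if (dst is None or dst == pkt["dst"]) and (dport is None or dport == pkt["dport"]):
            decision = action
            if quick:
                break
    return decision

def inbound(pkt, rdr_rules, ipf_rules):
    """Order the kernel uses: ipnat rewrites first, ipf then sees the rewritten packet."""
    rewritten = ipnat_rewrite(pkt, rdr_rules)
    return rewritten, ipf_decision(rewritten, ipf_rules)

# Constructed rules for Jeet's layout (hme1 as the external interface is assumed).
RDR_RULES = [parse_rdr("rdr hme1 10.10.10.2/32 port 80 -> 172.16.1.2 port 8080 tcp"),
             parse_rdr("rdr hme1 10.10.10.3/32 port 80 -> 172.16.1.3 port 8080 tcp")]
# Constructed sample packet: an outside client's request to the first public address.
WEB_REQUEST = {"iface": "hme1", "proto": "tcp", "dst": "10.10.10.2", "dport": 80}
# The common mistake: the pass rule names the PRE-translation address, so ipf blocks.
WRONG_IPF = [("block", False, None, None), ("pass", True, "10.10.10.2", 80)]
# The fix: the pass rule names what ipf actually sees after ipnat.
RIGHT_IPF = [("block", False, None, None), ("pass", True, "172.16.1.2", 8080)]
```

Running `inbound(WEB_REQUEST, RDR_RULES, WRONG_IPF)` returns the rewritten packet with `"block"`, while `RIGHT_IPF` returns `"pass"`; a packet that matches no rdr rule reaches ipf unchanged.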
