Hello, everyone... I am new to m0n0wall - I wrote an IPTables firewall from scratch once, though, so this is not entirely uncharted territory for me. Congratulations to the developers - this is wonderful software. I have two questions...

1) IP alias addresses.

My ISP assigns me a small block of static addresses that must all be on the WAN interface of my firewall. I read the mailing list archives, and found out that I could use the exec.php page of the GUI to give me a command line. From there I used ifconfig to bring up the aliases on that interface. Then I entered them in the 1:1 NAT section, mapping them to DMZ addresses. I haven't tested yet to see if anything actually works. However, I was surprised to find on a restart that those IP alias addresses were still up (as reported by ifconfig)! I didn't have to re-enter them using the exec.php page. Why is this? Did listing them in the 1:1 NAT section take care of bringing them up when the system boots?

2) A rule question for 1:1 NAT...

Let's say I have a firewall with two interfaces:

WAN 20.20.20.1 - also has an IP alias 20.20.20.2
DMZ iface 192.68.0.1/24 --> on this DMZ net segment is a host -> 192.168.0.59

and I do 1:1 NAT mapping 20.20.20.2 -> 192.168.0.50

To allow http (port 80) traffic ONLY to 192.168.0.50, I need to write two rules, right?

First rule - allows port 80 to enter the firewall WAN address (ipfilter syntax, sort of):

pass in quick on WAN proto TCP from any port = any to 20.20.20.2 port = 80 keep state

Second rule - allows the NATted traffic to enter the DMZ address:

pass in quick on DMZ proto TCP from 20.20.20.2 port = any to 192.168.0.50 port = 80 keep state

Does this look right?

Thanks!

Paul Phillips
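The setup described in the post, written out as an added ipnat/ipf example; this is not code from the original post nor the rules m0n0wall itself generates. The interface names xl0 (WAN) and xl1 (DMZ) are assumptions, as is the choice of 192.168.0.50 as the only host that should be reachable. The point worth checking against the post's two rules: IPFilter translates inbound packets with ipnat before ipf filters them (and filters outbound packets before translating them), so the WAN filter rule has to match the translated DMZ destination, not the public alias, and the second rule is an out rule on the DMZ interface rather than an in rule.

```conf
# Added example (not from the original post or m0n0wall's generated rules).
# Assumptions: xl0 is the WAN interface, xl1 the DMZ interface, and only
# 192.168.0.50 should be reachable, on TCP/80 only.

# --- /etc/ipnat.rules: 1:1 (bidirectional) NAT for the alias ----------------
# The alias address itself is brought up on the interface beforehand with:
#   ifconfig xl0 inet 20.20.20.2 netmask 255.255.255.255 alias
bimap xl0 192.168.0.50/32 -> 20.20.20.2/32

# --- /etc/ipf.rules: filter rules -------------------------------------------
# Inbound packets are rewritten by ipnat before ipf sees them, so the WAN
# rule matches the DMZ address, not the public alias 20.20.20.2.
pass in quick on xl0 proto tcp from any to 192.168.0.50 port = 80 flags S keep state
# Anything else aimed at the mapped host (other ports, other protocols) is
# dropped on the WAN side; "quick" makes the pass rule above win first.
block in quick on xl0 from any to 192.168.0.50

# Outbound on the DMZ side the packet still carries the DMZ destination.
pass out quick on xl1 proto tcp from any to 192.168.0.50 port = 80 flags S keep state
# Replies from 192.168.0.50 to the client are matched by the state entries
# and are rewritten back to 20.20.20.2 by ipnat after filtering on xl0.
```

The two fragments go into separate files (ipnat.rules is loaded with ipnat -f, ipf.rules with ipf -f); they are shown together only to keep the NAT mapping next to the filter rules that depend on it.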