This is a discussion on Re: multiple external ips on external interface within the IPFilter forums, part of the System Security and Security Related category.
jeet, we can help you but unfortunately not with the sparse configuration information you have provided. please follow these instructions --> http://www.phildev.net/ipf/IPFmail.html#3

also, i'm beginning to believe that you want your sparc to answer requests for several|many IPs??? is this the case and what are you trying to do with such a configuration? this fact may not have been clear to me when i responded initially.

jim

Jeet wrote:
> Jim,
> Thanks a lot for your reply.
> Right now I have enabled ip_forwarding and first trying to get the ipnat working. My ipf.conf is empty and default is to pass all.
>
> my external interface qfe0 connects to a cisco 3548 switch and the switch goes to a router.
> qfe0 is 10.10.10.1
> if I try an ipnat map with qfe0 it works fine.
> However if I try a map with the second ip 10.10.10.2 I can see that the ipnat has translated the ip but there is no response back.
> Same is the problem with rdr, there is no response.
> Then I thought maybe I have to do a proxy arp for the second ip so that the switch and the router would know that packets for 10.10.10.2 should go to qfe0 so I did a
> arp -s 10.10.10.2 <mac-address qfe0>
> however that did not work either.
>
> Any ideas would surely help.
>
> -Jeet
>
> --- Jim Sandoz <sandoz@lucent.com> wrote:
>
>> jeet,
>>
>> ipfilter consists of two subsystems, "ipf" and "ipnat".
>>
>> ipf's task is to filter packets by using criteria which you define in /etc/opt/ipf/ipf.conf.
>>
>> ipnat's task is to rewrite packets using criteria which you define in /etc/opt/ipf/ipnat.conf
>>
>> you can use ipf and ipnat individually (by leaving the config file nulled you effectively disable that function), or you can use them in tandem. most folks use both. there are some interactions between the two which i will note in a moment.
>>
>> you will be interested in using ipnat to rewrite the IP addresses of specific packets coming into your external interface. this will cause some packets to be routed by your sparc into the private address space behind it.
>>
>> keep in mind that you need kernel routing enabled to do this. if your sparc has two interfaces configured at boot time it should do this automatically; otherwise you can force it to do kernel routing via
>> # /usr/sbin/ndd -set /dev/ip ip_forwarding 1
>>
>> but the direct answer to your question is "no", you don't configure any additional IP addresses on your external interface. however, you do need to add some rules to ipnat's config file to rewrite specific address/port pairs; one such example would be
>> rdr qfe0 10.10.10.1/32 port 80 -> 172.16.1.2 port 8080 tcp
>> this says "any packets arriving on interface qfe0 with the destination of 10.10.10.1:80 should be rewritten to have a destination address of 172.16.1.2:8080, then given to ipf for filtering, and if not blocked by ipf subsequently passed to the kernel for routing"
>>
>> substitute your "external" interface (hme1?) for the qfe0 above.
>>
>> the above statement implies that ipf is configured to accept (i.e. "pass") packets that have a destination address of 172.16.1.2:8080 -- this little tidbit causes trouble for everyone. keep this in mind when writing ipf rules; ipf has to deal with packets AFTER ipnat has rewritten them.
>>
>> you may be asking, "what happens to the reply packet coming back out of the network from 172.16.1.2:8080"? well, ipnat keeps a table of its translations, just like ipf keeps a table of its states. hence, on the return journey, ipnat rewrites the IP address back to the original. as far as the remote machine is concerned, it is talking to your sparc and has no knowledge that your sparc is actually frontending the real physical webserver.
>>
>> you will want to read
>> http://www.phildev.net/ipf/
>> and
>> http://www.obfuscation.org/ipf/
>>
>> also see
>> http://marc.theaimsgroup.com/?l=ipfi...9861622589&w=2
>> and
>> http://marc.theaimsgroup.com/?l=ipfi...8074705794&w=2
>> and
>> http://marc.theaimsgroup.com/?l=ipfi...1495100723&w=2
>>
>> jim
>>
>> Jeet wrote:
>>
>>> Hi Everyone,
>>> I have started using ipfilters on solaris 9 sparc Ultra 10.
>>>
>>> However I have a small newbie question the external interface is
>>>
>>> e.g 10.10.10.1 internal 172.16.1.1
>>>
>>> In order to set up something like this
>>>
>>> 10.10.10.2:80 - 172.16.1.2:8080
>>> 10.10.10.3:80 - 172.16.1.3:8080
>>>
>>> Do I have to configure the external interfaces with the external ip's or there is some way to get it working without that.
>>>
>>> Thanks a lot.
>>> -Jeet
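The rdr rule Jim quotes, carried through to the two mappings in Jeet's original question, together with the ipf rules that his "ipf has to deal with packets AFTER ipnat has rewritten them" remark requires. This is an added example written for this page, not configuration posted by either participant; the internal interface name hme0, the internal network 172.16.1.0/24, the default-deny posture on qfe0 and the use of quick/keep state are assumptions. Interface qfe0, the addresses and the two file paths are the ones the thread gives.

```conf
# /etc/opt/ipf/ipnat.conf   (added example, not from the thread)
#
# outbound: hosts on the (assumed) internal network 172.16.1.0/24 leave
# qfe0 with the interface's own address, the "map with qfe0" Jeet says works.
map qfe0 172.16.1.0/24 -> 10.10.10.1/32 portmap tcp/udp 10000:40000
map qfe0 172.16.1.0/24 -> 10.10.10.1/32
#
# inbound: the two redirections Jeet asked for. ipnat rewrites the
# destination first, then hands the packet to ipf.
rdr qfe0 10.10.10.2/32 port 80 -> 172.16.1.2 port 8080 tcp
rdr qfe0 10.10.10.3/32 port 80 -> 172.16.1.3 port 8080 tcp

# /etc/opt/ipf/ipf.conf     (added example; hme0 is an assumed internal interface)
#
# default deny on the external side and log the drops, so a missing pass
# rule shows up in ipmon output instead of as a silent "no response".
block in log on qfe0 all
block out log on qfe0 all
#
# WRONG: names the pre-NAT destination. ipf never sees 10.10.10.2:80 on an
# inbound packet because ipnat has already rewritten it, so this rule never
# matches and the redirected traffic hits the block above.
# pass in quick on qfe0 proto tcp from any to 10.10.10.2 port = 80 flags S keep state
#
# RIGHT: match what ipf actually sees, the internal address and port.
pass in quick on qfe0 proto tcp from any to 172.16.1.2 port = 8080 flags S keep state
pass in quick on qfe0 proto tcp from any to 172.16.1.3 port = 8080 flags S keep state
#
# outbound is the mirror image: ipf filters BEFORE ipnat translates, so
# traffic leaving qfe0 still carries its private source address here.
pass out quick on qfe0 proto tcp from 172.16.1.0/24 to any flags S keep state
pass out quick on qfe0 proto udp from 172.16.1.0/24 to any keep state
#
# the internal side is treated as trusted in this example (assumption).
pass in quick on hme0 all
pass out quick on hme0 all
```

Load the two files with `ipf -Fa -f /etc/opt/ipf/ipf.conf` and `ipnat -CF -f /etc/opt/ipf/ipnat.conf`, then watch `ipmon` for logged blocks while testing a connection: a logged drop with destination 172.16.1.2:8080 is the classic symptom of a pass rule written against the pre-NAT address. `ipnat -l` lists the translation table Jim describes, and `ipfstat -s` the ipf state table, so both halves of the return path can be checked. Note that these rules only act on packets that actually arrive on qfe0: whether frames addressed to 10.10.10.2 reach the sparc at all is the question Jim's follow-up leaves open, and on Solaris a plain `arp -s` without the `pub` keyword only seeds the local ARP cache rather than making the host answer ARP requests for that address.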