firewall behind a firewall

firewall behind a firewall

Post by Bruce » Tue, 27 Feb 2001 14:42:23



Hi,

I've set up a FreeBSD firewall behind a Linux firewall.
No special reason, just screwing around.

The Linux firewall has 3 nics
10.0.0.4 to Internet
172.16.1.4 Gateway for the LAN
192.168.1.102 to Web server

The FreeBSD firewall also has 3 nics
172.16.1.200 to LAN ( and Internet, 172.16.1.4 is the gateway )
10.0.0.200
192.168.1.200

So if I hook up a PC to the 10.0.0.200 nic on the FreeBSD box, I can ping
any 172.16.1.xxx addresses and I can access the internet. I can't ping the
192.168.1.102 web server though.
Just wondering if there would be some way to ping this.

Thanks,
Bruce


firewall behind a firewall

Post by Michael A. Dickerso » Tue, 27 Feb 2001 17:09:03


Quote:
> I've set up a FreeBSD firewall behind a Linux firewall.
> No special reason, just screwing around.

> The Linux firewall has 3 nics
> 10.0.0.4 to Internet
> 172.16.1.4 Gateway for the LAN
> 192.168.1.102 to Web server

> The FreeBSD firewall also has 3 nics
> 172.16.1.200 to LAN ( and Internet, 172.16.1.4 is the gateway )
> 10.0.0.200
> 192.168.1.200

> So if I hook up a PC to the 10.0.0.200 nic on the FreeBSD box, I can ping
> any 172.16.1.xxx addresses and I can access the internet. I can't ping the
> 192.168.1.102 web server though.
> Just wondering if there would be some way to ping this.

There's no way to figure this out without knowing the netmasks on each of
those NICs and possibly the routing tables too.  Try 'ifconfig -a'.  Also
double check that everything is as you say; 10.0.0.4 cannot be an Internet
address.

M.D.


firewall behind a firewall

Post by Bruce » Wed, 28 Feb 2001 11:13:35


Quote:
> 10.0.0.4 cannot be an Internet
> address.

> M.D.

There is also a DSL router, it is 10.0.0.1 and the Linux box nic 10.0.0.4
connects to it. Everything is as I say. I just don't say everything.

firewall behind a firewall

Post by Bruce » Wed, 28 Feb 2001 11:38:59


Vic,
Quote:

> Give us 'netstat -rn' output.  Seems like a route problem.

This comes from the OpenBSD box
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            172.16.1.4         UGS         1     1015   1500  fxp0
10.0.0/24          link#1             UC          0        0   1500  xl0
10.0.0.201         0:4:ac:26:d4:ff    UHL         1       74   1500  xl0
127/8              127.0.0.1          UGRS        0        0  32972  lo0
127.0.0.1          127.0.0.1          UH          3      363  32972  lo0
172.16.1/24        link#2             UC          0        0   1500  fxp0
172.16.1.4         link#2             UHL         1        0   1500  fxp0
172.16.1.103       0:40:f6:b8:49:2a   UHL         1       25   1500  fxp0
192.168.1/24       link#3             UC          0        0   1500  fxp1
224/4              127.0.0.1          URS         0        0  32972  lo0

Internet6:
Destination                        Gateway                        Flags   Refs     Use    Mtu  Interface
::/104                             ::1                            UGRS       0        0  32972  lo0 =>
::/96                              ::1                            UGRS       0        0  32972  lo0
::1                                ::1                            UH        12        0  32972  lo0
::127.0.0.0/104                    ::1                            UGRS       0        0  32972  lo0
::224.0.0.0/100                    ::1                            UGRS       0        0  32972  lo0
::255.0.0.0/104                    ::1                            UGRS       0        0  32972  lo0
::ffff:0.0.0.0/96                  ::1                            UGRS       0        0  32972  lo0
2002::/24                          ::1                            UGRS       0        0  32972  lo0
2002:7f00::/24                     ::1                            UGRS       0        0  32972  lo0
2002:e000::/20                     ::1                            UGRS       0        0  32972  lo0
2002:ff00::/24                     ::1                            UGRS       0        0  32972  lo0
fe80::/10                          ::1                            UGRS       0        0  32972  lo0
fe80::%xl0/64                      link#1                         UC         0        0   1500  xl0
fe80::%fxp0/64                     link#2                         UC         0        0   1500  fxp0
fe80::%fxp1/64                     link#3                         UC         0        0   1500  fxp1
fe80::%lo0/64                      fe80::1%lo0                    U          0        0  32972  lo0
fec0::/10                          ::1                            UGRS       0        0  32972  lo0
ff01::/32                          ::1                            U          0        0  32972  lo0
ff02::%xl0/32                      link#1                         UC         0        0   1500  xl0
ff02::%fxp0/32                     link#2                         UC         0        0   1500  fxp0
ff02::%fxp1/32                     link#3                         UC         0        0   1500  fxp1
ff02::%lo0/32                      fe80::1%lo0                    UC         0        0  32972  lo0

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)

This one comes from the Linux box:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
172.16.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0

Thanks for taking a look
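A route-lookup helper, added here and not part of the thread, that parses constructed IPv4 excerpts of the two tables Bruce posted and reports which gateway and interface each kernel would pick for a destination, plus the prefixes both boxes treat as directly attached (the function names are mine):

```python
import ipaddress

# Constructed excerpts (IPv4 only) of the two tables posted above. BSD netstat -rn
# writes prefixes as "10.0.0/24" or "default"; Linux route -n uses a dotted netmask.
FREEBSD_NETSTAT = """\
default            172.16.1.4         UGS         1     1015   1500  fxp0
10.0.0/24          link#1             UC          0        0   1500  xl0
10.0.0.201         0:4:ac:26:d4:ff    UHL         1       74   1500  xl0
172.16.1/24        link#2             UC          0        0   1500  fxp0
192.168.1/24       link#3             UC          0        0   1500  fxp1
"""
LINUX_ROUTE = """\
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
172.16.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth0
"""

def _bsd_prefix(text):
    """Expand BSD shorthand (default, 127/8, 10.0.0/24, bare host) to a network."""
    if text == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen or 32}")

def parse_bsd(text):
    """(network, gateway, iface) per row; gateway 'link#N' means directly attached."""
    rows = [line.split() for line in text.splitlines()]
    return [(_bsd_prefix(f[0]), f[1], f[-1]) for f in rows if len(f) >= 7]

def parse_linux(text):
    """Same tuple shape; a 0.0.0.0 gateway is normalised to 'direct'."""
    rows = [line.split() for line in text.splitlines()]
    return [(ipaddress.ip_network(f"{f[0]}/{f[2]}"),
             "direct" if f[1] == "0.0.0.0" else f[1], f[-1]) for f in rows if len(f) >= 8]

def lookup(routes, dest):
    """Longest-prefix match: the (gateway, iface) the kernel would use for dest."""
    ip = ipaddress.ip_address(dest)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def shared_direct_prefixes(bsd_routes, linux_routes):
    """Prefixes both kernels treat as directly attached: each box ARPs locally for them."""
    bsd = {r[0] for r in bsd_routes if r[1].startswith("link#")}
    lnx = {r[0] for r in linux_routes if r[1] == "direct"}
    return sorted(str(n) for n in bsd & lnx)
```

Run against the posted tables, the lookups show 192.168.1.102 as directly attached on both boxes (fxp1 and eth2), and the Linux box reaching 10.0.0.201 directly via eth0 rather than back through 172.16.1.200.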


1. FreeBSD and natd - routing from behind firewall to behind firewall.

Having a strange problem with a FreeBSD gateway/firewall system I set up.  
The gateway connects a small network to an ADSL line and has three static
external IP addresses.  I am using natd to provide access to the Internet
for computers in the internal LAN.

One of the machines behind the firewall is a web server and I use a natd
line similar to the following to route incoming connections to that box:

redirect_address 192.168.1.100 xxx.xxx.xxx.1

In this case the real IP of the web server is 192.168.1.100 and it is
accessed from outside the LAN by the address xxx.xxx.xxx.1.  This works.

The problem is that if any of the computers on the internal LAN try to
access the web server at xxx.xxx.xxx.1 it doesn't work.  I can access the
web server fine from inside the LAN using the local address (192.168.1.100).

I suspect there is a simple solution to this problem.  Can anyone explain
what it is?  

Thanks,
Don
