Date:      Tue, 14 May 2002 21:43:11 +0200
From:      Neil Blakey-Milner <nbm@mithrandr.moria.org>
To:        Miroslav Pendev <shadow@CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com>
Cc:        Aragon Gouveia <aragon@phat.za.net>, freebsd-security@freebsd.org
Subject:   Re: ipfw + nat + port_redirect - works, but not for the internal net
Message-ID:  <20020514194311.GA89260@mithrandr.moria.org>
In-Reply-To: <046401c1fb7d$4d0f32d0$c801a8c0@vsivyoung>
References:  <030301c1fb56$ef9fefc0$c801a8c0@vsivyoung> <005501c1fb70$bb32ebb0$01000001@aragon> <042e01c1fb75$048699c0$c801a8c0@vsivyoung> <001101c1fb79$de1aafb0$01000001@aragon> <046401c1fb7d$4d0f32d0$c801a8c0@vsivyoung>

On Tue 2002-05-14 (15:26), Miroslav Pendev wrote:
> Hi Aragon, thanks for the info
> I will take a look at data(and sock)pipe.
> 
> > Personally, what I'd do is simply connect directly to 192.168.1.100 instead
> > of trying to go via your freebsd gateway.
> 
> Yes, the direct access to 192.168.1.100:80 is Ok!
> But here is what I have:
> 
> Web server in *Internet* is serving web pages with some forms and then
> the data is sent to the internal (behind the firewall) 
> apache + php server.
> Everything works just perfect for the clients
> (hosts from internet) but it doesn't work for the people
> in the internal network. I do not want to make a mirror
> site only because I don't know (for now) how to get this
> working.
> 
> Thanks anyway!

Basically, I think you just need to make sure you NAT the traffic
arriving on the internal interface.

For example, if you have:

add 7000 divert natd ip from any to any via ${extif}

You probably need:

add 7000 divert natd ip from any to any via ${extif}
add 7005 divert natd ip from any to any via ${intif}

I could be entirely wrong, but this works for me in about 12
installations.

Just make sure you're using 'unregistered_only', or some things get a
bit confusing - "double NAT" causing all traffic to end up being from
the alias address, not the specific redirect_address.

Neil
-- 
Neil Blakey-Milner
nbm@mithrandr.moria.org