From: "Kendall Gifford" 
To: freebsd-questions@freebsd.org
Subject: An ipfw/nat port forwarding issue
Date: Tue, 20 Nov 2001 18:51:22 -0700

Hello,

I have a little problem in getting NAT port forwarding to work in the following situation.

Situation: We have a DSL connection to which a FreeBSD 4.4-Stable box is connected, called foobar. Foobar is the LAN's NAT firewall. Our web server is inside our LAN and all requests are naturally forwarded by natd.

The problem is when LAN clients try to access our web server via foobar. Now, normally they are not supposed to, as the LAN's primary DNS server (not foobar) returns the local address for the www server. But sometimes the clients, I assume due to very short time-outs, insist on reverting to the secondary DNS (foobar), which gives them foobar's public IP. So, when they try to visit the web site, it doesn't work.

My request for more information is this: Why doesn't this work? What goes on "inside" foobar when it receives such a request?
Just to give you more information about the situation: this occurs with my ipfw rules wide open (I merely divert to natd, then allow all).

Also, here are my uneducated guesses, for the sake of letting you know I have been working on understanding this: LAN requests for the external interface come in via the internal interface, pass through ipfw without any natd intervention, and then foobar tries to service the www port 80 request itself (because it didn't get forwarded, as natd runs on the external interface). Since foobar isn't serving up a www dinner, the client must starve. Am I close? Any suggestions?

Any help or general information is much appreciated.

____________
Kendall Gifford
kendall@jedis.com
http://kendall.jedis.com/