From: Pat Lashley <patl+freebsd@volant.org>
Date: Sun, 08 Aug 2004 17:19:16 -0700
To: mailist@whoweb.com, freebsd-questions@freebsd.org
Message-ID: <29C1396540CA28B1C9E7B822@vanvoght.phoenix.volant.org>
In-Reply-To: <200408081843.21513.mailist@whoweb.com>
Subject: Re: IPFW/NATD Transparent Proxy

--On Sunday, August 08, 2004 18:43:21 -0400 mailist@whoweb.com wrote:

> No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when
> they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC IP number on the FreeBSD
> internet gateway. Again, the configuration is
> de0 = PUBLIC IP = 1.2.3.4
> de1 = 192.168.1.1
> de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet
> being redirected to 192.168.2.250. That works fine. But I want someone on
> 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the
> public address 1.2.3.4:80.
>
> Put another way, I have a FreeBSD server acting as a Router/Firewall. It has
> a public interface with an IP number of 1.2.3.4 and is assigned the DNS name
> www.ishouldhaveusedipfilter.com. It also has a second NIC that supports a
> private address space of 192.168.1.0/255.255.255.0 and a third NIC that
> supports a private address space of 192.168.2.0/255.255.255.0.
>
> When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com
> they get redirected to 192.168.2.250 because I've included a redirect_port
> rule for NATD. This works fine.
> But, users on all private networks (I have
> two, but there could be 20) also need to be redirected to 192.168.2.250 when
> they try to go to www.ishouldhaveusedipfilter.com. So the user sitting at
> 192.168.1.247 shouldn't have to worry about putting in the IP number of the
> company web server, they should just be able to put in the company domain
> name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250
> just like anyone coming from the outside.

It seems to me that the best way to handle this is through DNS. Hosts within your LAN should find www.ishouldhaveusedipfilter.com at 192.168.2.250 instead of 1.2.3.4.

Typically, you would have an externally visible DNS server which is authoritative for your domain; and which lists only the publicly visible machines and IP addresses. (It should -NOT- handle referrals at all.)

Somewhere within your LAN you would have another DNS server that is authoritative for your internal domain and IP range. It may handle referrals; but it is safer to have a completely separate DNS server which just handles referrals (and possibly caches results) - it should be explicitly told to use your LAN's authoritative server for your domain and IP range.

With this setup, outside machines see the public address, which is redirected via your firewall/NAT rules; but internal machines see the internal address and access it directly.

-Pat
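The three-server split Pat describes, sketched as BIND 9 named.conf fragments for three separate hosts; this is an added illustration, not configuration from the thread or from FreeBSD. The zone file names, the directory layout, the public server's own address, and the caching resolver's address 192.168.1.53 are assumptions; the domain, 1.2.3.4, the LAN subnets and 192.168.2.250 come from the thread.

```conf
// ---- Public, externally visible server (named.conf, assumed BIND 9) ----
// Authoritative only for the public names; refuses recursion entirely.
options {
    directory "/etc/namedb";
    recursion no;
    allow-transfer { none; };
};
zone "ishouldhaveusedipfilter.com" {
    type master;
    file "master/ishouldhaveusedipfilter.com.public";   // www  IN A  1.2.3.4
};

// ---- Internal authoritative server on the LAN (assumed 192.168.1.1) ----
// Same zone name, different data: www points at the private address.
acl lan { 192.168.1.0/24; 192.168.2.0/24; };
options {
    directory "/etc/namedb";
    recursion no;                       // resolving is the caching server's job
    allow-query { lan; localhost; };
    allow-transfer { none; };
};
zone "ishouldhaveusedipfilter.com" {
    type master;
    file "master/ishouldhaveusedipfilter.com.internal"; // www  IN A  192.168.2.250
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "master/192.168.1.rev";        // PTR records for the LAN
};

// ---- Caching resolver the LAN clients point at (assumed 192.168.1.53) ----
// Recurses for LAN clients only; the company zones are forwarded to the
// internal authoritative server instead of being resolved on the Internet.
acl lan { 192.168.1.0/24; 192.168.2.0/24; };
options {
    directory "/etc/namedb";
    recursion yes;
    allow-query { lan; localhost; };
    allow-recursion { lan; localhost; };
};
zone "ishouldhaveusedipfilter.com" {
    type forward;
    forward only;
    forwarders { 192.168.1.1; };
};
zone "1.168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.1.1; };
};
```

The natd redirect_port rule stays in place for traffic arriving on de0; LAN clients never see 1.2.3.4 for www because their resolver hands them 192.168.2.250 directly.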