Date:      Fri, 22 Sep 2000 08:40:22 -0700 (PDT)
From:      Steve Lewis <nepolon@systray.com>
To:        cjclark@alum.mit.edu
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: internal to internal via natd extenal redirect_port
Message-ID:  <Pine.BSF.4.05.10009220743200.1849-100000@greg.ad9.com>
In-Reply-To: <20000920004020.V367@149.211.6.64.reflexcom.com>

On Wed, 20 Sep 2000, Crist J . Clark wrote:

> On Wed, Sep 20, 2000 at 02:37:42AM -0400, Kanji T Bates wrote:
> > I'm having great difficulty trying to get any of my internal machines to
> > talk to services handled via a natd redirect_port even though boxes coming
> > at me from my external interface have no problems whatsoever.

> This is a known "problem." I hesitate to call it such because
> everything is working as it should.
> 
> When you send a packet to 192.168.0.1, it arrives on the internal
> interface and runs through the rules. It likely is accepted at some
> rule. Now, the packet is accepted by the machine... We're done. There
> is no reason for the packet to be routed out of the external interface
> since it was destined for this machine. Since it never goes through
> the firewall rules while being processed on the external interface, it
> never is accepted by the divert rule.

OK, I think this is what I have been wrestling with for the last four
weeks, on and off, but I didn't know it.

[IP address and host/domain name changed below to protect the innocent
and the guilty]

I need to have WWW service on 'webserver.hostname.org' point to a
development server sitting behind the firewall from anywhere on the planet
(for demos and such).  Currently it looks like it works from anywhere on
the Internet, but it doesn't work from the LAN.

'webserver.domname.org' resolves to 123.123.123.80 by DNS.
'webserver' sits at 192.168.0.7 on the LAN.

We can punch in 192.168.0.7:80 on the LAN and reach the dev server, and we
can punch in 'webserver.domname.org' or 123.123.123.80 externally and reach
the dev server, but we cannot reach the dev server with either of those
internally.

I am running a DNS Cache from 192.168.0.2 as the Primary DNS server for
machines in the LAN, and I *could* add a primary record for 'domname.org'
to that internal DNS server, but I would really like to know what the
options are, and the side effects for it, before I decide to munge DNS
_OR_ before I decide to run another NATD on the dc1 interface.

If I understand correctly (without looking up any man pages, because I'm a
slacker), I would just run the second NATD as follows: 'natd -i dc1
-redirect_address 192.168.0.7 123.123.123.80' and this means we don't have
to worry about keeping the hacked DNS record synched with the real DNS
record (a significant issue for other reasons).

Can someone please comment, either privately or on the list?

--Steve


---rc.conf---
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.

## general configuration ##
saver="logo"
local_startup="/usr/local/etc/rc.d"
local_periodic="/usr/local/etc/periodic"
update_motd="NO"
inetd_enable="NO"
sendmail_enable="NO"
sendmail_flags="-q30m"
portmap_enable="NO"

tcp_dropsynfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"

## configure firewall ##
firewall_enable="YES"
firewall_type="open"

## configure NAT ##
natd_enable="YES"
natd_interface="dc0"
natd_flags="-f /etc/natd.conf"

## configure network ##
network_interfaces="dc0 dc1 lo0"
ifconfig_dc0="inet 123.123.123.123 netmask 255.255.255.0"
ifconfig_dc0_alias0="inet 123.123.123.250 netmask 255.255.255.255"
ifconfig_dc1="inet 192.168.0.1 netmask 255.255.255.0"
defaultrouter="123.123.123.254"
hostname="firewall.domname.org"
gateway_enable="YES"

---natd.conf---
same_ports yes
use_sockets yes
redirect_address 192.168.0.7 123.123.123.80
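The following is an added illustration, not code from this thread or from FreeBSD: a small Python model of the packet path Crist describes, using the interfaces and addresses from the rc.conf above plus the second natd on dc1 that Steve proposes. It assumes each natd's divert rule only sees packets entering or leaving its own interface, that 123.123.123.80 is an address the firewall answers for, and uses constructed client addresses (192.168.0.5, 200.0.0.9).

```python
from dataclasses import dataclass

@dataclass
class Natd:
    iface: str        # the -i interface; its divert rule catches packets entering/leaving it
    alias: str        # source address given to packets leaving that interface
    redirects: dict   # redirect_address: public address -> internal host

@dataclass
class Packet:
    in_if: str        # interface the packet arrived on
    src: str
    dst: str

# Addresses the firewall itself answers for (from rc.conf; 123.123.123.80 is
# assumed to be local to the firewall, since redirect_address needs that).
LOCAL = {"123.123.123.123", "123.123.123.250", "123.123.123.80", "192.168.0.1"}

def out_iface(dst):
    return "dc1" if dst.startswith("192.168.0.") else "dc0"

def forward(pkt, natds):
    """Return (action, src, dst) once the firewall is done with the packet."""
    src, dst = pkt.src, pkt.dst
    # Incoming divert: only a natd bound to the arrival interface sees the packet.
    for n in natds:
        if n.iface == pkt.in_if and dst in n.redirects:
            dst = n.redirects[dst]
    if dst in LOCAL:
        # Accepted by the host itself: it never leaves via dc0, so dc0's divert
        # rule (and with it redirect_address) never runs. This is the LAN failure.
        return ("local", src, dst)
    oif = out_iface(dst)
    # Outgoing divert: natd on the egress interface aliases the source, which is
    # what makes the dev server's reply come back through the firewall.
    for n in natds:
        if n.iface == oif:
            src = n.alias
    return (f"out {oif}", src, dst)

NATD_DC0 = Natd("dc0", "123.123.123.123", {"123.123.123.80": "192.168.0.7"})
NATD_DC1 = Natd("dc1", "192.168.0.1", {"123.123.123.80": "192.168.0.7"})  # proposed second natd

if __name__ == "__main__":
    lan = Packet("dc1", "192.168.0.5", "123.123.123.80")   # constructed LAN client
    ext = Packet("dc0", "200.0.0.9", "123.123.123.80")     # constructed Internet client
    print("one natd, LAN client :", forward(lan, [NATD_DC0]))            # stays on the firewall
    print("one natd, Internet   :", forward(ext, [NATD_DC0]))            # reaches 192.168.0.7
    print("two natds, LAN client:", forward(lan, [NATD_DC0, NATD_DC1]))  # reaches 192.168.0.7
    # Side effect of the second natd: every forwarded packet leaving dc1 now has
    # source 192.168.0.1, so the dev server's logs no longer show real client addresses.
```

The model covers only the first packet of a connection; natd's state table, which un-aliases the reply, is not represented.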
