Date: Thu, 10 Oct 2002 15:56:06 -0700 From: Marc Hunter <hunter@hunter.net> To: Nick Rogness <nick@rogness.net>, "Jack L. Stone" <jackstone@sage-one.net> Cc: wolf <mjoyner2@hq.dyns.cx>, <freebsd-questions@FreeBSD.ORG> Subject: Re: ipfw and natd during internal to internal access ... Message-ID: <4.2.0.58.20021010153730.00d34270@192.168.0.64> In-Reply-To: <20021010161251.J2374-100000@skywalker.rogness.net> References: <3.0.5.32.20021010170043.012cd790@mail.sage-one.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Thank you all for your responses so far. We tried the divert option and it almost worked :> We can see that the packet got natted but the request still times out. From what I can gather what is happening is that machine A (user) sent the packet to machine B (firewall) which sent the packet to machine C (internal web server) which responded with a packet to machine A, however machine A was expecting its answer from machine B. (Assuming a tcp connection request must receive the response from the machine it was sent to...) What is curious is that the nat converted the 'to' address correctly, but didn't change the from address to the firewall address as it does with outside traffic, so we could be missing something. Our additional divert looks as follows: divert natd log tcp from 192.168.0.0/24 to 24.70.100.100 80 in via rl1 our natd.conf says: redirect_port tcp 192.168.0.129:80 80 (and the interface is set to rl0 which is the outside world). > 1) Use another domain (point to inside) > 2) Setup subdomain www.internal.domain.com It actually is a subdomain which we are using, but neither of these options is feasible as we need to have our website links the same whether a page is accessed internally or externally... > 3) Setup nameserver to respond differently depending on source IP I suppose if there is no other way we will have to consider this, but we hadn't counted on having to do this :< > 4) Run a proxy server This whole project is to get rid of our Wingate proxy, a hardware firewall and a linux firewall, so we were hoping to avoid this (thus the use of nat). Someone suggested using the ipfw fwd command, which we will try, but I suspect it will present the same problem as the divert above... Here are some questions which may reveal our ignorance: Can you 'attach' natd to both the internal and external interfaces? Perhaps have two copies running and the one on the internal interface would only get triggered by the divert rule we added above? I suppose it would have to run on a different port in any case... Would ipf and ipnat have a solution to this problem or are they roughly the same thing, different syntax (insofar as basic firewall/nat needs go)? Thanks! Marc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.2.0.58.20021010153730.00d34270>