From owner-freebsd-isp Fri Mar 10 6:38:56 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from icebox.venux.net (icebox.venux.net [216.120.166.10]) by hub.freebsd.org (Postfix) with ESMTP id C055437BA1D for ; Fri, 10 Mar 2000 06:38:52 -0800 (PST) (envelope-from matthew@venux.net)
Received: from servbox.venux.net (servbox.venux.net [10.0.0.10]) by icebox.venux.net (Postfix) with ESMTP id EC4F826202 for ; Tue, 7 Mar 2000 10:39:56 -0500 (EST)
Received: from son (son.venux.net [10.0.0.68]) by servbox.venux.net (Postfix) with ESMTP id C2CBE2BD82 for ; Tue, 7 Mar 2000 10:37:26 -0500 (EST)
Message-Id: <4.2.2.20000307101901.00a20200@mail.venux.net>
X-Sender: mhag2@mail.venux.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Tue, 07 Mar 2000 10:39:53 -0500
To: isp@freebsd.org
From: Matthew Hagerty
Subject: POP3 proxy possible?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings,

I was wondering if there is a way to proxy a port, specifically pop3 (110), to another computer. Something like: "If a connection comes in on my port 110, forward to ip:port"

What I have is a firewall setup like this:

                  Internet
                     |
                     |
                +--------+    +---------+
                | router |    | Bastion |
                +--------+    +---------+
                     |   Perimeter Network  |
         +--------------------------------------+  Real IP assignment
                                 |
                                 |
                           +-----------+
                           | Firewall  |
                           | NATd IPFW |
                           +-----------+
                                 |
               +----------------------------------+
                                 |  Fake IP assignment 10.0.0.0/24
                             +------+
                             | pop3 |
                             +------+

I need to enable external access of pop3 (I know, I know, but it is not my decision). The first problem is that an external pop3 client cannot route to a fake IP, so they have to pop3 to a real host, i.e. the bastion. The bastion would then forward the request to the firewall machine, which knows how to route to the internal server. The bastion host also has a static route so it knows that 10.0.0.0/24 should be routed to the firewall.
The second problem is that the firewall will only accept packets from the bastion host, so external pop3 clients cannot connect directly to the firewall machine to have the pop3 request forwarded.

What I thought I needed was a simple "port pass-through" program of some sort. I thought NATd could do this with the -reverse, -proxy_only, and -proxy_rule parameters, but I could not get it to work. I could not find any other docs or examples on NATd other than the man page; is there any?

One other thing, can NATd be run without IPFIREWALL? In this case I don't need a firewall, so can I leave the option out of my kernel and just use IPDIVERT?

Any insight would be greatly appreciated!

Thank you,
Matthew Hagerty

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
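The "port pass-through" program the message asks about, shown here as an added example that is not part of the original post and not FreeBSD's natd: a minimal userland TCP relay that accepts on one address, copies bytes unchanged in both directions to a fixed target (the internal POP3 host in the setup above), and refuses any connection whose source address is outside an allowed network, so the same program on the bastion can be limited to the clients that are supposed to reach it. The fake POP3 backend, the networks 127.0.0.0/8 and 192.0.2.0/24 used to exercise the allow-list, and the helper names (PortProxy, talk_through_proxy) are all constructed for this demonstration.

```python
import ipaddress
import socket
import threading

BUF = 4096


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while data := src.recv(BUF):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target, allowed):
    """Forward one accepted connection to target if its source address is allowed."""
    peer = ipaddress.ip_address(client.getpeername()[0])
    if not any(peer in net for net in allowed):
        client.close()  # source outside the allowed networks: refuse, relay nothing
        return
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()  # backend unreachable: drop the client rather than hang it
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


class PortProxy:
    """Accept TCP on `listen` and relay each connection unchanged to `target`."""

    def __init__(self, listen, target, allowed):
        self.target = target
        self.allowed = [ipaddress.ip_network(a) for a in allowed]  # assumed policy list
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(listen)
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]  # real port when listen used port 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:  # listening socket closed by close()
                return
            threading.Thread(target=_relay, args=(client, self.target, self.allowed),
                             daemon=True).start()

    def close(self):
        self.sock.close()


def _fake_pop3_server():
    """Constructed stand-in for the internal POP3 host: greet, then answer QUIT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(4)

    def serve():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            c.sendall(b"+OK POP3 ready\r\n")
            if c.recv(BUF).strip().upper() == b"QUIT":
                c.sendall(b"+OK bye\r\n")
            c.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def _read_line(sock):
    """Read until a CRLF-terminated line (or EOF) arrives."""
    buf = b""
    while b"\r\n" not in buf:
        chunk = sock.recv(BUF)
        if not chunk:
            break
        buf += chunk
    return buf


def talk_through_proxy(allowed):
    """A client talks to the fake POP3 host via PortProxy; returns (greeting, reply)."""
    backend = _fake_pop3_server()
    proxy = PortProxy(("127.0.0.1", 0), backend.getsockname(), allowed)
    c = socket.create_connection(("127.0.0.1", proxy.port), timeout=5)
    greeting = _read_line(c)
    reply = b""
    if greeting:
        c.sendall(b"QUIT\r\n")
        reply = _read_line(c)
    c.close()
    proxy.close()
    backend.close()
    return greeting, reply
```

talk_through_proxy(("127.0.0.0/8",)) returns the backend's greeting and its answer to QUIT, relayed byte for byte; talk_through_proxy(("192.0.2.0/24",)) returns two empty strings because the proxy closes a connection from 127.0.0.1 before contacting the backend. The relay is deliberately protocol-agnostic, so it carries POP3 passwords in the clear exactly as the client sent them; restricting source networks limits who can reach the listener but does nothing for the contents. On FreeBSD itself the kernel-level equivalent of this forwarding is natd's -redirect_port option (syntax from natd(8): -redirect_port tcp targetIP:targetPORT aliasPORT) behind an ipfw divert rule, and natd(8) states that the kernel must be built with both options IPFIREWALL and options IPDIVERT.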