Date:      Wed, 28 Jul 1999 15:33:34 +0100
From:      Brian Somers <brian@FreeBSD.org.uk>
To:        Dan Simoes <dans@deva.iclick.com>
Cc:        brian@FreeBSD.org.uk (Brian Somers), dans@iclick.com (Dan Simoes), freebsd-questions@FreeBSD.ORG (freebsd-questions@FreeBSD.ORG)
Subject:   Re: setting up redirects with natd/firewall 
Message-ID:  <199907281433.PAA03148@keep.lan.Awfulhak.org>
In-Reply-To: Your message of "Wed, 28 Jul 1999 08:33:23 EDT." <199907281233.IAA02865@deva.iclick.com> 

> > Natd should be run on the interface with address A.B.C.D.  It does 
> > the redirect_port on the primary address by default.  If you have 
> > more than one web server, you'll need to run natd on a multi-homed 
> > interface and do something like
> > 
> >   redirect_port tcp 192.168.100.A:80 A.B.C.D:80
> >   redirect_port tcp 192.168.100.B:80 E.F.G.H:80
> > 
> > where A.B.C.D and E.F.G.H are your external addresses.
> 
> I think the letters are getting confusing.
> 
> Say I have two web servers with addresses of 199.1.1.1 and 199.1.1.2
> which are in DNS as web1 and web2.
> 
> I want to place them behind the firewall, so I readdress them as
> 192.168.100.1 and 192.168.100.2, private side addresses.
> 
> On the outside, DNS still lists web1 and web2 with public side addresses.
> I want to direct queries through the firewall for those hosts,
> but I need to either change DNS so web1 and web2 point to the firewall's
> public side interface, or run multiple interfaces (virtual IPs?)
> on the firewall so those IPs are publicly visible.

Yep, you'll need to

  ifconfig fxp0 inet 199.1.1.1 netmask whatever
  ifconfig fxp0 inet 199.1.1.2 netmask 0xffffffff alias

assuming you've got an fxp NIC, and then

  redirect_port tcp 192.168.100.1:80 199.1.1.1:80
  redirect_port tcp 192.168.100.2:80 199.1.1.2:80

in your natd config.  Of course the rest of the world will have to 
know how to get to 199.1.1.[12].

> I don't think redirect_port will do this, correct?

Not the whole thing :-)

> -- 
> Dan Simoes                              mail:dans@iclick.com
> iClick					web:www.iclick.com	
> 410 Saw Mill River Road LL 135		voice: 914.693.0837
> Ardsley, NY 10502                      	fax:914.693.1055
> 

-- 
Brian <brian@Awfulhak.org>                        <brian@FreeBSD.org>
      <http://www.Awfulhak.org>                    <brian@OpenBSD.org>
Don't _EVER_ lose your sense of humour !          <brian@FreeBSD.org.uk>




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
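
A way to audit the setup described in the message above, added here as an example (it is not part of the original thread or of natd): it reads `redirect_port` lines and reports whether each public address is actually configured on the external interface, so every internal service exposed through the firewall is listed and a redirect with no matching `ifconfig` alias is caught. The function name `audit_redirects`, the third redirect (199.1.1.3) and the address list are constructed for illustration; the port-only form is reported as using natd's default (primary) address.

```shell
#!/bin/sh
# Added example: check natd redirect_port entries against interface addresses.

# Constructed sample natd config using the addresses from the message,
# plus one extra redirect (199.1.1.3) that has no matching alias.
SAMPLE_CONF='interface fxp0
# web servers behind the firewall
redirect_port tcp 192.168.100.1:80 199.1.1.1:80
redirect_port tcp 192.168.100.2:80 199.1.1.2:80
redirect_port tcp 192.168.100.3:80 199.1.1.3:80'

# Constructed list of addresses bound to fxp0 (primary plus one alias).
# On a live host: ifconfig fxp0 | awk '$1 == "inet" { print $2 }'
SAMPLE_ADDRS='199.1.1.1 199.1.1.2'

# audit_redirects CONF ADDRS
# Prints one line per redirect_port entry:
#   OK      public -> internal   public address is on the interface
#   UNBOUND public -> internal   no interface address matches
#   DEFAULT port   -> internal   no public address given, primary is used
# Returns non-zero if any entry is UNBOUND.
audit_redirects() {
    printf '%s\n' "$1" | awk -v addrs="$2" '
        BEGIN {
            n = split(addrs, a, " ")
            for (i = 1; i <= n; i++) bound[a[i]] = 1
        }
        $1 == "redirect_port" && NF >= 4 {
            target = $3; pub = $4
            if (index(pub, ":") == 0) {      # port only, no public address
                printf "DEFAULT %s -> %s\n", pub, target
                next
            }
            ip = pub; sub(/:.*$/, "", ip)    # strip the :port suffix
            if (ip in bound) {
                printf "OK %s -> %s\n", pub, target
            } else {
                printf "UNBOUND %s -> %s\n", pub, target
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

audit_redirects "$SAMPLE_CONF" "$SAMPLE_ADDRS" ||
    echo "at least one redirect uses an address not configured on the interface"
```
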