From: horio shoichi
To: Terry Singh
Cc: freebsd-questions@freebsd.org
Date: Wed, 31 Dec 2003 13:13:20 +0900
Subject: Re: arp request problem with firewall
Message-Id: <20031231.041325.ffcbd3fce0f52dd7.10.0.3.9@bugsgrief.net>
In-Reply-To: <20031230003040.81915.qmail@web40707.mail.yahoo.com>

On Mon, 29 Dec 2003 16:30:40 -0800 (PST)
Terry Singh wrote:

> This is my first post to freebsd-questions.
>
> MY NETWORK
>
> Internet -- WAN_IF | FIREWALL - 5.1 RELEASE | LAN_IF -- LAN network
>
> The WAN_IF has several public addresses as aliases. I have about 20 servers in
> the LAN that require various services allowed to the public Internet.
>
> I basically am doing a "bimap" one-to-one mapping per server in the LAN.
> This all works great, meaning I can surf etc. from any LAN server to the
> Internet and also, from the Internet, I can get published services on LAN
> servers.
>
> Here's the problem:
> I already mentioned that each server with a 192.168.50.x address is "bimap"ed
> to a public address. The problem is that if I am on any of the LAN servers, and
> want to connect to the public address of a server in the LAN, I CANNOT.
> Now first off, I could connect using private addresses and of course this works
> like it should. But our applications have real DNS names coded in the apps so I
> need this to work.
>
> I know it has something to do with proxy arp so I even tried placing this line
> in sysctl.conf: net.link.ether.inet.proxyall=1
> No luck.
>
> ANY IDEAS?
>
> --------------
> Second problem
> One of the LAN servers is an FTP server. From the Internet, I can only connect
> using ACTIVE MODE even though I allow both 20/21/tcp inbound. Here's what
> happens when passive mode is used: the initial connection is accepted, but then
> the server sends its private address instead of its proper public address! Of
> course it's not gonna work! So I forced active mode and voila! It worked.
> What's the fix for this bugger? I know outbound FTP has some built-in proxy ftp
> in FreeBSD but what about inbound?
>
> thanks, tsingh.

1. A network configuration like yours is known not to work. The reason and
   workarounds are best detailed here:
   http://www.openbsd.org/faq/pf/rdr.html#reflect

2. wu-ftp and proftp have the ability to advertise an arbitrary address.
   There may be others, but I don't know.

horio shoichi
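The second problem in the thread (the server's PASV reply carrying its 192.168.50.x address instead of the public one) is easy to confirm on the control channel. The following is an added example, not code from the thread or from FreeBSD: it parses an RFC 959 "227" reply, flags an RFC 1918 address or one that differs from the address the client actually connected to, and shows the reply a NAT-aware server (the "advertise an arbitrary address" option mentioned above) should emit instead. The sample replies and the public address 203.0.113.10 are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# Only the RFC 1918 blocks count as "private" here (ipaddress.is_private also
# covers documentation ranges such as 203.0.113.0/24, which we use as "public").
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class PasvCheck:
    advertised_host: str
    advertised_port: int
    private_address: bool     # host falls inside an RFC 1918 block
    mismatches_control: bool  # host differs from the address the client dialled
    usable_from_internet: bool


def parse_pasv(reply: str) -> Optional[tuple[str, int]]:
    """Return (host, port) from a 227 reply, or None if it is not a valid PASV reply."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, control_peer: str) -> Optional[PasvCheck]:
    """control_peer is the public address the client connected to on port 21."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    host, port = parsed
    addr = ipaddress.ip_address(host)
    private = any(addr in net for net in _RFC1918)
    mismatch = addr != ipaddress.ip_address(control_peer)
    return PasvCheck(host, port, private, mismatch, not (private or mismatch))


def rewrite_pasv(reply: str, public_host: str) -> str:
    """The reply a NAT-aware server or FTP proxy should send: same port, public address."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    _, port = parsed
    h = public_host.split(".")
    return f"227 Entering Passive Mode ({h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256})."
```

Run check_pasv() against the 227 line captured from the control connection; a result with usable_from_internet False reproduces exactly the failure described in the post.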