Date:      Thu, 30 Jul 1998 14:22:35 -0700 (PDT)
From:      Doug White <>
To:        Mike Grommet <>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Firewall issues... HELP PLS
Message-ID:  <>
In-Reply-To: <000101bdbb3e$6a8e0260$>


On Wed, 29 Jul 1998, Mike Grommet wrote:

> Well they say a picture is worth a thousand words, so here is a small (16k)
> gif attached to this message displaying the planned topology... I have a few
> questions and I'm not sure how this will work and this message will make
> much more sense with the diagram :)

I generally object to attachments in mailing lists but this makes it soo
much easier. :)

> I am the primary DNS authority for this particular client... and they
> want a mail server on site running microsoft exchange.  They want to
> run exchange on their primary NT server, which we need to have behind
> the firewall.
> I have no problems setting up dns for pointing the mail to a public ip
> number, this I've done on lots of occasions... I just assign their
> mail server a specified IP number in dns... the problem is that their
> mail server (aka primary NT server) needs to be private so I can't
> assign it a public internet IP number...

This looks like a classic case for ipfw/natd and some sendmail magic.

> The only thing I can think of is this:
> the bastion host must have an internet reachable ip number, and one that
> isn't internet reachable for the local network, both on two interface cards.
> What I think is that I can bind another internet ip number to the bastion
> host, the second one being the ip number specified in my dns for their mail
> server.  Then convince the firewall to pass all mail traffic coming in
> through this ip number to the mail port of the private nt machine... is this
> possible?  am I making sense here (it's been a long day, so I wouldn't be
> surprised).

You're on the right track, and you can do this with ipfw/natd, but there
is another method that may be more secure from the NT server viewpoint.

How to do it:

1.  Set up FreeBSD with ipfw & natd on the bastion host.  Disable
    all non-essential services (everything except ssh).

2.  Variation #1:
    a. Disable sendmail on the bastion host.
    b. Configure natd to redirect port 25 to port 25 of the Windows
       (Tunnel port 25 through the firewall to the NT box.)

    Variation #2:
    a. Leave sendmail enabled on the bastion host.
    b. Build a new with mailertable support.
    c. Set up a mailertable entry to relay all inbound mail
       to the NT box. 

3.  Number the private network using non-Internet IPs as desired.

4.  Configure the DNS to point all mail services to the bastion host.

Commentary on variations:  #1 is easier to set up but exposes the NT machine
to potential attack via Exchange.  Considering Microsoft's security track
record this isn't such a great idea.  #2 is harder to set up but protects
the internal network from any outside incursions since natd & ipfw will
eat any packets attempting to traverse the firewall without permission.
As a byproduct the entire private LAN has Internet access, just point your
default gateway/router at the firewall.

We'll have a similar setup running at my house in about a month when we
get the ADSL line installed.

Doug White                              | University of Oregon  
Internet:    | Residence Networking Assistant    | Computer Science Major
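As an added illustration of the two variations Doug outlines (this is not code from the original message, nor from FreeBSD's own configuration files), the following script emits the bastion-host configuration so it can be reviewed before being installed: a natd configuration with the port-25 redirect for variation #1, an ipfw rule set for either variation, and the sendmail mailertable entry for variation #2. Every interface name (`ed0`, `ed1`), address (`203.0.113.5`, `192.168.1.10`, `192.168.1.0/24`), the domain `client.example`, and the staging paths are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original message or from FreeBSD itself: prints
# the bastion-host configuration for the two variations described above so it
# can be reviewed before being installed.  Every address, interface name,
# domain and file path below is an assumed placeholder.

EXT_IF="ed0"              # assumed outside interface of the bastion host
INT_IF="ed1"              # assumed inside (private LAN) interface
EXT_IP="203.0.113.5"      # assumed public IP the client's MX record points at
MAIL_INT="192.168.1.10"   # assumed private IP of the NT/Exchange server
LAN="192.168.1.0/24"      # assumed private network
DOMAIN="client.example"   # assumed mail domain of the client

# Variation #1: natd tunnels inbound SMTP straight through to the NT box.
# Prints the contents of natd's configuration file.  EXT_IP is assumed to be
# bound as an alias on EXT_IF so the bastion answers ARP for it.
gen_natd_conf() {
    cat <<EOF
interface ${EXT_IF}
use_sockets yes
same_ports yes
# inbound TCP/25 for the public mail address goes to the private Exchange host
redirect_port tcp ${MAIL_INT}:25 ${EXT_IP}:25
EOF
}

# ipfw rule set; $1 is the variation number (1 or 2).
# Packets are diverted to natd before the accept rules are reached, so with
# variation #1 the SMTP accept rule must match the *translated* destination
# (the private IP), while with variation #2 sendmail on the bastion receives
# the untranslated public address.  Only SMTP and ssh are opened from the
# outside; everything not explicitly allowed is denied and logged.
gen_ipfw_rules() {
    case "$1" in
        1) smtp_dst="${MAIL_INT}" ;;
        2) smtp_dst="${EXT_IP}" ;;
        *) echo "usage: gen_ipfw_rules 1|2" >&2; return 1 ;;
    esac
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 divert natd ip from any to any via ${EXT_IF}
ipfw add 300 allow tcp from any to any established
ipfw add 400 allow tcp from any to ${smtp_dst} 25 in via ${EXT_IF} setup
ipfw add 410 allow tcp from any to ${EXT_IP} 22 in via ${EXT_IF} setup
ipfw add 420 allow udp from any 53 to ${LAN} in via ${EXT_IF}
ipfw add 500 allow ip from any to any via ${INT_IF}
ipfw add 510 allow ip from ${EXT_IP} to any out via ${EXT_IF}
ipfw add 65000 deny log ip from any to any
EOF
}

# Variation #2: sendmail on the bastion accepts the client's mail and relays
# it to Exchange.  Prints the mailertable line; the brackets tell sendmail to
# deliver to that host directly instead of looking up its MX record.  The
# bastion's .mc file needs FEATURE(mailertable), and the domain is assumed to
# be listed in sendmail's relay-domains file so inbound relaying is accepted.
gen_mailertable() {
    printf '%s\tsmtp:[%s]\n' "${DOMAIN}" "${MAIL_INT}"
}

# Write all generated files into a staging directory for review.
stage_configs() {
    dir="$1"
    mkdir -p "$dir"
    gen_natd_conf    > "$dir/natd.conf"
    gen_ipfw_rules 1 > "$dir/ipfw.variation1.sh"
    gen_ipfw_rules 2 > "$dir/ipfw.variation2.sh"
    gen_mailertable  > "$dir/mailertable"
    echo "staged in $dir; after installing, rebuild the map with: makemap hash mailertable < mailertable"
}

if [ $# -gt 0 ]; then
    stage_configs "$1"
fi
```

Run it as `sh bastion-config.sh /tmp/stage` to get the four files; only one of the two ipfw rule files is meant to be installed, matching the variation chosen. The divert-before-accept ordering is the part most often got wrong: if the port-25 accept rule in variation #1 names the public address, the translated packet never matches it and is silently dropped by the final deny rule.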
