Date:      Fri, 10 Jan 2003 19:35:09 -0800 (PST)
From:      jdroflet@canada.com
To:        freebsd-questions@FreeBSD.ORG
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: natd ip redirect confuses Java server behind the firewall.
Message-ID:  <20030110193511.10104.h012.c009.wm@mail.canada.com.criticalpath.net>

snip
> > loads the web pages fine then attempts to run one of the java
> > reports. 
> > TO: 10.150.0.24 
> > from: w.x.y.z 
> > 
> > The server was then doing its reflux thing which tried to get further 
> > java/url stuff from whatever server the client initiated 
> > To: a.b.c.d 
> > from: 10.150.0.24 <= Java box attempts to 'reach' its public IP. 
> 
>     "reach its public ip"? 10.150.0.24 is the *private* ip, isn't it?
Yes, the 10. private address of the java box sends packets to the address that is his
alias on public side. The java box should never try to do this, in my mind (very
little of it left now:) java should not even know what its public address is
unless Natd is not working properly and if that were the case I'd think to have
found something about such a problem during my day of searching the net. The
statement about the 'reflux' above was made by the java support person, and I
think he's saying that it is the client providing the IP address to the java box
in its call for the report, and java box is too dumb (read config file problem
?) to know it should be asking itself.
>  
> > At this point the client gets an error 'Form not found' 
> 
>     what packets does the *client* see? IOW, what goes *out* from the
>     outside interface? the packet headers are obviously translated fine,
>     but maybe the server sends it its IP in the data?
The firewall won't send those packets on because it's set to stop spoofing on the
inside interface. "add deny all from ${onet}:${omask} to any in via ${iif}"

>  
> > So, is this really a NATD problem or could it actually be a problem in one of
> > the Java server configs ?
> 
>     i would think so.
> 
> > And if so where do I look, I'm neither an Apache tomcat or java
> > expert.
> 
>     doesn't look like an apache problem. either tomcat or the java app.
I don't know much about either and Mr. Java support guy says it's my NAT on the
firewall. If anyone knows which file I should look in first I'd really
appreciate it.
>  
> -- 
> If you cc me or remove the list(s) completely I'll most likely ignore
> your message.    see http://www.eyrie.org./~eagle/faqs/questions.html
