Date: Fri, 28 Sep 2001 19:55:14 -0700 (PDT)
From: Bryce Newall <data@dreamhaven.org>
To: FreeBSD Questions List <freebsd-questions@freebsd.org>
Subject: Natd/ipfw/redirect issue
Message-ID: <Pine.BSF.4.33.0109281948380.580-100000@ds9.dreamhaven.org>
Greetings,

I've just completed the setup (more or less) of a FreeBSD firewall system. Previously, my NT-based mail server was visible to the world. I have taken the external IP address off of the NT server and ifconfig'd it onto the FreeBSD machine, and am using NAT (redirect_port) to redirect incoming mail to the NT machine. From the outside, everything is fine.

However, on the internal LAN, I'm running into a problem. The name of my mail server exists in DNS, so although I have set up a static WINS mapping for the mail server to resolve to the internal 192.168 IP address, the clients are using DNS rather than WINS to resolve the hostname, so they are getting the external IP address of the mail server. Since the traffic is originating from inside the firewall rather than from outside, NAT will not redirect requests to the mail server, so clients cannot reach the mail server from the inside. (I have temporarily solved this by pushing a hosts file over to the clients, but this is not a good solution in my opinion.)

I've tried adding ipfw rules, but to no avail. The rule I added was:

    ipfw add fwd 192.168.1.201,25 tcp from any to <external.ip.address> 25

I'm assuming I have the syntax correct, i.e. "forward anything destined for <external.ip.address> on port 25 to 192.168.1.201 on port 25". I even tried adding "via xl1" (xl1 = the internal interface on the FreeBSD firewall), but still no luck.

I had hoped that such an ipfw rule would allow both internal machines to reach the mail server properly, *and* allow external machines to reach it. With just the ipfw rule in place, no machines could reach it at all. Using natd, external machines could reach it, but not internal ones.

Any suggestions would be greatly appreciated! Including, even, if anyone knows how to make a Windows NT/2000 client look for an answer from WINS *before* going to DNS....

Thanks in advance!
*********************************************************
* Bryce Newall                 * Email: data@dreamhaven.org *
* www.dreamhaven.org/~data     *                            *
* "Computers make very fast, very accurate mistakes."       *
*********************************************************
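As an added illustration (not part of the original post, and not FreeBSD's own code), a small Python model of the two mechanisms the post runs into: natd's redirect_port only translates packets diverted on the interface natd is bound to, so a connection from the inside to the public address is never redirected, and ipfw fwd only overrides the next hop without rewriting the destination address, so the mail server receives a packet addressed to an IP it does not own. 192.168.1.201 and the internal interface xl1 come from the post; the public address 203.0.113.10 and the external interface name xl0 are constructed placeholders.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# 192.168.1.201 and xl1 come from the post; 203.0.113.10 and xl0 are constructed placeholders.
EXTERNAL_IP = "203.0.113.10"
MAIL_SERVER = "192.168.1.201"
EXT_IFACE, INT_IFACE = "xl0", "xl1"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str  # interface the packet enters the firewall on

def natd_redirect_port(pkt: Packet) -> Packet:
    """Model of 'natd -interface xl0 -redirect_port tcp 192.168.1.201:25 25'.
    natd only sees packets diverted on its own interface, so a packet entering
    on the internal interface is returned untouched (the hairpin problem)."""
    if pkt.iface == EXT_IFACE and pkt.dst == EXTERNAL_IP and pkt.dport == 25:
        return replace(pkt, dst=MAIL_SERVER)
    return pkt

def ipfw_fwd(pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """Model of 'ipfw add fwd 192.168.1.201,25 tcp from any to <ext> 25'.
    fwd changes the next hop only; the destination address is left as is."""
    if pkt.dst == EXTERNAL_IP and pkt.dport == 25:
        return pkt, MAIL_SERVER
    return pkt, None

def accepted_by_mail_server(pkt: Packet, next_hop: Optional[str]) -> bool:
    """The NT host accepts a packet only if it arrives AND is addressed to its own IP."""
    arrives = next_hop == MAIL_SERVER or (next_hop is None and pkt.dst == MAIL_SERVER)
    return arrives and pkt.dst == MAIL_SERVER

def reaches_via_natd(pkt: Packet) -> bool:
    return accepted_by_mail_server(natd_redirect_port(pkt), None)

def reaches_via_fwd(pkt: Packet) -> bool:
    return accepted_by_mail_server(*ipfw_fwd(pkt))

def resolve_mail_server(internal_client: bool) -> str:
    """Split-horizon answer: inside clients get the private address directly,
    which is what the hosts-file workaround in the post does by hand."""
    return MAIL_SERVER if internal_client else EXTERNAL_IP

if __name__ == "__main__":
    outside = Packet("198.51.100.7", EXTERNAL_IP, 25, EXT_IFACE)  # constructed client
    inside = Packet("192.168.1.50", EXTERNAL_IP, 25, INT_IFACE)   # constructed client
    print("natd: outside", reaches_via_natd(outside), "inside", reaches_via_natd(inside))
    print("fwd : outside", reaches_via_fwd(outside), "inside", reaches_via_fwd(inside))
```

Running it reproduces the two observations in the post: with natd alone only the outside client reaches the server, and with the fwd rule alone neither does.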