Date:      Tue, 24 Aug 1999 20:01:05 -0700
From:      Ludwig Pummer <ludwigp@bigfoot.com>
To:        John Heyer <john@arnie.jfive.com>
Cc:        "freebsd-isp@FreeBSD.ORG" <freebsd-isp@FreeBSD.ORG>
Subject:   Re: Internal Servers / External IP Addresses (NAT)
Message-ID:  <37C35C71.937E609A@bigfoot.com>
References:  <Pine.BSF.3.96.990824171826.988A-100000@snake.supranet.net>

John Heyer wrote:
> 
> I recently installed FreeBSD 3.2 on a machine running NAT and IPFW to act
> as a proxy server.  In addition to internet access for the internal users
> via NAT, the company has also asked to put their mail and web servers on
> the internal network for security reasons, yet still have them accessible
> from the outside.  I moved the servers internally and had the Proxy server
> take the old IP address, then re-directed the necessary ports with NAT's
> -redirect_port parameter so that for example telnetting to port 25 of the
> proxy server's alias IP address gets a connection to the internal mail
> server.
> 
> From the outside, this works great.  The problem is it doesn't work from
> internal addresses.  When they go to the outside (routable) alias being used
> by the proxy server, they don't get re-directed for some reason.
> 
> I know the best solution might be to fool the clients into going directly
> to the internal address by DNS or hosts files, but unfortunately that
> would mean re-configuring 50 or so client machines.  So I'm trying to do
> something at the server level - so far route statements and forwarding via
> ipfw, but with no luck.  Any options to NAT I might be missing in order
> for the re-direction to work from the internal side?

I believe the issue here is which ipfw rules you are using to get the
packets sent to NAT. If you are using the standard rules packaged with
FreeBSD, then it's not enough. The standard rule requires that the
packets go through the natd_interface set by your rc.conf. In your case,
the packets are not going through that interface because the FreeBSD
natd gateway recognizes that those 'outside' addresses are its own and
doesn't bother passing them on to another interface.

All you should need to do is add an ipfw line to your rc.firewall saying
to "divert natd all from ${inet}:${imask} to ${old_outside_ip} 25" for
the SMTP server for example.

Note that I haven't actually tried this, but I do remember bringing this
up with the natd/natd manpage maintainers a few weeks/months ago and we
had a discussion about this kind of situation.
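An added example, not from either poster: an rc.firewall-style fragment that emits the standard `via ${natd_interface}` divert rule next to the extra per-port rules Ludwig suggests, so the difference is visible in one place. The variable names follow rc.firewall and his message; the addresses and ports are constructed samples, `tcp` is used instead of `all` because ipfw only accepts port numbers on tcp/udp rules, and the function name is mine.

```sh
#!/bin/sh
# Added example (not from the thread). Variable names follow rc.firewall and
# Ludwig's message; the values below are constructed samples, not real hosts.
inet="192.168.1.0"               # internal network
imask="255.255.255.0"            # its netmask
natd_interface="fxp0"            # outside interface natd normally listens on
old_outside_ip="203.0.113.10"    # routable alias the gateway took over
redirected_ports="25 80"         # ports natd maps inward with -redirect_port

# The rule shipped with FreeBSD: only traffic crossing the outside interface
# reaches natd. Internal clients talking to old_outside_ip never cross it,
# because the gateway owns that address, so they miss the redirect.
gen_standard_divert_rule() {
    fwcmd=$1
    printf '%s divert natd all from any to any via %s\n' \
        "$fwcmd" "$natd_interface"
}

# The extra rules from the reply: hand packets from the internal network
# destined for old_outside_ip on each redirected port to natd as well.
# ipfw is first-match, so these must be numbered before any pass rule.
# $1 = command prefix, e.g. "ipfw add" for real use or "echo" for a dry run.
gen_internal_divert_rules() {
    fwcmd=$1
    for port in $redirected_ports; do
        printf '%s divert natd tcp from %s:%s to %s %s\n' \
            "$fwcmd" "$inet" "$imask" "$old_outside_ip" "$port"
    done
}

# Dry run: print both rule sets instead of installing them.
gen_standard_divert_rule echo
gen_internal_divert_rules echo
```

After installing the rules for real, `ipfw list` shows them in evaluation order, which is the quickest way to confirm the new divert lines sit ahead of the pass rules.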


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37C35C71.937E609A>