Date: Mon, 1 Oct 2001 19:55:09 -0500 (CDT)
From: Nick Rogness
To: Bryce Newall
Cc: FreeBSD Questions List
Subject: Re: Natd/ipfw/redirect issue

On Mon, 1 Oct 2001, Bryce Newall wrote:

> On Fri, 28 Sep 2001, Nick Rogness wrote:
>
>>> ipfw rule would allow both internal machines to reach the mail
>>> server properly, *and* allow external machines to reach it. With
>>> just the ipfw rule in place, no machines could reach it at all.
>>> Using natd, external machines could reach it, but not internal
>>> ones.
>>
>> NO! You want to use the redirect_port option to natd NOT IPFW
>> FWD!!! man natd
>
> Hey, no need to shout at me... :) I tried both ways, and obviously
> using just ipfw didn't work at all, so natd is what I'm using.
> However, it's a solution to the *internal* problem that I'm looking
> for, be it using ipfw or something else.

This question gets asked at least 100 times a month and the answer
could be found by searching the mail archives at www.freebsd.org.

Anyway, back to your question. The proper way to handle the internal
requests is to have your internal DNS server resolve your mail server
IP to an internal IP. You should not have nat doing the work for
handling the request.

The internal packet should never traverse the outside interface, which
triggers the ipfw divert, sending the packet to natd. That is why the
internal requests do not work.

If running an internal DNS server is out of the question, run a second
copy of natd on the internal interface to redirect to the mail server.
This is a bad solution, but it will work.

Nick Rogness
- Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"
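The setup Nick describes, written out as an added example that is not part of the original mail and not FreeBSD's own rc.firewall: an ipfw rule script in the rc.firewall style, with natd doing the port forward through redirect_port, the divert rule bound to the outside interface only (which is why LAN clients that connect to the public address never reach natd), and the second natd instance on the inside interface as the optional fallback. The interface names fxp0/fxp1, the addresses 203.0.113.5, 192.168.1.0/24 and 192.168.1.10, and the divert port 8669 for the second instance are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail: ipfw rules for a natd
# redirect of TCP/25 to an internal mail server. All names and
# addresses below are assumptions:
#   fxp0          outside interface, public address 203.0.113.5
#   fxp1          inside interface on 192.168.1.0/24
#   192.168.1.10  the mail server behind the router
# fwcmd defaults to /sbin/ipfw; set fwcmd=echo to print the ruleset on a
# machine without ipfw instead of loading it.

fwcmd=${fwcmd:-/sbin/ipfw}
oif=${oif:-fxp0}
iif=${iif:-fxp1}
ext_ip=${ext_ip:-203.0.113.5}
inet=${inet:-192.168.1.0/24}
mail=${mail:-192.168.1.10}

# natd for the outside interface. The forward is natd's redirect_port,
# not an ipfw fwd rule, and only TCP/25 is exposed to the outside.
start_natd_outside() {
    natd -n "$oif" -redirect_port tcp "$mail:25" 25
}

# The fallback from the mail: a second natd on the inside interface with
# its own divert port, so LAN hosts connecting to the public address get
# redirected too. It rewrites the source of every packet crossing fxp1
# (LAN traffic to the Internet is NATed twice, and mail arriving from the
# Internet reaches the server with the router's inside address as its
# source). That is why it is the bad option; an internal DNS zone that
# answers 192.168.1.10 for the mail server's name is the clean fix.
start_natd_inside() {
    natd -p 8669 -n "$iif" -redirect_port tcp "$mail:25" "$ext_ip:25"
}

load_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    # anti-spoofing: LAN addresses never arrive on the outside interface,
    # and only LAN addresses arrive on the inside one
    ${fwcmd} add 200 deny ip from "$inet" to any in via "$oif"
    ${fwcmd} add 210 deny ip from not "$inet" to any in via "$iif"
    # Divert to natd only on the outside interface. A LAN packet for
    # 203.0.113.5 never crosses fxp0, so it never reaches natd: that is
    # why the redirect works from the Internet but not from inside.
    ${fwcmd} add 300 divert natd ip from any to any via "$oif"
    if [ -n "${use_inside_natd:-}" ]; then
        ${fwcmd} add 310 divert 8669 ip from any to any via "$iif"
    fi
    # Rules after the divert see translated addresses, so the inbound
    # mail rule matches the internal server, not the public address.
    ${fwcmd} add 400 allow tcp from any to any established
    ${fwcmd} add 410 allow tcp from any to "$mail" 25 setup in via "$oif"
    ${fwcmd} add 420 deny log tcp from any to any in via "$oif" setup
    ${fwcmd} add 430 allow tcp from any to any setup
    ${fwcmd} add 440 allow udp from any to any 53
    ${fwcmd} add 450 allow udp from any 53 to "$inet"
    ${fwcmd} add 65000 deny log ip from any to any
}

case "${1:-}" in
    start)
        start_natd_outside
        [ -n "${use_inside_natd:-}" ] && start_natd_inside
        load_rules
        ;;
    preview)
        fwcmd=echo
        load_rules
        ;;
esac
```

`sh ipfw.rules preview` prints the rules without touching the firewall; `sh ipfw.rules start` starts natd and loads them on the router, and `use_inside_natd=1 sh ipfw.rules start` adds the second natd instance and its divert rule. Because ipfw resumes at the rule after the divert with the translated packet, the inbound mail rule is written against 192.168.1.10, not the public address.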