Date: Fri, 12 Apr 2002 08:33:36 +0000 (GMT)
From: "Forrest W. Christian" <forrestc@imach.com>
To: Tom Wiebe <twiebe@mac.com>
Cc: isp@FreeBSD.ORG
Subject: Re: Bind and FTP Behind NAT??
Message-ID: <20020412082256.F25394-100000@workhorse.imach.com>
In-Reply-To: <D67047B8-4DE7-11D6-8BFA-0030658FC1FC@mac.com>
On Fri, 12 Apr 2002, Tom Wiebe wrote:

> I tried the archives and they seem to be down at the moment. I'm just
> patiently awaiting the installation of my SDSL connection and learned
> today that the preferred setup with my provider is to use NAT at the
> router. In other words, my servers will be located on a local network such
> as 192.168.x.x but will have different public IP addresses.
>
> I'll be needing to run FTP and DNS service on these machines for the dozen
> or so domains that we host and it just occurred to me that this might
> require some additional configuration for these services.
>
> Can't seem to find any specifics at the moment, any pointers, tips, etc.
> you might be able to provide me with would be most appreciated.

There are two ways that they can do the translation. One is a 1:1 relationship between outside and inside addresses for the servers (i.e. all ports/protocols are translated inside). The second is "port and network address translation", which is where they punch specific ports to specific servers, i.e. port 80 on a specific outside address ends up going to a specific inside address port, and say port 53 (DNS) on the same outside address can go to a completely different port.

Either way, there isn't anything special to do on your servers. The caution is that you can only have one inside service running per port per outside address, i.e. if you have 3 "real" IPs you can't have 4 web servers on port 80 running on four different internal addresses.

One DNS caveat: in a lot of cases, NAT devices like to try to intelligently rewrite DNS packets. A better description would be "stupidly rewrite DNS packets". A case in point would be the Cisco 675, which tries to rewrite any DNS address response to some reasonable address, which is almost always wrong. If you are having problems with DNS being mangled, suspect the NAT box.

> While we're on the topic, is it time to think about moving up to Bind 9.x
> yet, or should I still stick with 8.3.x?
I'm running bind9 on ns01.backupdns.com and it seems to be working fine. There are some differences, but mostly related to some security cleanup and changes caused by different ways of doing things as a result.

- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
The Innovation Machine Ltd.                        P.O. Box 5749
http://www.imach.com/                              Helena, MT 59604
Home of PacketFlux Technologies and BackupDNS.com  (406)-442-6648
----------------------------------------------------------------------
Protect your personal freedoms - visit http://www.lp.org/
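Added example, not part of the thread or anything Forrest posted: a small Python check for the "NAT box rewrites DNS replies" caveat above. It parses the answer section of a raw DNS response and compares the A records against the public addresses the zone is supposed to publish, so a reply that came back with a substituted (e.g. inside 192.168.x.x) address is flagged as mangled. The response bytes are constructed in-process and the names and addresses are placeholders, not real hosts.

```python
import struct

def build_response(qname, answers, txid=0x1234):
    """Build a minimal DNS response carrying A records (constructed test data)."""
    def encode_name(name):
        labels = name.strip(".").split(".")
        return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    # Header: id, flags (QR|RD|RA), qdcount=1, ancount, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    rrs = b""
    for ip in answers:
        # 0xC00C = compression pointer back to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        rrs += bytes(int(octet) for octet in ip.split("."))
    return header + question + rrs

def skip_name(packet, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(packet):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        off = skip_name(packet, off) + 4     # name + qtype + qclass
    addrs = []
    for _ in range(an):
        off = skip_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

def check_for_mangling(packet, expected):
    """Compare answered addresses with the set the zone should publish."""
    got = set(parse_a_records(packet))
    expected = set(expected)
    return {"expected": sorted(expected), "got": sorted(got),
            "unexpected": sorted(got - expected), "mangled": got != expected}
```

In practice you would feed `check_for_mangling` the bytes of a reply captured on each side of the NAT device (or from an outside resolver) for your own zone; if the outside view carries addresses you never published, the translation box is the suspect.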
