Date:      Tue, 6 Jan 2004 14:16:40 -0800 (PST)
From:      Terry Singh <terrysingh@yahoo.com>
To:        horio shoichi <bugsgrief@bugsgrief.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: arp request problem with firewall
Message-ID:  <20040106221640.80956.qmail@web40704.mail.yahoo.com>
In-Reply-To: <20031231.041325.ffcbd3fce0f52dd7.10.0.3.9@bugsgrief.net>

thanks for the reply. i have not checked up on item 2 but the redirection
problem has a solution outlined at
http://www.openbsd.org/faq/pf/rdr.html#rdrnat
which actually works.
this method means for every redirected server that has a public address on the
external interface on the firewall, i would need 2 sets of rdr rules: 1 for the
mapping/redirecting from LAN to WAN interface and another for just the LAN
interface itself (for every time a LAN server asks for resources using the
external address of another server in its LAN segment).

i will post further on the ftp problem i am having, i hope.

--- horio shoichi <bugsgrief@bugsgrief.net> wrote:
> On Mon, 29 Dec 2003 16:30:40 -0800 (PST)
> Terry Singh <terrysingh@yahoo.com> wrote:
> > this is my first post to freebsd questions.
> > 
> > MY NETWORK
> > 
> > Internet -- WAN_IF | FIREWALL - 5.1 RELEASE | LAN_IF -- LAN network
> > 
> > The WAN_IF has several public addresses as aliases. I have about 20 servers in
> > the LAN that require various services allowed to the public Internet.
> > 
> > I basically am doing a "bimap" one to one mapping per server in the LAN.
> > This all works great, meaning I can surf etc etc from any LAN server to the
> > Internet and also, from the Internet I can get published services on LAN
> > servers.
> > 
> > Here's the problem:
> > I already mentioned that each server with a 192.168.50.x address is "bimap"ed
> > to a public address. The problem is that if I am on any of the LAN servers, and
> > want to connect to the public address of a server in the LAN, I CANNOT.
> > Now first off, I could connect using private addresses and of course this works
> > like it should. But our applications have real DNS names coded in the apps so I
> > need this to work.
> > 
> > I know it has something to do with proxy arp so I even tried placing this line
> > in sysctl.conf: net.link.ether.inet.proxyall=1
> > no luck.
> > 
> > ANY IDEAS?
> > 
> > --------------
> > Second problem
> > One of the LAN servers is an FTP server. From the Internet, I can only connect
> > using ACTIVE MODE even though I allow both 20/21/tcp inbound. Here's what
> > happens when passive mode is used: The initial connection is accepted, but then
> > the server sends its private address instead of its proper public address! Of
> > course it's not gonna work! So I forced active mode and voila! it worked.
> > What's the fix for this bugger? I know outbound FTP has some built-in proxy ftp
> > in freebsd but what about inbound?
> > 
> > thanks, tsingh.
> > 
> 
> 1. A network configuration like yours is known not to work. The reason and
> workarounds are best detailed here.
> 
> 	http://www.openbsd.org/faq/pf/rdr.html#reflect
> 
> 2. The wu-ftp and proftp have the ability to advertise an arbitrary address.
> There may be others, but I don't know.
> 
> horio shoichi
> 

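The two rule sets Terry describes (one mapping on the WAN side, a second redirect plus source translation on the LAN side), written out as an added pf.conf fragment. This is not code from the thread or from the OpenBSD FAQ; the interface names, the 203.0.113.10/192.168.50.10 pair and port 80 are assumed, and the syntax is the older rdr/nat/binat form in use when this was posted.

```pf
ext_if   = "fxp0"            # WAN_IF (assumed interface name)
int_if   = "fxp1"            # LAN_IF (assumed interface name)
int_net  = "192.168.50.0/24"
srv_pub  = "203.0.113.10"    # alias on $ext_if (assumed documentation address)
srv_priv = "192.168.50.10"   # the LAN server behind that alias (assumed)

# Set 1: the one-to-one mapping on the WAN side (what "bimap" did in ipnat).
# Inbound to the public alias reaches the LAN server; outbound from the server
# leaves with the public alias as its source.
binat on $ext_if from $srv_priv to any -> $srv_pub

# Set 2: the same public address hit from inside the LAN. Without this rule the
# firewall never sees the session as a translated one, so the server's reply
# comes straight back with a source the client did not connect to.
rdr on $int_if proto tcp from $int_net to $srv_pub port 80 -> $srv_priv

# Rewrite the client's source to the firewall's LAN address so the server
# answers the firewall, which then reverses both translations. Traffic from
# the firewall itself is excluded so it is not rewritten.
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $srv_priv port 80 -> $int_if

# Filter rules see post-translation addresses, so they pass the private one.
pass in on $int_if proto tcp from $int_net to $srv_priv port 80 keep state
pass in on $ext_if proto tcp from any to $srv_priv port 80 flags S/SA keep state
```

This addresses only the reflection problem; the passive-FTP failure in the second question comes from the server writing its private address into the PASV reply, which these rules never touch, hence the pointer to an ftpd that can advertise its public address.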
