Date: Tue, 07 Mar 2000 10:39:53 -0500
From: Matthew Hagerty <matthew@venux.net>
To: isp@freebsd.org
Subject: POP3 proxy possible?
Message-ID: <4.2.2.20000307101901.00a20200@mail.venux.net>
Greetings,

I was wondering if there is a way to proxy a port, specifically pop3(110),
to another computer. Something like:

"If a connection comes in on my port 110, forward to ip:port"

What I have is a firewall setup like this:
  Internet
      |
      |
  +--------+                            +---------+
  | router |                            | Bastion |
  +--------+                            +---------+
      |          Perimeter Network           |
      +--------------------------------------+
        Real IP assignment            |
                                      |
                                +-----------+
                                | Firewall  |
                                | NATd IPFW |
                                +-----------+
                                      |
   +----------------------------------+
   |  Fake IP assignment 10.0.0.0/24
+------+
| pop3 |
+------+
I need to enable external access of pop3 (I know, I know, but it is not my
decision).

The first problem is that an external pop3 client cannot route to a fake
IP, so they have to pop3 to a real host, i.e. the bastion. The bastion
would then forward the request to the firewall machine which knows how to
route to the internal server. The bastion host also has a static route so
it knows that 10.0.0.0/24 should be routed to the firewall.

The second problem is that the firewall will only accept packets from the
bastion host, so external pop3 clients cannot connect directly to the
firewall machine to have the pop3 request forwarded.

What I thought I needed was a simple "port pass-through" program of some
sort. I thought NATd could do this with the -reverse, -proxy_only, and
-proxy_rule parameters, but I could not get it to work. I could not find
any other docs or examples on NATd other than the man page; are there any?

One other thing, can NATd be run without IPFIREWALL? In this case I don't
need a firewall, so can I leave the option out of my kernel and just use
IPDIVERT?

Any insight would be greatly appreciated!

Thank you,
Matthew Hagerty
