From owner-freebsd-questions Wed Sep 20 0:40:31 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id D402137B43C for ; Wed, 20 Sep 2000 00:40:29 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 20 Sep 2000 00:39:20 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e8K7eLS18879; Wed, 20 Sep 2000 00:40:21 -0700 (PDT) (envelope-from cjc)
Date: Wed, 20 Sep 2000 00:40:20 -0700
From: "Crist J . Clark"
To: Kanji T Bates
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: internal to internal via natd external redirect_port
Message-ID: <20000920004020.V367@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from bates@jurai.net on Wed, Sep 20, 2000 at 02:37:42AM -0400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Sep 20, 2000 at 02:37:42AM -0400, Kanji T Bates wrote:
> I'm having great difficulty trying to get any of my internal machines to
> talk to services handled via a natd redirect_port even though boxes coming
> at me from my external interface have no problems whatsoever.
>
> Is there any way for me to get around this so that I could (for example)
> have box 10.10.10.10 reach the web server running on 10.10.10.20 via
> the NAT's external IP of 192.168.0.1 ?

This is a known "problem." I hesitate to call it such because everything is working as it should. When you send a packet to 192.168.0.1, it arrives on the internal interface and runs through the rules. It likely is accepted at some rule. Now, the packet is accepted by the machine... We're done. There is no reason for the packet to be routed out of the external interface since it was destined for this machine.

Since it never goes through the firewall rules while being processed on the external interface, it never is accepted by the divert rule. There are ways to hack it to get this to work, but it is generally pretty ug-oh-ly. Do you _really_ wanna do this?

-- 
Crist J. Clark                                cjclark@alum.mit.edu
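The point in the reply above is about which ipfw rule a packet hits, so here is an added toy model of ipfw first-match evaluation (example code, not FreeBSD's ipfw or natd and not from anyone in the thread). It assumes fxp0 is the external interface and fxp1 the internal one, uses the thread's addresses (alias 192.168.0.1, client 10.10.10.10), and a constructed outside address 203.0.113.5. With the usual ruleset, where the divert rule is bound to the external interface, the outside packet is diverted but the inside packet never is: it falls through to the allow rule and is delivered locally. The extra "hairpin" divert rule on the internal interface is one assumed form of the hack the reply mentions; on its own it only fixes the forward direction, since the web server's replies would then go straight back to 10.10.10.10 from 10.10.10.20 unless the source address is translated as well, which is part of why it gets ugly.

```python
"""Toy model of ipfw first-match rule evaluation (added example, not ipfw itself).

Assumed interface names: fxp0 = external, fxp1 = internal.
Addresses are taken from the thread; 203.0.113.5 is a constructed outside host.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

EXT_IF, INT_IF = "fxp0", "fxp1"
ALIAS = "192.168.0.1"          # natd alias (the "external IP" in the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str        # interface the packet is seen on
    direction: str    # "in" or "out" relative to that interface


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "divert natd" or "allow"
    src: str                         # CIDR or "any"
    dst: str
    iface: Optional[str] = None      # "via <if>" qualifier, None = any interface
    direction: Optional[str] = None  # "in" / "out", None = either direction


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.direction is None or rule.direction == pkt.direction))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """ipfw semantics: lowest-numbered matching rule wins; no match = default deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule
    return None


# The ruleset implied by the thread: natd divert only on the external interface.
BASIC_RULES = [
    Rule(100, "divert natd", "any", "any", EXT_IF),
    Rule(65000, "allow", "any", "any"),
]

# Outside host -> alias, arriving on fxp0: hits the divert rule, natd redirects it.
external_client = Packet("203.0.113.5", ALIAS, EXT_IF, "in")
# Inside host -> alias, arriving on fxp1: never touches fxp0, so never diverted.
internal_client = Packet("10.10.10.10", ALIAS, INT_IF, "in")


def hairpin_rules() -> List[Rule]:
    """Assumed hack: also divert internal traffic aimed at the alias address."""
    return BASIC_RULES + [Rule(90, "divert natd", "10.10.10.0/24", ALIAS, INT_IF, "in")]


def rule_hit(rules: List[Rule], pkt: Packet) -> int:
    """Return the rule number a packet matches (0 = default deny)."""
    r = first_match(rules, pkt)
    return r.number if r else 0


if __name__ == "__main__":
    for name, pkt in (("external", external_client), ("internal", internal_client)):
        print(f"{name}: basic -> rule {rule_hit(BASIC_RULES, pkt)}, "
              f"hairpin -> rule {rule_hit(hairpin_rules(), pkt)}")
```

Running it shows the external packet matching rule 100 under both rulesets, while the internal packet matches the plain allow rule 65000 in the basic set and only reaches a divert rule (90) once the extra internal-interface rule is added.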