From owner-freebsd-security Tue May 14 12:44:13 2002
Delivered-To: freebsd-security@freebsd.org
Received: from infinitive.futureperfectcorporation.com (infinitive.futureperfectcorporation.com [196.25.137.68]) by hub.freebsd.org (Postfix) with SMTP id F28F937B406 for ; Tue, 14 May 2002 12:43:58 -0700 (PDT)
Received: (qmail 61628 invoked by uid 0); 14 May 2002 19:43:06 -0000
Received: from unknown (HELO gerund.futureperfectcorporation.com) (196.25.137.65) by infinitive.futureperfectcorporation.com with DES-CBC3-SHA encrypted SMTP; 14 May 2002 19:43:06 -0000
Received: (qmail 89358 invoked by uid 1001); 14 May 2002 19:43:12 -0000
Date: Tue, 14 May 2002 21:43:11 +0200
From: Neil Blakey-Milner
To: Miroslav Pendev
Cc: Aragon Gouveia, freebsd-security@freebsd.org
Subject: Re: ipfw + nat + port_redirect - works, but not for the internal net
Message-ID: <20020514194311.GA89260@mithrandr.moria.org>
References: <030301c1fb56$ef9fefc0$c801a8c0@vsivyoung> <005501c1fb70$bb32ebb0$01000001@aragon> <042e01c1fb75$048699c0$c801a8c0@vsivyoung> <001101c1fb79$de1aafb0$01000001@aragon> <046401c1fb7d$4d0f32d0$c801a8c0@vsivyoung>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <046401c1fb7d$4d0f32d0$c801a8c0@vsivyoung>
User-Agent: Mutt/1.3.27i
Organization: iTouch Labs
X-Operating-System: FreeBSD 4.3-RELEASE i386
X-URL: http://mithrandr.moria.org/nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue 2002-05-14 (15:26), Miroslav Pendev wrote:
> Hi Aragon, thanks for the info
> I will take a look at data(and sock)pipe.
>
> > Personally, what I'd do is simply connect directly to 192.168.1.100 instead
> > of trying to go via your freebsd gateway.
>
> Yes, the direct access to 192.168.1.100:80 is OK!
> But here is what I have:
>
> Web server in *Internet* is serving web pages with some forms and then
> the data is sent to the internal (behind the firewall)
> apache + php server.
> Everything works just perfectly for the clients
> (hosts from internet) but it doesn't work for the people
> in the internal network. I do not want to make a mirror
> site only because I don't know (for now) how to get this
> working.
>
> Thanks anyway!

Basically, I think you just need to make sure you NAT the traffic arriving
on the internal interface. For example, if you have:

  add 7000 divert natd ip from any to any via ${extif}

You probably need:

  add 7000 divert natd ip from any to any via ${extif}
  add 7005 divert natd ip from any to any via ${intif}

I could be entirely wrong, but this works for me in about 12 installations.

Just make sure you're using 'unregistered_only', or some things get a bit
confusing - "double NAT" causing all traffic to end up being from the alias
address, not the specific redirect_address.

Neil
--
Neil Blakey-Milner
nbm@mithrandr.moria.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
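The two-interface divert setup Neil describes, written out as a complete rc.firewall-style fragment. This is an added example and not code from the thread; the interface names fxp0 and fxp1, the 192.168.1.0/24 LAN, the 192.168.1.100 web server, the rule numbers and the script name hairpin.sh are assumptions chosen for illustration. The comments trace why the second divert rule makes the hairpin work, and the caveat that comes with it: once a LAN client's connection is aliased on its way to the web server, the server's logs show the gateway's alias address rather than the client's real address.

```shell
#!/bin/sh
# Added example (not from the original thread): hairpin/loopback NAT with
# ipfw + natd, so LAN hosts can reach the public alias address of a
# redirect_port just like Internet hosts do.  All names below are assumed.

extif="${extif:-fxp0}"                 # assumed: public interface
intif="${intif:-fxp1}"                 # assumed: LAN interface
web_srv="${web_srv:-192.168.1.100}"    # assumed: internal apache+php box
int_net="${int_net:-192.168.1.0/24}"   # assumed: LAN prefix

# natd(8) options.  -n takes the alias address from ${extif};
# -redirect_port forwards alias:80 to the web server; -unregistered_only
# makes natd alias only packets whose source is an RFC 1918 address, so
# traffic already carrying a public source address is not translated a
# second time when it crosses ${intif}.
natd_flags() {
    echo "-n ${extif} -unregistered_only -same_ports"
    echo "-redirect_port tcp ${web_srv}:80 80"
}

# ipfw ruleset.  Rule 7000 is the usual external divert.  Rule 7005 is the
# one missing from the original setup: a LAN client sending to the alias
# address arrives on ${intif} and is diverted inbound (destination rewritten
# to the web server), is routed back out ${intif} and diverted again
# outbound (source rewritten to the alias address, because it is private).
# That second rewrite is what forces the server's reply back through the
# gateway, where natd undoes both translations, instead of letting the
# server answer the client directly with a source address the client never
# connected to.  Both rules hand packets to the same natd instance on the
# default divert port, and the filter rules below see translated addresses.
fw_rules() {
    echo "add 100 allow ip from any to any via lo0"
    echo "add 7000 divert natd ip from any to any via ${extif}"
    echo "add 7005 divert natd ip from any to any via ${intif}"
    echo "add 7100 allow tcp from any to ${web_srv} 80"
    echo "add 7200 allow ip from ${int_net} to any"
    echo "add 7300 allow tcp from any to any established"
    echo "add 65000 deny log ip from any to any"
}

# Sanity check used before loading: the hairpin only works when natd sees
# the packet on both interfaces.  Returns 0 if both divert rules are present.
ruleset_is_hairpin_capable() {
    fw_rules | grep -q "divert natd ip from any to any via ${extif}" &&
        fw_rules | grep -q "divert natd ip from any to any via ${intif}"
}

# Load natd and the ruleset (root on the FreeBSD gateway).
apply() {
    ruleset_is_hairpin_capable || { echo "ruleset lacks a divert on ${intif}" >&2; exit 1; }
    # shellcheck disable=SC2046
    /sbin/natd $(natd_flags | tr '\n' ' ')
    /sbin/ipfw -f flush
    fw_rules | while read -r rule; do
        # shellcheck disable=SC2086
        /sbin/ipfw ${rule}
    done
}

case "${1:-}" in
    start) apply ;;
    show)  natd_flags; fw_rules ;;
esac
```

`sh hairpin.sh show` prints the natd flags and rules that would be loaded; `sh hairpin.sh start` loads them. Keep in mind that with this layout every hairpinned connection reaches the web server with the alias address as its source, so per-client logging or access control on the server has to rely on something other than the peer address for LAN users.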