From owner-freebsd-questions@FreeBSD.ORG Thu Sep 25 23:51:28 2008
From: "Tim Gustafson"
To: freebsd-questions@freebsd.org
Date: Thu, 25 Sep 2008 16:31:47 -0700
Message-ID: <5A97CB869CB943CA9C29606D8E52DF5E@soe.cse.ucsc.edu>
Subject: NATD Reverse Proxy

Hi,

I'm trying to build a server that will act as a gateway between my wireless network and the rest of the world. Here's an overview of the current setup:

1. FreeBSD 7.1
2. isc-dhcp3-server-3.0.5_2
3. natd configured to connect fxp0 (public network, dynamic IP) to fxp1 (private network, static IP)
4. ipfw
5. bind
6. apache 2.2
7. php 5.2.6

Right now, when someone connects to the private net, they get an IP address and can connect to the Internet no problemo. So, this is all working so far.
What I'd like to do next is this: when someone obtains an IP address, I'm going to configure DHCP to block that IP using IPFW initially, and I'd like any requests that come from that IP to port 80 or 443 to be silently redirected to the local Apache installation, where the user can enter their login and password. Once they've been authenticated, the firewall will allow them to connect out to everywhere else.

So, it seems to me that I need to use natd again to do a silent proxy of traffic from certain IPs on the private net to the server box. But, since I'm already using natd, I'm a little perplexed about how to set this up. Do I need to run a second instance of natd on a different port, and then update the firewall rules to divert to one or the other based on the user's authentication status? Or can this all be configured in one natd instance?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354
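One way to wire up the portal described above, as an added example that is not part of the post or any reply on the list: rather than a second natd, the script keeps the existing natd divert for everyone and uses the ipfw `fwd` action to hand tcp/80 and tcp/443 from clients that are not yet in ipfw table 1 to the local Apache; the login handler then adds the client to the table. The private-side address 192.168.1.1, table number 1 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the list post. Clients absent from ipfw
# table $AUTH_TABLE are "unauthenticated": their web traffic is forwarded
# to Apache on the gateway; everything else of theirs is denied. Clients in
# the table fall through to the normal natd path. Assumed: fxp1 is
# 192.168.1.1 and Apache is bound to it. FreeBSD 7 needs the kernel option
# IPFIREWALL_FORWARD for fwd. Forwarded HTTPS will show a cert mismatch.
GW_IP=${GW_IP:-192.168.1.1}
PUB_IF=${PUB_IF:-fxp0}
PRIV_IF=${PRIV_IF:-fxp1}
AUTH_TABLE=${AUTH_TABLE:-1}

# Print the rule set in the form "ipfw -q <file>" reads, for review first.
portal_rules() {
    cat <<EOF
flush
add 100 allow ip from any to any via lo0
add 200 divert natd ip from any to any via $PUB_IF
add 300 allow udp from any 68 to any 67 in via $PRIV_IF
add 310 allow udp from any to $GW_IP 53 in via $PRIV_IF
add 320 allow tcp from any to $GW_IP 80,443 in via $PRIV_IF
add 400 fwd $GW_IP,80 tcp from not table($AUTH_TABLE) to any 80 in via $PRIV_IF
add 410 fwd $GW_IP,443 tcp from not table($AUTH_TABLE) to any 443 in via $PRIV_IF
add 420 deny ip from not table($AUTH_TABLE) to any in via $PRIV_IF
add 500 allow ip from any to any
EOF
}

# Load the rule set from a temp file so ipfw sees it as one unit.
portal_apply() {
    tmp=$(mktemp) || return 1
    portal_rules >"$tmp" && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Login handler calls authorize on success; lease expiry calls revoke.
# The table membership is what moves a client off the fwd/deny rules.
portal_authorize() { ipfw -q table "$AUTH_TABLE" add "$1"; }
portal_revoke()    { ipfw -q table "$AUTH_TABLE" delete "$1"; }

case "${1:-}" in
    apply)  portal_apply ;;
    auth)   portal_authorize "$2" ;;
    revoke) portal_revoke "$2" ;;
    *)      portal_rules ;;   # default: only print the rules
esac
```

Rules 300 to 320 let an unauthenticated client get a lease, resolve names and reach the portal itself; without them the browser never gets as far as the redirect.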