From: Kevin Kinsey <kdk@daleco.biz>
Date: Thu, 25 Sep 2008 22:59:29 -0500
To: Tim Gustafson
Cc: freebsd-questions@freebsd.org
Subject: Re: NATD Reverse Proxy

Tim Gustafson wrote:
> Hi,
>
> I'm trying to build a server that will act as a gateway between my wireless
> network and the rest of the world. Here's an overview of the current setup:
>
> 1. FreeBSD 7.1
> 2. isc-dhcp3-server-3.0.5_2
> 3. natd configured to connect fxp0 (public network, dynamic IP) to fxp1
>    (private network, static IP)
> 4. ipfw
> 5. bind
> 6. apache 2.2
> 7. php 5.2.6
>
> Right now, when someone connects to the private net, they get an IP address
> and can connect to the Internet no problemo. So, this is all working so
> far.
>
> What I'd like to do next is this:
>
> When someone obtains an IP address, I'm going to configure DHCP to block
> that IP using IPFW initially, and I'd like any requests that come from that
> IP to port 80 or 443 to be silently redirected to the local Apache
> installation, where the user can enter their login and password. Once
> they've been authenticated, the firewall will allow them to connect out to
> everywhere else.
>
> So, it seems to me that I need to use natd again to do a silent proxy of
> traffic from certain IPs on the private net to the server box. But, since
> I'm already using natd, I'm a little perplexed about how to set this up. Do
> I need to run a second instance of natd on a different port, and then update
> the firewall rules to divert to one or the other based on the user's
> authentication status? Or can this all be configured in one natd instance?
>
> Tim Gustafson
> SOE Webmaster
> UC Santa Cruz
> tjg@soe.ucsc.edu
> 831-459-5354

Someone else's wheel, for perusal, at least:

http://www.shmoo.com/~bmc/software/wicap/announce.html

The tarball is still up there.

HTH,

Kevin Kinsey

--
If you do not think about the future, you cannot have one.
		-- John Galsworthy
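The redirect Tim describes (web traffic from not-yet-authenticated LAN clients delivered to the gateway's own Apache, everything else blocked until login, then normal NAT) can be expressed in ipfw alone. The ruleset below is an added example written for this page; it is not code from the thread or from wicap. It assumes fxp1 carries 192.168.1.0/24 with the gateway at 192.168.1.1, Apache listening on the gateway, the existing natd divert on fxp0, and ipfw table 1 holding the addresses of authenticated clients (the login CGI would add them; none of these names or addresses come from the thread). An ipfw `fwd` rule whose target is a local address hands the packet to the local socket, so no second natd instance is needed; on FreeBSD 7 the kernel must be built with `options IPFIREWALL_FORWARD` for `fwd` to work. `${fwcmd}` follows the /etc/rc.firewall convention, so setting `fwcmd="echo ipfw"` prints the rules instead of loading them.

```sh
#!/bin/sh
# Captive-portal ipfw ruleset (added example, not from the thread).
# Assumed topology: fxp0 public/NAT, fxp1 = 192.168.1.0/24, gateway 192.168.1.1.
# fwcmd mirrors /etc/rc.firewall; override with fwcmd="echo ipfw" for a dry run.

fwcmd=${fwcmd:-"/sbin/ipfw"}
lan_if="fxp1"
lan_net="192.168.1.0/24"
gw_ip="192.168.1.1"
auth_table=1

portal_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0

    # Every LAN client may reach the gateway's own services: DHCP, DNS, the portal.
    ${fwcmd} add 200 allow udp from any 68 to any 67 in via ${lan_if}
    ${fwcmd} add 210 allow udp from ${lan_net} to ${gw_ip} 53 in via ${lan_if}
    ${fwcmd} add 220 allow tcp from ${lan_net} to ${gw_ip} 80,443 in via ${lan_if}

    # Authenticated hosts (table 1) jump straight to the NAT rule.
    ${fwcmd} add 300 skipto 1000 ip from "table(${auth_table})" to any in via ${lan_if}

    # Everyone else: web traffic is handed to the local Apache via fwd
    # (kernel option IPFIREWALL_FORWARD on FreeBSD 7); the rest is dropped.
    ${fwcmd} add 400 fwd 127.0.0.1,80 tcp from ${lan_net} to any 80 in via ${lan_if}
    ${fwcmd} add 410 fwd 127.0.0.1,443 tcp from ${lan_net} to any 443 in via ${lan_if}
    ${fwcmd} add 490 deny ip from ${lan_net} to any in via ${lan_if}

    # Existing NAT for whatever got this far.
    ${fwcmd} add 1000 divert natd ip from any to any via fxp0
    ${fwcmd} add 1100 allow ip from any to any
}

# Called by the login CGI after a successful password check.
portal_authorize() {
    ${fwcmd} table ${auth_table} add "$1"
}

# Called on logout or when the DHCP lease for the address expires.
portal_revoke() {
    ${fwcmd} table ${auth_table} delete "$1"
}

case "${1:-}" in
    rules)  portal_rules ;;
    auth)   portal_authorize "$2" ;;
    revoke) portal_revoke "$2" ;;
esac
```

Two caveats a deployment has to live with: forwarding port 443 to the portal produces a certificate-name mismatch in the browser, since the portal's certificate cannot match whatever site the client asked for, so most portals intercept only port 80 and let 443 fail closed. And an authorization keyed on IP address is only as strong as the DHCP lease: whoever next holds (or spoofs) that address inherits the session, so table entries should be tied to the lease and removed on expiry or logout, or bound to the MAC with ipfw layer2 rules if a tighter binding is wanted.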