Date: Thu, 26 Oct 2000 11:31:27 -0700 (PDT)
From: Benjamin Gavin <virtual_olympus@yahoo.com>
To: freebsd-net@freebsd.org
Subject: Firewall "loopback" routing
Message-ID: <20001026183127.14688.qmail@web312.mail.yahoo.com>
Hi all,

I haven't been able to find the answer in the archives, so I'll ask the question here. The following is my current setup:

    Internet <--> FreeBSD FW (ipfw + natd) <--> Internal net (172.16.x.y)

I have natd rules set up to forward web requests on a certain IP to one of the machines on the internal network. I have also assigned a hostname (say foo.bar.com) to this IP. From outside of the firewall I can get to http://foo.bar.com/, but from inside, I cannot.

My temporary solution to this is to set up an internal DNS server which serves up internal addresses to internal hosts, while the standard DNS server serves up the regular address to external hosts. So now both the internal and external people can get to http://foo.bar.com/. The problem is that this is a humongous pain in the a## to administer. First off, I can't just override the hosts that should have both internal and external addresses; I must provide addressing for the entire domain (bar.com) on both the internal and external DNS servers. Second, it is hard to troubleshoot from the inside, since I may have the ability to see the server from the inside, but the FW rules may be such that I can't see it from the outside.

There are a number of firewall products that provide "loopback" processing, meaning that I could just type in the external address (e.g. 123.123.123.123) from behind the firewall and it would take care of routing the request through NAT, then back into the internal network for processing, and perform the reverse translation back again. Does FreeBSD support this type of "loopback" processing?

Here's what I've tried so far (in lieu of real loopback processing): configure a second instance of natd, running on the inside interface and processing the same ruleset. After changing ports, I can get it to a point where the requester asks for the external host, but then gets the correct response back from the internal responder directly, so the requester doesn't recognize the responder as the host to which it submitted the request. I can watch all the packets go out, get translated, get responded to, but the connection never happens because of the discrepancy. No matter how I pictured this in my head, it was impossible for me to get the internal server to respond back through the firewall because it believes (rightly so) that it can respond to the requester directly.

Any ideas??

Thanks,
Benjamin Gavin
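The failure the poster describes is the classic hairpin (NAT "loopback") problem: the firewall rewrites the destination of the internal client's request to the internal server, but the server's reply is addressed to a host on its own subnet and is delivered directly, so the client receives a reply from 172.16.x.y when its socket is waiting on the external address. Firewalls that offer "loopback" processing also rewrite the client's source address to the firewall's own inside address for such flows, which forces the reply back through the NAT where both translations can be undone. The model below is an added example written for this page, not code from the original message or from natd/ipfw; the addresses, ports and the simplified state table are constructed for illustration, and the second path (source translation) is the generic hairpin technique, not something the poster's configuration does.

```python
"""Model of destination-only NAT versus hairpin (destination + source) NAT.

Added example, not code from the original message. All addresses, ports
and the state-table layout below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed topology (assumption; not taken from the post)
EXTERNAL_IP = "203.0.113.10"     # public address that foo.bar.com resolves to
FW_INTERNAL_IP = "172.16.0.1"    # firewall's inside interface
SERVER_IP = "172.16.0.20"        # internal web server behind the redirect
CLIENT_IP = "172.16.0.55"        # internal client browsing to http://foo.bar.com/
WEB_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Minimal stateful NAT with one port redirect.

    masquerade_hairpin=False reproduces destination-only translation (what a
    plain redirect does); True additionally rewrites the client's source to
    the firewall's inside address so the reply must come back through us.
    """

    def __init__(self, masquerade_hairpin: bool):
        self.masquerade_hairpin = masquerade_hairpin
        self.redirects = {(EXTERNAL_IP, WEB_PORT): (SERVER_IP, WEB_PORT)}
        # (translated src, sport, server, port) -> (client, cport, external, eport)
        self.sessions = {}
        self.next_port = 40000

    def forward(self, pkt: Packet) -> Packet:
        """Client -> firewall. Returns the packet as the server will see it."""
        target = self.redirects.get((pkt.dst, pkt.dport))
        if target is None:
            return pkt
        src, sport = pkt.src, pkt.sport
        if self.masquerade_hairpin:
            src, sport = FW_INTERNAL_IP, self.next_port   # source translation
            self.next_port += 1
        self.sessions[(src, sport, *target)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(src, sport, *target)

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        """Server reply arriving at the firewall: undo both translations."""
        orig = self.sessions.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None                                   # no state: drop
        client, cport, ext, eport = orig
        return Packet(ext, eport, client, cport)


def server_reply(request: Packet) -> Packet:
    """The server knows nothing about NAT; it just swaps the endpoints."""
    return Packet(request.dst, request.dport, request.src, request.sport)


def route_reply(reply: Packet, fw: Firewall) -> Optional[Packet]:
    """Internal hosts share a subnet: a reply addressed to a 172.16.x.y client
    is delivered directly and never transits the firewall. Only a reply
    addressed to the firewall itself gets reverse-translated."""
    if reply.dst == FW_INTERNAL_IP:
        return fw.reverse(reply)
    return reply


def client_accepts(reply: Packet, request: Packet) -> bool:
    """A TCP stack matches a reply against the exact 4-tuple it sent to."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)


def hairpin_attempt(masquerade: bool) -> Tuple[bool, Optional[Packet]]:
    """Run one request from the internal client to the external address.
    Returns (client accepted the reply, the reply as the client saw it)."""
    fw = Firewall(masquerade)
    request = Packet(CLIENT_IP, 51000, EXTERNAL_IP, WEB_PORT)
    at_server = fw.forward(request)
    delivered = route_reply(server_reply(at_server), fw)
    accepted = delivered is not None and client_accepts(delivered, request)
    return accepted, delivered


if __name__ == "__main__":
    for masq in (False, True):
        ok, seen = hairpin_attempt(masq)
        print(f"source translation={masq}: client accepted={ok}, reply seen={seen}")
```

With destination-only translation the client receives a reply whose source is 172.16.0.20:80 rather than 203.0.113.10:80, so the connection never completes; with the client's source rewritten to the firewall's inside address the reply comes back through the NAT and is restored to the external 4-tuple the client expects. The cost of the second path is that the server logs every hairpinned request as coming from the firewall's inside address, which is the usual trade-off of this technique.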