From: Marc Hunter
To: Nick Rogness, "Jack L. Stone"
Cc: wolf
Date: Thu, 10 Oct 2002 15:56:06 -0700
Subject: Re: ipfw and natd during internal to internal access ...
In-Reply-To: <20021010161251.J2374-100000@skywalker.rogness.net>
References: <3.0.5.32.20021010170043.012cd790@mail.sage-one.net>

Thank you all for your responses so far.

We tried the divert option and it almost worked :> We can see that the packet got NATted, but the request still times out. From what I can gather, what is happening is that machine A (user) sent the packet to machine B (firewall), which sent the packet to machine C (internal web server), which responded with a packet to machine A; however, machine A was expecting its answer from machine B. (Assuming a TCP connection request must receive the response from the machine it was sent to...)
What is curious is that the NAT converted the 'to' address correctly but didn't change the 'from' address to the firewall address, as it does with outside traffic, so we could be missing something.

Our additional divert looks as follows:

    ipfw add divert natd log tcp from 192.168.0.0/24 to 24.70.100.100 80 in via rl1

Our natd.conf says:

    redirect_port tcp 192.168.0.129:80 80

(and the interface is set to rl0, which is the outside world).

> 1) Use another domain (point to inside)
> 2) Setup subdomain www.internal.domain.com

It actually is a subdomain which we are using, but neither of these options is feasible, as we need to have our website links the same whether a page is accessed internally or externally...

> 3) Setup nameserver to respond differently depending on source IP

I suppose if there is no other way we will have to consider this, but we hadn't counted on having to do this :<

> 4) Run a proxy server

This whole project is to get rid of our Wingate proxy, a hardware firewall and a Linux firewall, so we were hoping to avoid this (thus the use of NAT).

Someone suggested using the ipfw fwd command, which we will try, but I suspect it will present the same problem as the divert above...

Here are some questions which may reveal our ignorance:

Can you 'attach' natd to both the internal and external interfaces? Perhaps have two copies running, and the one on the internal interface would only get triggered by the divert rule we added above? I suppose it would have to run on a different port in any case...

Would ipf and ipnat have a solution to this problem, or are they roughly the same thing with different syntax (insofar as basic firewall/NAT needs go)?

Thanks!

Marc
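Added illustration, not part of Marc's message and not natd's own code: a small Python model of the asymmetric path he describes. It uses the addresses from the post (24.70.100.100 as the firewall's outside address, 192.168.0.129 as the web server, 192.168.0.0/24 as the LAN) and assumes 192.168.0.1 as the firewall's inside address and 192.168.0.10 as the client. With redirect_port alone the server's SYN-ACK goes straight across the switch to the client from 192.168.0.129:80, not from the 24.70.100.100:80 the client connected to, so the client's TCP stack rejects it and the connection times out. The second run models what a hairpin setup needs in addition: the client's source must also be rewritten to an address on the firewall so the reply returns through the translator and is un-NATted on the way back. How to get real natd to do that second rewrite on the inside interface is exactly the open question in the post and is not answered by this model.

```python
"""Toy model of the hairpin-NAT failure in the post (not the real natd).

Addresses from the post: 24.70.100.100 (firewall outside), 192.168.0.129 (web
server), 192.168.0.0/24 (LAN). Assumed for the model: 192.168.0.1 as the
firewall's inside address and 192.168.0.10 as the client.
"""
from dataclasses import dataclass, replace
import ipaddress

EXTERNAL_IP = "24.70.100.100"   # firewall outside address (from the post)
WEB_SERVER = "192.168.0.129"    # internal web server (from the post)
LAN = ipaddress.ip_network("192.168.0.0/24")
FW_INSIDE = "192.168.0.1"       # assumed inside address of the firewall
CLIENT = "192.168.0.10"         # assumed internal client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class Natd:
    """Stand-in for one natd instance: redirect_port plus optional source aliasing."""

    def __init__(self, alias_address, redirect_port, alias_source=None):
        self.alias_address = alias_address
        self.redirect_port = redirect_port   # {dport: (target_ip, target_port)}
        self.alias_source = alias_source     # rewrite the client's source to this, or None
        self.sessions = {}                   # (alias_src, alias_port) -> original Packet
        self.next_port = 40000

    def toward_server(self, pkt):
        """Client -> alias address: apply redirect_port, then (hairpin only) alias the source."""
        target = self.redirect_port.get(pkt.dport)
        if pkt.dst != self.alias_address or target is None:
            return pkt
        redirected = replace(pkt, dst=target[0], dport=target[1])
        if self.alias_source is None:
            return redirected   # what the post observed: 'to' rewritten, 'from' untouched
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(self.alias_source, port)] = pkt
        return replace(redirected, src=self.alias_source, sport=port)

    def from_server(self, pkt):
        """Reply addressed to the firewall's aliased source: undo both translations."""
        orig = self.sessions.get((pkt.dst, pkt.dport))
        if orig is None:
            return pkt
        return Packet(src=orig.dst, sport=orig.dport,
                      dst=orig.src, dport=orig.sport, flags=pkt.flags)


def lan_deliver(reply, natd):
    """A reply to another LAN host goes straight over the switch and never reaches the
    firewall; only a reply addressed to the firewall itself passes through natd again."""
    if reply.dst == FW_INSIDE:
        return natd.from_server(reply)
    if ipaddress.ip_address(reply.dst) in LAN:
        return reply
    raise ValueError("reply left the LAN: " + reply.dst)


def run(hairpin):
    """Return (client_accepts, source_seen_by_client) for one SYN / SYN-ACK exchange."""
    natd = Natd(EXTERNAL_IP, {80: (WEB_SERVER, 80)},
                alias_source=FW_INSIDE if hairpin else None)
    syn = Packet(CLIENT, 51234, EXTERNAL_IP, 80, "SYN")
    at_server = natd.toward_server(syn)        # the 'divert ... in via rl1' leg
    synack = Packet(WEB_SERVER, 80, at_server.src, at_server.sport, "SYN-ACK")
    at_client = lan_deliver(synack, natd)
    # The client's TCP stack only matches a SYN-ACK against the 4-tuple it sent the SYN to.
    accepts = (at_client.dst, at_client.dport, at_client.src, at_client.sport) == \
              (syn.src, syn.sport, syn.dst, syn.dport)
    return accepts, at_client.src


if __name__ == "__main__":
    for mode in (False, True):
        print("hairpin" if mode else "redirect only", "->", run(mode))
```

Running it prints (False, '192.168.0.129') for the redirect-only case and (True, '24.70.100.100') for the hairpin case; the first tuple is the mismatch behind the timeout in the post.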