From owner-freebsd-questions Thu Oct 10 16:16:35 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 55AB337B401 for ; Thu, 10 Oct 2002 16:16:33 -0700 (PDT) Received: from skywalker.rogness.net (skywalker.rogness.net [64.251.173.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 65C4943EB3 for ; Thu, 10 Oct 2002 16:16:32 -0700 (PDT) (envelope-from nick@rogness.net) Received: from skywalker.rogness.net (localhost [127.0.0.1]) by skywalker.rogness.net (8.12.5/8.12.5) with ESMTP id g9ANKb0H003313; Thu, 10 Oct 2002 17:20:37 -0600 (MDT) (envelope-from nick@rogness.net) Received: from localhost (nick@localhost) by skywalker.rogness.net (8.12.5/8.12.5/Submit) with ESMTP id g9ANKZ4j003310; Thu, 10 Oct 2002 17:20:36 -0600 (MDT) X-Authentication-Warning: skywalker.rogness.net: nick owned process doing -bs Date: Thu, 10 Oct 2002 17:20:33 -0600 (MDT) From: Nick Rogness To: Marc Hunter Cc: "Jack L. Stone" , wolf , Subject: Re: ipfw and natd during internal to internal access ... In-Reply-To: <4.2.0.58.20021010153730.00d34270@192.168.0.64> Message-ID: <20021010171400.R2374-100000@skywalker.rogness.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, 10 Oct 2002, Marc Hunter wrote: > Thank you all for your responses so far. > > We tried the divert option and it almost worked :> > > We can see that the packet got natted but the request still times out. > From what I can gather what is happening is that machine A (user) sent > the packet to machine B (firewall) which sent the packet to machine C > (internal web server) which responded with a packet to machine A, > however machine A was expecting its answer from machine B. (Assuming a > tcp connection request must receive the response from the machine it was > sent to...) > > What is curious is that the nat converted the 'to' address correctly, > but didn't change the from address to the firewall address as it does > with outside traffic, so we could be missing something. Our additional > divert looks as follows: > > divert natd log tcp from 192.168.0.0/24 to 24.70.100.100 80 in via rl1 > > our natd.conf says: > > redirect_port tcp 192.168.0.129:80 80 > > (and the interface is set to rl0 which is the outside world). > > > 1) Use another domain (point to inside) > > 2) Setup subdomain www.internal.domain.com > > It actually is a subdomain which we are using, but neither of these > options is feasible as we need to have our website links the same > whether a page is accessed internally or externally... That is an HTML coding problem. You shouldn't be coding with full domain references in the HTML code. > > > 3) Setup nameserver to respond differently depending on source IP > > I suppose if there is no other way we will have to consider this, but we > hadn't counted on having to do this :< It's easy, just run an internal nameserver.... > > > 4) Run a proxy server > > This whole project is to get rid of our Wingate proxy, a hardware firewall > and a linux firewall, so we were hoping to avoid this (thus the use of nat). > > Someone suggested using the ipfw fwd command, which we will try, but I > suspect it will present the same problem as the divert above... > ipfw fwd will not work. > Here are some questions which may reveal our ignorance: > Can you 'attach' natd to both the internal and external > interfaces? > Perhaps have two copies running and the one on the internal > interface would only get triggered by the divert rule we added above? I > suppose it would have to run on a different port in any case... Yes, you could do this but it's not necessary and it's very ugly. Run an internal nameserver!! It's just that easy ;-P > Would ipf and ipnat have a solution to this problem or are they roughly > the same thing, different syntax (insofar as basic firewall/nat needs > go)? It's possible, I'm not familiar with ipf/ipnat. Nick Rogness - "Wouldn't it be great if we could answer people with a kick to the crotch?" -maddox@xmission.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message