From owner-freebsd-net@FreeBSD.ORG Tue Mar 9 20:27:37 2004
Date: Wed, 10 Mar 2004 15:34:18 +1100
From: ktulu@net2000.com.au
To: freebsd-net@freebsd.org
Subject: Re: natd interface alias question
Message-ID: <1078893258.404e9aca7c840@secure.net2000.com.au>
In-Reply-To: <1078880020.404e6714a1235@secure.net2000.com.au>
List-Id: Networking and TCP/IP with FreeBSD

> Hi All,
>
> I've been playing around with this for a few weeks now and searched Google
> endlessly, but still can't find a solution... I apologise in advance for the
> length of this post.
>
> Basically, I have a FreeBSD machine that acts as a proxy and web server to a
> web application we are currently developing.
> The machine is configured to serve up web pages via Apache on port 80, but
> forward any traffic requested on port 443 to another machine behind the
> firewall. Below are the relevant parts of the rc.conf file:
>
> network interfaces="fxp1 lo0"
> ifconfig_lo0="inet 127.0.0.1"
> ifconfig_fxp1="inet 192.168.1.10 netmask 255.255.0.0"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="fxp1"
> natd_flags="-l -m -redirect_port tcp 192.168.1.20:443 443"
>
> I have set the firewall to "allow ip any to any" for the sake of simplifying
> the problem. The configuration above works fine for one IP - when I request
> https://192.168.1.10/ it serves the page from 192.168.1.20. I have written a
> script to add another IP to the machine to perform the same task, which is
> where the problems begin. Basically the script issues the following commands:
>
> # Add the alias to fxp1
> ifconfig fxp1 inet 192.168.1.11 netmask 255.255.255.255 alias
>
> (still not sure why the subnet mask here has to be 0xffffffff, even if I
> specify fxp0, which is a physically different port, but anyway it works)
>
> # Create a natd instance for the newly configured IP:
> /sbin/natd -n fxp1 -port 8669 -m -redirect_port tcp 192.168.1.21:443 192.168.1.11 443
>
> # Restart the networking
> /etc/netstart
>
> As far as Apache is concerned this configuration is fine and it serves the
> correct page as configured in the VirtualHosts (on port 80). The problem is
> that if I request https://192.168.1.11/, the browser times out and does not
> serve the page from 192.168.1.21.
>
> Why is it that it works for one and not the aliased IP? natd does not bind to
> port 443 (at least nmap doesn't report it), so it's not that port 443 is
> already bound. Is natd/FreeBSD actually capable of such a configuration or am
> I just overlooking something fundamental?!? Any help would be much appreciated!
>
> Thanks,
> Leigh
>
> P.S - I'm running FreeBSD 4.8-RELEASE

One thing I forgot to add was the relevant ipfw rules that I have for the nat daemons:

00050 151 17284 divert 8668 ip from any to any via fxp1
00051 151 17284 divert 8669 ip from any to any via fxp1

Regards,
Leigh
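The two divert rules and two natd invocations quoted in this thread, fed through a small configuration audit. This is an added example, not code from the thread or from FreeBSD: it parses `ipfw show`-style divert lines and natd command lines (the first command line is rc.conf's natd_flags and natd_interface spelled out as argv, which is an assumption about how rc.conf invokes natd), then reports divert rules whose match clause is identical (ipfw re-injects a diverted packet after the diverting rule, so both rules fire on every matching packet), divert ports with no natd instance, and natd instances with no divert rule. The sample input is constructed from the post; `audit`, `parse_divert_rules` and `parse_natd` are hypothetical helper names.

```python
import re
import shlex

# Constructed sample input taken from the post: the two `ipfw show` lines and
# the two natd instances (the first written out as rc.conf would start it).
IPFW_SHOW = """\
00050 151 17284 divert 8668 ip from any to any via fxp1
00051 151 17284 divert 8669 ip from any to any via fxp1
"""
NATD_CMDLINES = [
    "/sbin/natd -n fxp1 -l -m -redirect_port tcp 192.168.1.20:443 443",
    "/sbin/natd -n fxp1 -port 8669 -m -redirect_port tcp 192.168.1.21:443 192.168.1.11 443",
]

# rule-number  pkts  bytes  divert <port>  <match clause>
DIVERT_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+divert\s+(\d+)\s+(.+)$")
NATD_DEFAULT_PORT = 8668  # natd(8) listens on divert port 8668 unless -p/-port is given
# natd options that take exactly one argument (see natd(8))
ONE_ARG = {"-p", "-port", "-n", "-interface", "-a", "-alias_address",
           "-f", "-config", "-t", "-target_address"}


def parse_divert_rules(text):
    """Parse `ipfw show` output, keeping only divert rules with their counters."""
    rules = []
    for line in text.splitlines():
        m = DIVERT_RE.match(line.strip())
        if m:
            rules.append({
                "num": int(m[1]), "pkts": int(m[2]), "bytes": int(m[3]),
                "port": int(m[4]), "match": " ".join(m[5].split()),
            })
    return rules


def parse_natd(cmdline):
    """Extract divert port, interface and -redirect_port clauses from a natd argv."""
    argv = shlex.split(cmdline)
    inst = {"port": NATD_DEFAULT_PORT, "interface": None, "redirects": []}
    i = 1
    while i < len(argv):
        opt = argv[i]
        if opt in ("-p", "-port"):
            inst["port"] = int(argv[i + 1]); i += 2
        elif opt in ("-n", "-interface"):
            inst["interface"] = argv[i + 1]; i += 2
        elif opt == "-redirect_port":
            # -redirect_port takes several positional words; consume up to the next option
            j = i + 1
            while j < len(argv) and not argv[j].startswith("-"):
                j += 1
            inst["redirects"].append(" ".join(argv[i + 1:j])); i = j
        elif opt in ONE_ARG:
            i += 2
        else:
            i += 1  # boolean flags such as -l, -m
    return inst


def audit(ipfw_text, natd_cmdlines):
    """Return a list of (kind, detail) findings about the divert/natd wiring."""
    rules = parse_divert_rules(ipfw_text)
    instances = [parse_natd(c) for c in natd_cmdlines]
    findings = []

    # Two divert rules with the same match clause: each matching packet is
    # diverted to the first natd, re-injected after that rule, then diverted
    # again to the second natd.
    by_match = {}
    for r in rules:
        prev = by_match.get(r["match"])
        if prev is None:
            by_match[r["match"]] = r
            continue
        note = (f"rules {prev['num']:05d} and {r['num']:05d} both match "
                f"'{r['match']}'; traffic is diverted to {prev['port']} and then {r['port']}")
        if (prev["pkts"], prev["bytes"]) == (r["pkts"], r["bytes"]):
            note += " (identical counters are consistent with both seeing every packet)"
        findings.append(("overlapping_divert", note))

    listening = {inst["port"] for inst in instances}
    diverted = {r["port"] for r in rules}
    for port in sorted(diverted - listening):
        findings.append(("orphan_divert", f"divert port {port} has no natd instance"))
    for port in sorted(listening - diverted):
        findings.append(("orphan_natd", f"natd on port {port} has no ipfw divert rule"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(IPFW_SHOW, NATD_CMDLINES):
        print(f"{kind}: {detail}")
```

On the thread's configuration the audit reports one finding: both rules match `ip from any to any via fxp1`, so every packet on fxp1 passes through the 8668 instance and then the 8669 instance, and the identical packet and byte counters on the two rules are consistent with that. Narrowing the second rule's match clause (for example, to traffic whose destination is the alias address) makes the overlap finding disappear, which the included test also checks.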