Date: Tue, 25 Feb 2003 08:59:20 +0200
From: "Rolf Mendelsohn" <rolf@digitaldivide.org.za>
To: "Guilherme J. R. Oliveira" <guilherme@nortenet.pt>
Cc: freebsd-isp@freebsd.org
Subject: Re: firewall/nat Web Hosting architecture
Message-ID: <3E5B3068.1066.2DFE64@localhost>
In-Reply-To: <20030225005636.4de408d9.guilherme@nortenet.pt>
Hi Guilherme,

I would question the design below and recommend that you install a third NIC in your FreeBSD firewall and run it like this:

              internet
                 |
              firewall
               /    \
      -- switch --  --switch--
       Desktops      Servers

This way your Servers LAN is separate from clients' PCs - this is also a more scalable design.

The servers LAN should use public IPs if possible & the clients can use NAT from the BSD machine. This is always less troublesome, especially if your BIND server is going to be a primary DNS server.

If it is impossible to redesign this network then you should do the following:

Alias some IPs in /etc/rc.conf:

ifconfig_rl0="inet 196.20.13.130 netmask 255.255.255.248"
ifconfig_rl0_alias0="inet 196.20.13.136 netmask 0xffffffff"
ifconfig_rl0_alias1="inet 196.20.13.137 netmask 0xffffffff"
ifconfig_rl0_alias2="inet 196.20.13.138 netmask 0xffffffff"

Run natd from a config file:

bash-2.05a$ grep natd /etc/rc.conf
natd_enable="YES"
natd_flags="-f /etc/natd.conf"

bash-2.05a$ head -n 4 /etc/natd.conf
alias_address 196.20.13.130
#Start internal servers.
redirect_address 192.168.3.3 196.20.13.136
redirect_address 192.168.4.3 196.20.13.137

Set up your firewall rules, some general rules for outgoing clients and then a specific per-server ruleset.

# 192.168.3.0 -
add 12000 allow tcp from any to 192.168.3.3 25 setup

Regards,
Rolf Mendelsohn

On 25 Feb 2003 at 0:56, Guilherme J. R. Oliveira wrote:

>
> Hi !
>
> I need to create a network serving virtual web hosting (which I'll have 2 public ip's) with these servers: apache, iis, bind, ftpd, sendmail and pop3.
> Is it possible to put all these servers (including the dns) behind a freebsd firewall/nat with 2 nics and 2 switches to divide 2 networks ?
>
> Example:
>
> internet
>    |
> router
>    |
> firewall&nat
>    |
> desktop1 -- switch -- | -- switch -- bind,apache,ftpd
> desktop2 --              -- sendmail,pop3,secondary_bind
>                          -- iis,ftpd
>
> I think it's possible using -redirect_port and -redirect_address but I shock with 2 (or more) problems:
>
> - if the public ip addresses will be served with bind then it must be installed in the same box as firewall&nat. True ? But I wish that bind stays behind the firewall.
> - I have only 2 public ip's that must be assigned (i think) to bind and secondary_bind. How can I access the iis and/or apache server independently from the internet ?
>
> Thanks.
>
> --
> mailto:guilherme@nortenet.pt || http://guilherme.host-valley.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
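The three pieces of configuration Rolf describes (rc.conf aliases, natd.conf static redirects, and one ipfw rule per internal server) all derive from the same small table, so they are easy to generate consistently. The script below is an added example and is not code from the mail or from FreeBSD; it reuses the interface name rl0 and the 196.20.13.130/255.255.255.248 primary address from the mail, while the MAPPING table, the rule-number step and the helper names are constructed for illustration. It also checks each public alias against the block the primary address sits on, because an alias outside that block only receives traffic if the upstream router sends it to this host.

```shell
#!/bin/sh
# Added example, not from the original mail or the FreeBSD project.
# Builds rc.conf aliases, natd.conf redirects and per-server ipfw rules from
# one table, then checks each public alias against the connected block.
# EXT_IF/EXT_IP/EXT_MASK come from the mail; MAPPING is constructed.

EXT_IF="rl0"
EXT_IP="196.20.13.130"
EXT_MASK="255.255.255.248"

# Constructed table: "internal_ip public_alias tcp_port", one server per line.
MAPPING="192.168.3.3 196.20.13.136 25
192.168.4.3 196.20.13.137 80"

# Dotted quad -> 32-bit integer using only POSIX shell arithmetic.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeeds when $1 lies inside the network that address $2 / mask $3 is on.
in_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# rc.conf: primary address, one /32 alias per public IP, natd enabled.
gen_rc_conf() {
    printf 'ifconfig_%s="inet %s netmask %s"\n' "$EXT_IF" "$EXT_IP" "$EXT_MASK"
    i=0
    printf '%s\n' "$MAPPING" | while read -r _int pub _port; do
        printf 'ifconfig_%s_alias%s="inet %s netmask 0xffffffff"\n' \
            "$EXT_IF" "$i" "$pub"
        i=$((i + 1))
    done
    printf 'natd_enable="YES"\n'
    printf 'natd_flags="-f /etc/natd.conf"\n'
}

# natd.conf: alias_address plus one static redirect_address per server.
gen_natd_conf() {
    printf 'alias_address %s\n' "$EXT_IP"
    printf '#Start internal servers.\n'
    printf '%s\n' "$MAPPING" | while read -r int pub _port; do
        printf 'redirect_address %s %s\n' "$int" "$pub"
    done
}

# ipfw: one rule per server that admits only its service port, matching on
# the internal address natd has already translated the packet to.
# Numbering from 12000 in steps of 10 is a constructed choice.
gen_ipfw_rules() {
    n=12000
    printf '%s\n' "$MAPPING" | while read -r int _pub port; do
        printf 'add %s allow tcp from any to %s %s setup\n' "$n" "$int" "$port"
        n=$((n + 10))
    done
}

# Count public aliases that are NOT inside the block of the primary address.
# These only work if the upstream router delivers their traffic to this host,
# so they are worth flagging before the configuration goes live.
count_aliases_outside_block() {
    printf '%s\n' "$MAPPING" | while read -r _int pub _port; do
        in_subnet "$pub" "$EXT_IP" "$EXT_MASK" || echo "$pub"
    done | wc -l | tr -d ' '
}

# Run as "sh gen.sh show" to print all three fragments and the alias check.
if [ "${1:-}" = "show" ]; then
    gen_rc_conf; echo; gen_natd_conf; echo; gen_ipfw_rules
    echo "aliases outside ${EXT_IP}/${EXT_MASK}: $(count_aliases_outside_block)"
fi
```

With the addresses from the mail, the check reports that both aliases (.136 and .137) fall outside the /29 that .130 belongs to, which is exactly the situation where the ISP's routing, not the netmask, decides whether the redirects ever see a packet.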