From: "Rolf Mendelsohn"
To: "Guilherme J. R. Oliveira"
Date: Tue, 25 Feb 2003 08:59:20 +0200
Subject: Re: firewall/nat Web Hosting architecture
Cc: freebsd-isp@freebsd.org
Message-ID: <3E5B3068.1066.2DFE64@localhost>
In-reply-to: <20030225005636.4de408d9.guilherme@nortenet.pt>

Hi Guilherme,

I would question the design below and recommend that you install a third NIC in your FreeBSD firewall and run it like this:

              internet
                  |
               firewall
               /      \
    -- switch --        --switch--
     Desktops             Servers

This way your Servers LAN is separate from the clients' PCs - this is also a more scalable design. The servers LAN should use public IPs if possible & the clients can use NAT from the BSD machine. This is always less troublesome, especially if your BIND server is going to be a primary DNS server.
If it is impossible to redesign this network then you should do the following:

Alias some IPs in /etc/rc.conf:

ifconfig_rl0="inet 196.20.13.130 netmask 255.255.255.248"
ifconfig_rl0_alias0="inet 196.20.13.136 netmask 0xffffffff"
ifconfig_rl0_alias1="inet 196.20.13.137 netmask 0xffffffff"
ifconfig_rl0_alias2="inet 196.20.13.138 netmask 0xffffffff"

Run natd from a config file:

bash-2.05a$ grep natd /etc/rc.conf
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
bash-2.05a$ head -n 4 /etc/natd.conf
alias_address 196.20.13.130
#Start internal servers.
redirect_address 192.168.3.3 196.20.13.136
redirect_address 192.168.4.3 196.20.13.137

Set up your firewall rules: some general rules for outgoing clients and then a specific per-server ruleset.

# 192.168.3.0 -
add 12000 allow tcp from any to 192.168.3.3 25 setup

Regards,
Rolf Mendelsohn

On 25 Feb 2003 at 0:56, Guilherme J. R. Oliveira wrote:

>
> Hi !
>
> I need to create a network serving virtual web hosting (for which I'll have 2 public IPs) with these servers: apache, iis, bind, ftpd, sendmail and pop3.
> Is it possible to put all these servers (including the DNS) behind a FreeBSD firewall/NAT with 2 NICs and 2 switches to divide 2 networks?
>
>
> Example:
>
>                 internet
>                     |
>                   router
>                     |
>                firewall&nat
>                     |
> desktop1 -- switch -- | -- switch -- bind,apache,ftpd
> desktop2 --           --          -- sendmail,pop3,secondary_bind
>                                   -- iis,ftpd
>
>
> I think it's possible using -redirect_port and -redirect_address but I run into 2 (or more) problems:
>
> - if the public IP addresses will be served with bind then it must be installed in the same box as firewall&nat. True? But I wish that bind stays behind the firewall.
> - I have only 2 public IPs that must be assigned (I think) to bind and secondary_bind. How can I access the iis and/or apache server independently from the internet?
>
>
>
> Thanks.
>
> --
> mailto:guilherme@nortenet.pt || http://guilherme.host-valley.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
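A consistency check for the rc.conf aliases and natd.conf redirects shown in the reply above, as an added example that is not part of this thread: it parses both files and reports any public address natd would use that no ifconfig alias on the firewall answers for (such a redirect silently receives no traffic). The sample configs are constructed from the thread's values plus one deliberately unaliased redirect (196.20.13.139) so the check has something to report.

```python
import re

# Constructed sample input: the thread's rc.conf and natd.conf lines plus one
# extra redirect to a public address (196.20.13.139) that has no alias.
RC_CONF = """
ifconfig_rl0="inet 196.20.13.130 netmask 255.255.255.248"
ifconfig_rl0_alias0="inet 196.20.13.136 netmask 0xffffffff"
ifconfig_rl0_alias1="inet 196.20.13.137 netmask 0xffffffff"
ifconfig_rl0_alias2="inet 196.20.13.138 netmask 0xffffffff"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
"""
NATD_CONF = """
alias_address 196.20.13.130
#Start internal servers.
redirect_address 192.168.3.3 196.20.13.136
redirect_address 192.168.4.3 196.20.13.137
redirect_address 192.168.5.3 196.20.13.139
"""

def interface_addresses(rc_conf):
    """Map every inet address from ifconfig_* lines (aliases included) to its interface."""
    pat = re.compile(r'^ifconfig_([a-z]+\d+)(?:_alias\d+)?="inet (\S+)', re.M)
    return {addr: iface for iface, addr in pat.findall(rc_conf)}

def natd_redirects(natd_conf):
    """Return (alias_address, [(private, public), ...]); comments and blanks are skipped."""
    alias, redirects = None, []
    for line in natd_conf.splitlines():
        fields = line.split('#', 1)[0].split()
        if fields[:1] == ['alias_address'] and len(fields) == 2:
            alias = fields[1]
        elif fields[:1] == ['redirect_address'] and len(fields) == 3:
            redirects.append((fields[1], fields[2]))
    return alias, redirects

def check_nat_config(rc_conf, natd_conf):
    """List public addresses natd relies on that no interface is configured to answer for."""
    addrs = interface_addresses(rc_conf)
    alias, redirects = natd_redirects(natd_conf)
    problems = []
    if alias not in addrs:
        problems.append(f"alias_address {alias} is not configured on any interface")
    for private, public in redirects:
        if public not in addrs:
            problems.append(f"redirect_address {private} -> {public}: no ifconfig alias for {public}")
    return problems

if __name__ == "__main__":
    for problem in check_nat_config(RC_CONF, NATD_CONF):
        print(problem)
```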