Date: Thu, 10 Dec 1998 15:35:11 -0600
From: Nelson <rjn103s@mgr3.k12.mo.us>
To: security@FreeBSD.ORG
Subject: Re: firewall && natd && private class B
Message-ID: <3.0.6.32.19981210153511.007de100@mgr3.k12.mo.us>
In-Reply-To: <3.0.6.32.19981210074500.0087a050@mgr3.k12.mo.us>
Greetings,

After receiving several replies to the posting, the problem appears to be a shortcoming of natd running on the outside interface (according to several replies). One person has implemented a solution to the problem by having 2 boxes, one for outgoing traffic running natd and one for incoming traffic running natd.

My knowledge is somewhat limited in the subject area; could someone please critique the below thoughts on whether it is possible and, if so, what shortcomings I would be creating with these hypothetical solutions:

Since someone is running 2 boxes to solve the problem they are actually running 2 copies of natd. Why can't you run 2 copies of natd on a single box (a copy on each card)? If so I would assume you would need 2 divert ports instead of 1. (????Thoughts????) Would this get anywhere? There must be a way to consolidate the 2 boxes into 1.

It was pointed out to me that there was no need to redirect udp traffic as well. I have since corrected my natd conf file.

Thanks to all that replied! I find the support on this list EXCELLENT!

At 07:45 AM 12/10/98 -0600, you wrote:
>Greetings,
>
>I would like to put our mail && http server behind our firewall. To do
>this I setup a small test for the devices and actually placed them behind
>the firewall, gave the firewall alias addresses, and added some
>configurations in a configuration file for natd as follows
>
>#natd config file
>same_ports yes
>#redirect mail
>redirect_port tcp 172.16.0.3:smtp outside_address:smtp
>redirect_port udp 172.16.0.3:smtp outside_address:smtp
>redirect_port tcp 172.16.0.3:pop3 outside_address:pop3
>redirect_port udp 172.16.0.3:pop3 outside_address:pop3
>#redirect http
>redirect_port tcp inside_address:80 outside_address:80
>redirect_port udp inside_address:80 outside_address:80
>
>voila! It worked for any workstation that had a "real" IP like a champ!
>However when I tried the workstation with addresses from our Class B I
>could not get it to work with any address of the form 172.16.xxx.xxx
>255.255.0.0 (only tested with w95 boxes). From the client I kept getting
>10061 error with the mail. So, I suspected something with the mail client
>or server however when I tried the webserver I get no success, I get an
>error of timed out ok with private ip's and works like a champ with real
>ip's. Which lets the mail client and server off the hook. Now I am not for
>sure where to look for a problem.:(
>
>I am thinking I have missed something simple, any ideas what??
>
>Thoughts Welcome!
>
>Richard Nelson
>Technology Director
>Research & Development Director
>System Administrator
>Mountain Grove R-III Schools
>420 N. Main
>Mountain Grove, MO 65711
>+++++++++++++++++++++++++++++++++++++++++
>+ FreeBSD, Linux, & Java = Excellence +
>+ http://www.freebsd.org +
>+ http://www.redhat.com +
>+ http://java.sun.com/ +
>+ Samba + (FreeBSD||Linux)= Free PDC! +
>+ Using FreeBSD for Servers! +
>+ Using Linux for Workstations! +
>+++++++++++++++++++++++++++++++++++++++++

Richard Nelson
Technology Director
Research & Development Director
System Administrator
Mountain Grove R-III Schools
420 N. Main
Mountain Grove, MO 65711
+++++++++++++++++++++++++++++++++++++++++
+ FreeBSD, Linux, & Java = Excellence +
+ http://www.freebsd.org +
+ http://www.redhat.com +
+ http://java.sun.com/ +
+ Samba + (FreeBSD||Linux)= Free PDC! +
+ Using FreeBSD for Servers! +
+ Using Linux for Workstations! +
+++++++++++++++++++++++++++++++++++++++++
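The single-natd setup the thread is discussing, written out as an added example (not the poster's own files or the FreeBSD project's). It shows the natd configuration with the udp redirect lines removed, as the poster says he has since done, together with the ipfw divert rule that hands packets to natd, which the original message does not show. The interface name ed0, the file paths and the placeholder names outside_address and inside_address are assumptions.

```conf
# /etc/natd.conf  (assumed path; started with: natd -f /etc/natd.conf)
# natd only sees packets that the ipfw divert rule below sends it,
# and that rule only matches traffic crossing the OUTSIDE interface.
interface ed0
same_ports yes
# redirect mail: smtp and pop3 are tcp services, so no udp lines
redirect_port tcp 172.16.0.3:smtp outside_address:smtp
redirect_port tcp 172.16.0.3:pop3 outside_address:pop3
# redirect http
redirect_port tcp inside_address:80 outside_address:80

# /etc/rc.firewall fragment (assumed): the divert rule must come before
# any rule that passes traffic, so that natd rewrites addresses first.
# "natd" resolves to divert port 8668 via /etc/services.
ipfw add 100 divert natd ip from any to any via ed0
```

With this layout a request from a 172.16.x.x workstation to outside_address arrives on the inside interface and is delivered to the firewall itself; it never crosses ed0, so the divert rule never matches and natd never rewrites it, which is the "shortcoming of natd on the outside interface" the replies describe and why the real-IP clients worked while the private-IP clients did not. The knobs a second natd instance would need are the ones shown here, `port` (the divert port, natd's -p option) and `interface` (-n), each instance getting its own values and its own ipfw divert rule; note that an instance on the inside interface would also have to alias the source of the forwarded packet, otherwise the server on 172.16.0.3 replies straight to the client on the same subnet with a source address the client is not expecting.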