From owner-freebsd-isp Tue Aug 24 20: 3:22 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from inet.chip-web.com (c1003518-a.plstn1.sfba.home.com [24.1.82.47]) by hub.freebsd.org (Postfix) with SMTP id B285C152FA for ; Tue, 24 Aug 1999 20:03:11 -0700 (PDT) (envelope-from ludwigp@bigfoot.com)
Received: (qmail 20285 invoked from network); 25 Aug 1999 03:02:32 -0000
Received: from speedy.chip-web.com (HELO bigfoot.com) (172.16.1.1) by inet.chip-web.com with SMTP; 25 Aug 1999 03:02:32 -0000
Message-ID: <37C35C71.937E609A@bigfoot.com>
Date: Tue, 24 Aug 1999 20:01:05 -0700
From: Ludwig Pummer
X-Mailer: Mozilla 4.61 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: John Heyer
Cc: "freebsd-isp@FreeBSD.ORG"
Subject: Re: Internal Servers / External IP Addresses (NAT)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

John Heyer wrote:
>
> I recently installed FreeBSD 3.2 on a machine running NAT and IPFW to act
> as a proxy server. In addition to internet access for the internal users
> via NAT, the company has also asked to put their mail and web servers on
> the internal network for security reasons, yet still have them accessible
> from the outside. I moved the servers internally and had the Proxy server
> take the old IP address, then re-directed the necessary ports with NAT's
> -redirect_port parameter so that for example telnetting to port 25 of the
> proxy server's alias IP address gets a connection to the internal mail
> server.
>
> From the outside, this works great. The problem is it doesn't work from
> internal addresses. When they go to the outside (routable) alias being used
> by the proxy server, they don't get re-directed for some reason.
>
> I know the best solution might be to fool the clients into going directly
> to the internal address by DNS or hosts files, but unfortunately that
> would mean re-configuring 50 or so client machines. So I'm trying to do
> something at the server level - so far route statements and forwarding via
> ipfw, but with no luck. Any options to NAT I might be missing in order
> for the re-direction to work from the internal side?

I believe the issue here is which ipfw rules you are using to get the
packets sent to NAT. If you are using the standard rules packaged with
FreeBSD, then it's not enough. The standard rule requires that the packets
go through the natd_interface set by your rc.conf. In your case, the
packets are not going through that interface because the FreeBSD natd
gateway recognizes that those 'outside' addresses are its own and doesn't
bother passing them on to another interface.

All you should need to do is add an ipfw line to your rc.firewall saying
to "divert natd all from ${inet}:${imask} to ${old_outside_ip} 25" for the
SMTP server for example.

Note that I haven't actually tried this, but I do remember bringing this
up with the natd/natd manpage maintainers a few weeks/months ago and we
had a discussion about this kind of situation.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
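The two divert rules discussed in the reply, written out as an rc.firewall-style sh fragment. This is an added example and not code from the thread or from the FreeBSD rc scripts; the interface name, network, mask and addresses are constructed placeholders, and the protocol is written as tcp rather than all because ipfw only accepts a port number with tcp or udp. The fragment prints the commands unless IPFW_APPLY is set, so it can be reviewed off the gateway. One caveat the reply does not cover: the added rule only diverts the client's packets toward the old public address; the internal mail server answers the client directly on the LAN, so its reply is not untranslated by natd unless it also passes through the gateway. Test a connection from an internal host before relying on it.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeBSD's rc
# scripts.  rc.firewall-style fragment for reaching a natd-redirected
# internal SMTP server from inside.  Every address and interface name
# below is a constructed placeholder.

inet="192.168.1.0"              # internal network (constructed)
imask="255.255.255.0"           # its netmask (constructed)
natd_interface="ed0"            # external interface natd is bound to (constructed)
old_outside_ip="203.0.113.10"   # public address the gateway now holds (constructed)
internal_mail="192.168.1.25"    # internal SMTP server (constructed)

# Print the ipfw command unless IPFW_APPLY is set, so the fragment can be
# reviewed on any machine before being run for real on the gateway.
fwcmd() {
    if [ -n "${IPFW_APPLY}" ]; then
        /sbin/ipfw "$@"
    else
        echo "ipfw $*"
    fi
}

# The natd invocation the rules rely on: map port 25 on the public address
# to the internal mail server (the same -redirect_port use as in the thread).
natd_command() {
    echo "natd -n ${natd_interface} -redirect_port tcp ${internal_mail}:25 25"
}

hairpin_rules() {
    # Standard rule from the stock rc.firewall: only packets crossing the
    # external interface reach natd.  Internal clients talking to
    # ${old_outside_ip} never cross it, because that address is local.
    fwcmd add divert natd all from any to any via "${natd_interface}"

    # Rule suggested in the reply: also divert internal clients' SMTP
    # connections to the old public address, so natd applies its redirect.
    fwcmd add divert natd tcp from "${inet}:${imask}" to "${old_outside_ip}" 25

    # Caveat (not from the thread): the mail server answers the client
    # directly on the LAN, so natd never sees the reply to untranslate it
    # unless that reply also traverses the gateway.  Verify from inside.
}

natd_command
hairpin_rules
```

Run as-is to see the commands; run with IPFW_APPLY=1 as root on the gateway to load the rules after the natd process has been started with the printed redirect.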