Date: Tue, 28 Oct 2003 15:02:12 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Lewis Thompson <purple@lewiz.net>
Cc: FreeBSD-questions <questions@freebsd.org>
Subject: Re: Complicated ipfw/ipf forwarding.
Message-ID: <20031028150212.GB9271@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20031028143531.GH288@lewiz.org>
References: <20031028143531.GH288@lewiz.org>
On Tue, Oct 28, 2003 at 02:35:31PM +0000, Lewis Thompson wrote:
> I have a public IP address and a couple of machines sitting behind a
> FreeBSD router doing NAT. I'm using ipnat and ipf right now (although I
> used to use natd/ipfw so I don't mind switching -- I started using
> ipf/ipnat because of an odd problem with 5.1-RELEASE but I'm switching
> back to 4.9 now) and wondered if it was possible to do forwarding based
> on DNS.
>
> For example Apache is clever enough to support virtual hosts based on
> the address requested. Is there any way at all to do this for
> forwarding on the router? For example if I had three CNAMEs for the
> same IP, red, pink and blue. Could I have red.foo.bar forwarded to
> 192.168.0.2, pink.foo.bar forwarded to 192.168.0.3 and say blue.foo.bar
> go to the local machine (i.e. the router)?

I don't think that will be possible for an arbitrary protocol. The only
way that apache can do this is because the HTTP/1.1 protocol explicitly
includes the name of the required virtual host in the GET / POST / HEAD
packets. (Hence you can't use name virtual hosts with HTTPS, because of
the catch 22: you can't read the name of the virtual host until you can
decode the packet stream, and you can't decode the stream until you know
which virtual host to send it to...)

Most protocols don't have anything like this concept of virtual hosts
built into them, so the only data they have to work with is the IP and
port number in the packet headers. This works with NAT on outgoing
connections because the natd(8) will ensure that the source IP+port on
any outgoing packets is unique to each connection. Unfortunately there's
no way it can work like that for inbound connections.
Now, if you're talking about having 3 web servers (red, pink, blue) then
you can use an apache instance on your NAT gateway as an inverse proxy:
see http://httpd.apache.org/docs-2.0/mod/mod_proxy.html

Other application-specific proxies are available for various protocols,
for instance ssh(1) has the '-D', '-L' and '-R' command line flags which
should be enough to let you ssh into your private network.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031028150212.GB9271>
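The mechanism Matthew's reply leans on, written out as an added example (it is not code from this thread, from Apache or from FreeBSD): a gateway can only dispatch an inbound connection by name when the application protocol puts that name on the wire, which for HTTP/1.x is the Host header in the request head. This is what Apache name-based virtual hosts and a mod_proxy reverse proxy do. The hostnames and 192.168.0.x addresses are the ones from Lewis's question; the port used for blue.foo.bar on the gateway, the function names and the sample request bytes are assumptions constructed for the example. A stream that is not an HTTP request head (modelled here by a constructed TLS-record-shaped byte string) carries no Host header, so the dispatcher has nothing to route on and refuses it, which is the point the reply makes about arbitrary protocols.

```python
import socket
import threading

# Hypothetical mapping from the thread's names to backends. The 192.168.0.x
# addresses are from the question; the port for "blue" (served on the
# gateway itself) is an assumption.
BACKENDS = {
    "red.foo.bar": ("192.168.0.2", 80),
    "pink.foo.bar": ("192.168.0.3", 80),
    "blue.foo.bar": ("127.0.0.1", 8080),
}

# Constructed sample inputs, not captured traffic.
RED_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: red.foo.bar\r\nConnection: close\r\n\r\n"
PINK_REQUEST = b"POST /form HTTP/1.1\r\nHost: PINK.foo.bar:80\r\nContent-Length: 0\r\n\r\n"
NO_HOST_REQUEST = b"GET / HTTP/1.0\r\n\r\n"
# Looks like the start of a TLS record (0x16 = handshake), not an HTTP head.
TLS_LIKE_HEAD = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32)


class NotHTTP(ValueError):
    """The first bytes of the stream are not an HTTP/1.x request head."""


def parse_request_head(head):
    """Split an HTTP/1.x request head into (method, target, version, headers).
    Header names are lower-cased. Raises NotHTTP for anything else."""
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        raise NotHTTP("non-ASCII bytes where a request line was expected")
    request_line, _, rest = text.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise NotHTTP("malformed request line: %r" % request_line)
    headers = {}
    for line in rest.split("\r\n"):
        if line == "":
            break  # blank line ends the head; anything after it is body
        name, sep, value = line.partition(":")
        if not sep:
            raise NotHTTP("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def choose_backend(head):
    """Return the (ip, port) to relay to, or None when the request names no
    host or a host this gateway does not serve."""
    _method, _target, _version, headers = parse_request_head(head)
    host = headers.get("host")
    if host is None:
        return None
    if not host.startswith("["):          # leave bracketed IPv6 literals alone
        host = host.rsplit(":", 1)[0]     # drop an explicit ":port"
    return BACKENDS.get(host.lower())


def recv_head(sock, limit=8192):
    """Read from the client until the blank line that ends the request head."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) + len(chunk) > limit:
            raise NotHTTP("stream ended or head too large before blank line")
        buf += chunk
    return buf


def pump(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on to the other side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client):
    """Dispatch one accepted connection: read the head, pick a backend, relay."""
    try:
        head = recv_head(client)
        backend = choose_backend(head)
    except NotHTTP:
        client.close()      # not HTTP: nothing at this layer to dispatch on
        return
    if backend is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        client.close()
        return
    upstream = socket.create_connection(backend)
    upstream.sendall(head)  # replay the bytes already consumed from the client
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)
    client.close()
    upstream.close()


def serve(listen=("0.0.0.0", 80)):
    """Accept loop for the gateway (assumed entry point when run as a script)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(64)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run as a script it listens on port 80 of the gateway and relays each connection to whichever backend the Host header selects; `choose_backend` on its own is enough to see the dispatch decision for RED_REQUEST, PINK_REQUEST (case and port stripped), NO_HOST_REQUEST (nothing to route on) and TLS_LIKE_HEAD (refused as non-HTTP).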