Subject: Re: ip(nat&filter) + webserver question
To: None <bouyer@antioche.eu.org>
From: Jerome Houston <the_hou_guy@hotmail.com>
List: netbsd-help
Date: 02/07/2002 15:11:56
I see..
Well, I can do one of those, I suppose.  Maybe I'll just put a DNS server on 
the firewall itself.
Thanks.

j

>From: Manuel Bouyer <bouyer@antioche.eu.org>
>To: Jerome Houston <the_hou_guy@hotmail.com>
>CC: netbsd-help@netbsd.org
>Subject: Re: ip(nat&filter) + webserver question
>Date: Thu, 7 Feb 2002 22:35:05 +0100
>
>On Wed, Feb 06, 2002 at 12:14:29PM -0800, Jerome Houston wrote:
> > TIA for any help someone can give.
> >
> > I've got the classic setup.  Static IP (w.x.y.z), NetBSD
> > firewall/router (ipfilter/ipnat), internal network with a webserver @
> > 192.168.a.b.
> > NAT is configured to RDR port 80 requests to the internal webserver
> > 192.168.a.b.
> >
> > Almost all is well.  WAN computers can access the pages on the webserver
> > correctly, and internal network computers can access the pages if they go
> > directly to 192.168.a.b.
> > BUT.... (isn't there always a BUT?)
> > If INTERNAL computers (i.e. 192.168.c.d) go to w.x.y.z, nuthin' happens.
> > "The page cannot be displayed".
> >
> > This isn't a huge problem, except that I want internal computers to access
> > my domain (my.domain.com, which correctly points to w.x.y.z) from
> > inside......
> >
> > I could always make an entry in the hosts file of each of the internal net
> > computers to make my.domain.com point to 192.168.a.b, but that seems like
> > such a hack that shouldn't be necessary with ip(nat/filter).
> >
> > My hunch is that I'm doing this to myself in IPFILTER somewhere....
> > Here's the relevant entries...
>
>If the client and servers are on the same net, you can't get this working:
>client A will send a TCP packet to host P (the public address) via the router.
>The router redirects it to server S.
>Server S answers directly to client A as it's on the same subnet.
>But as the answer doesn't go through the router it doesn't get rewritten,
>and the answer comes from a different address than the request was sent to.
>
>You have to either install a proxy which will do proper redirects, or install
>a local DNS which will send the local address for your server name, instead
>of the public one.
>
>If you put the server on its own subnet then the router can do proper
>redirects.
>
>--
>Manuel Bouyer <bouyer@antioche.eu.org>
>--
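The asymmetric return path Manuel describes, modelled as an added example (not code from the thread or from ipnat): a minimal `rdr` state table plus the LAN-versus-router delivery decision, run for the three cases discussed (server on the client's LAN, server on its own subnet, local DNS handing out the private address). The addresses are constructed placeholders for w.x.y.z, 192.168.a.b and 192.168.c.d.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed placeholders standing in for the thread's w.x.y.z, 192.168.c.d and 192.168.a.b.
PUBLIC = ip_address("203.0.113.10")            # router's public address (w.x.y.z)
CLIENT = ip_address("192.168.1.50")            # internal client (192.168.c.d)
CLIENT_NET = ip_network("192.168.1.0/24")
SERVER_SAME_NET = ip_address("192.168.1.20")   # webserver on the client's LAN (192.168.a.b)
SERVER_OWN_NET = ip_address("192.168.2.20")    # webserver moved to its own subnet
SERVER_OWN_SUBNET = ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def rdr_inbound(pkt: Packet, server: IPv4Address, state: dict) -> Packet:
    """Model of the ipnat 'rdr' rule: PUBLIC:80 -> server:80, recording the flow."""
    if pkt.dst == PUBLIC and pkt.dport == 80:
        state[(pkt.src, pkt.sport)] = pkt.dst
        return Packet(pkt.src, pkt.sport, server, 80)
    return pkt


def rdr_reply(pkt: Packet, state: dict) -> Packet:
    """Reverse translation; only replies that actually pass through the router see it."""
    original_dst = state.get((pkt.dst, pkt.dport))
    if original_dst is None:
        return pkt
    return Packet(original_dst, pkt.sport, pkt.dst, pkt.dport)


def client_gets_page(target: IPv4Address, server: IPv4Address, server_net: IPv4Network) -> bool:
    """True if the reply comes back from the address the client's TCP stack contacted."""
    state: dict = {}
    request = Packet(CLIENT, 40000, target, 80)
    # Off-LAN destinations go via the router and hit the rdr rule; LAN ones are delivered directly.
    delivered = request if request.dst in CLIENT_NET else rdr_inbound(request, server, state)
    reply = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    # The server only hands the reply to the router when the client is NOT on its own subnet.
    if reply.dst not in server_net:
        reply = rdr_reply(reply, state)
    return reply.src == target and reply.sport == 80
```

`client_gets_page(PUBLIC, SERVER_SAME_NET, CLIENT_NET)` is False because the reply arrives from 192.168.1.20 rather than from the public address; moving the server to its own subnet or pointing the client at the private address directly both return True.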

