arp request problem with firewall

horio shoichi bugsgrief at bugsgrief.net
Tue Dec 30 20:13:36 PST 2003


On Mon, 29 Dec 2003 16:30:40 -0800 (PST)
Terry Singh <terrysingh at yahoo.com> wrote:
> this is my first post to freebsd questions. 
> 
> MY NETWORK
> 
> Internet -- WAN_IF | FIREWALL - 5.1 RELEASE | LAN_IF -- LAN network
> 
> The WAN_IF has several public addresses as aliases. I have about 20 servers in
> the LAN that require various services allowed to the public Internet. 
> 
> I basically am doing a "bimap" one to one mapping per server in the LAN.
> This all works great, meaning I can surf etc etc from any LAN server to the
> Internet and also, from the Internet I can get published services on LAN
> servers. 
> 
> Here's the problem:
> I already mentioned that each server with a 192.168.50.x address is "bimap"ed
> to a public address. The problem is that if I am on any of the LAN servers, and
> want to connect to the public address of a server in the LAN, I CANNOT.
> Now first off, I could connect using private addresses and of course this works
> like it should. But our applications have real DNS names coded in the apps so I
> need this to work.
> 
> I know it has something to do with proxy arp so I even tried placing this line
> in sysctl.conf: net.link.ether.inet.proxyall=1
> No luck.
> 
> ANY IDEAS?
> 
> --------------
> Second problem
> One of the LAN servers is a FTP server. From the Internet, I can only connect
> using ACTIVE MODE even though I allow both 20/21/tcp inbound. Here's what
> happens when passive mode is used: The initial connection is accepted, but then
> the server sends its private address instead of its proper public address! Of
> course it's not gonna work! So I forced active mode and voila! it worked.
> What's the fix for this bugger? I know outbound FTP has some built-in proxy ftp
> in freebsd but what about inbound?
> 
> thanks, tsingh.
> 
> 
> 
> 

1. A network configuration like yours is known not to work. The reason and
workarounds are best detailed here:

	http://www.openbsd.org/faq/pf/rdr.html#reflect

2. wu-ftp and proftp have the ability to advertise an arbitrary address.
There may be others, but I don't know.



horio shoichi
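The first problem (a LAN host connecting to the public "bimap" address of another LAN server) is a classic NAT-reflection failure, and the linked pf FAQ explains it: the firewall rewrites the destination, but the server's reply goes straight back to the client on the shared LAN segment, carrying the server's private source address, so the client drops it. Below is an added example, not part of the original thread and not from any firewall's code, that models that exchange in Python and shows what the FAQ's reflection workaround (also translating the client's source address on the LAN interface so replies must pass back through the firewall) changes. All addresses are constructed: LAN 192.168.50.0/24, firewall LAN address 192.168.50.1, public alias 203.0.113.10 mapped to 192.168.50.10.

```python
# Added example: a minimal model of hairpin ("reflected") NAT through a
# firewall with a one-to-one public->private mapping.
# Constructed addresses, not the poster's network.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LAN = ipaddress.ip_network("192.168.50.0/24")
FW_LAN_ADDR = "192.168.50.1"
BIMAP = {"203.0.113.10": "192.168.50.10"}   # public alias -> LAN server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Firewall:
    """Translates packets that arrive on LAN_IF addressed to a public alias."""

    def __init__(self, reflect: bool):
        self.reflect = reflect
        # state: (translated src, translated dst) -> (original src, original dst)
        self.state: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def from_lan(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as forwarded to the server, or None when the
        destination is not a public alias (plain LAN traffic never reaches
        the firewall at all)."""
        if pkt.dst not in BIMAP:
            return None
        new_dst = BIMAP[pkt.dst]
        # Plain rdr/bimap leaves the source alone. The reflection workaround
        # also rewrites the source to the firewall's own LAN address, so the
        # server's reply has to come back to the firewall to be untranslated.
        new_src = FW_LAN_ADDR if self.reflect else pkt.src
        self.state[(new_src, new_dst)] = (pkt.src, pkt.dst)
        return Packet(new_src, new_dst)

    def reply_to_lan(self, pkt: Packet) -> Packet:
        """Undo the translation for a reply that came back to the firewall."""
        orig_src, orig_dst = self.state[(pkt.dst, pkt.src)]
        return Packet(orig_dst, orig_src)


def deliver(fw: Firewall, client: str, public_addr: str) -> Tuple[str, bool]:
    """Simulate a SYN from client to public_addr and return the source address
    the client sees on the SYN-ACK, plus whether it matches the address the
    client connected to (if not, the client's TCP stack discards the reply)."""
    syn = Packet(client, public_addr)
    forwarded = fw.from_lan(syn)
    if forwarded is None:
        raise ValueError("destination is not a mapped public address")
    synack = Packet(forwarded.dst, forwarded.src)  # server answers the src it saw
    if ipaddress.ip_address(synack.dst) in LAN and synack.dst != FW_LAN_ADDR:
        # Client and server share the segment: the reply is delivered directly,
        # never touching the firewall, so it carries the private address.
        seen = synack
    else:
        seen = fw.reply_to_lan(synack)
    return seen.src, seen.src == public_addr


if __name__ == "__main__":
    for reflect in (False, True):
        src, ok = deliver(Firewall(reflect), "192.168.50.20", "203.0.113.10")
        print(f"reflect={reflect}: SYN-ACK from {src}, accepted={ok}")
```

The price of the reflection workaround, as the FAQ also notes, is that the server then sees every such connection as coming from the firewall's LAN address rather than the real client, which matters for logging and any address-based access control on the server; split-horizon DNS (answering internal clients with the private address) avoids that and is the other workaround the FAQ lists.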


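The second problem is visible on the FTP control channel: a passive-mode reply is "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", and a server bound to a private address behind a bimap fills in that private address, which is exactly what the poster saw from the Internet side. Fixing it means either the server advertising the public address itself (the setting the reply refers to; proftpd's MasqueradeAddress directive is one such option) or the firewall's FTP helper rewriting the reply on the way out. The following added example, not part of the original thread and not the code of any FTP proxy, parses 227 replies, flags ones that leak an RFC 1918 address, and performs the rewrite an FTP helper does. Addresses are constructed: private 192.168.50.10, public alias 203.0.113.10.

```python
# Added example: detect and rewrite FTP PASV (227) replies that advertise a
# private address. Constructed addresses, not the poster's.
import ipaddress
import re
from typing import Optional, Tuple

# RFC 1918 ranges; checked explicitly rather than via ip_address.is_private,
# which also covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) advertised by a 227 reply, or None if the line is
    not a well-formed PASV reply. Port is p1*256 + p2 per RFC 959."""
    m = PASV_RE.match(line.strip())
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def leaks_private_address(line: str) -> bool:
    """True when a 227 reply advertises an RFC 1918 address: the symptom a
    client on the Internet sees when the NAT does not rewrite PASV replies."""
    parsed = parse_pasv(line)
    if parsed is None:
        return False
    addr = ipaddress.ip_address(parsed[0])
    return any(addr in net for net in RFC1918)


def rewrite_pasv(line: str, private_addr: str, public_addr: str) -> str:
    """Rewrite a 227 reply advertising private_addr so it advertises
    public_addr instead; every other line passes through unchanged.
    A real NAT helper must also add a translation for the data port it
    just learned; that half is not modelled here."""
    parsed = parse_pasv(line)
    if parsed is None or parsed[0] != private_addr:
        return line
    port = parsed[1]
    octets = public_addr.replace(".", ",")
    return f"227 Entering Passive Mode ({octets},{port // 256},{port % 256})\r\n"


if __name__ == "__main__":
    # Constructed control-channel lines as a client on the Internet would see them.
    for raw in ("220 FTP server ready\r\n",
                "227 Entering Passive Mode (192,168,50,10,195,80)\r\n"):
        print(repr(raw), "leaks private:", leaks_private_address(raw))
        print("  ->", repr(rewrite_pasv(raw, "192.168.50.10", "203.0.113.10")))
```

Active mode works for the poster because the client tells the server where to connect, so no address in the server's own replies has to be correct; passive mode depends entirely on the advertised address being reachable by the client.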
