natd interface alias question

ktulu at net2000.com.au ktulu at net2000.com.au
Tue Mar 9 20:27:37 PST 2004


> Hi All,
> 
> I've been playing around with this for a few weeks now and searched Google
> endlessly, but still can't find a solution...  I apologise in advance for the
> length of this post.
> 
> Basically, I have a FreeBSD machine that acts as a proxy and web server to a
> web application we are currently developing.  The machine is configured to
> serve up web pages via Apache on port 80, but forward any traffic requested
> on port 443 to another machine behind the firewall.  Below are the relevant
> parts of the rc.conf file:
> 
> network_interfaces="fxp1 lo0"
> ifconfig_lo0="inet 127.0.0.1"
> ifconfig_fxp1="inet 192.168.1.10 netmask 255.255.0.0"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="fxp1"
> natd_flags="-l -m -redirect_port tcp 192.168.1.20:443 443"
> 
> I have set the firewall to "allow ip any to any" for the sake of simplifying
> the problem.  The configuration above works fine for one IP - when I request
> https://192.168.1.10/ it serves the page from 192.168.1.20.  I have written a
> script to add another IP to the machine to perform the same task, which is
> where the problems begin.  Basically the script issues the following commands:
> 
> # Add the alias to fxp1
> ifconfig fxp1 inet 192.168.1.11 netmask 255.255.255.255 alias
> 
> (still not sure why the subnet mask here has to be 0xffffffff, even if I
> specify fxp0, which is a physically different port, but anyway it works)
> 
> # Create a natd instance for the newly configured IP:
> /sbin/natd -n fxp1 -port 8669 -m -redirect_port tcp 192.168.1.21:443 192.168.1.11:443
> 
> # Restart the networking
> /etc/netstart
> 
> As far as Apache is concerned this configuration is fine and it serves the
> correct page as configured in the VirtualHosts (on port 80).  The problem is
> that if I request https://192.168.1.11/, the browser times out and does not
> serve the page from 192.168.1.21.
> 
> Why is it that it works for one and not the aliased IP? natd does not bind to
> port 443 (at least nmap doesn't report it), so it's not that port 443 is
> already bound.  Is natd/FreeBSD actually capable of such a configuration or
> am I just overlooking something fundamental?!?  Any help would be much
> appreciated!
> 
> Thanks,
> Leigh
> 
> P.S - I'm running FreeBSD 4.8-RELEASE
> 
> 

One thing I forgot to add was the relevant ipfw rules that I have for the nat
daemons:

00050 151 17284 divert 8668 ip from any to any via fxp1
00051 151 17284 divert 8669 ip from any to any via fxp1

Regards,
Leigh
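As an added example that is not part of the post, here is a small Python checker (my own code; all names in it are assumed) for natd_flags strings: it applies the -redirect_port syntax documented in natd(8), proto targetIP:targetPORT[-PORT] [aliasIP:]aliasPORT[-PORT], and reads the -port option so the divert port can be compared with the ipfw divert rules above before a daemon is restarted. The same syntax also allows both redirects to live in one instance, e.g. `-redirect_port tcp 192.168.1.20:443 192.168.1.10:443 -redirect_port tcp 192.168.1.21:443 192.168.1.11:443`, which needs only the single divert rule that rc.conf already sets up.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class PortRedirect:
    proto: str
    target_ip: str                # host behind the gateway that really answers
    target_ports: Tuple[int, int]
    alias_ip: Optional[str]       # None: any address natd aliases on its interface
    alias_ports: Tuple[int, int]

def _port_range(text: str) -> Tuple[int, int]:
    lo, _, hi = text.partition("-")
    lo_n, hi_n = int(lo), (int(hi) if hi else int(lo))
    if not 1 <= lo_n <= hi_n <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo_n, hi_n

def _addr_ports(text: str, addr_required: bool):
    host, sep, ports = text.rpartition(":")   # no ':' means a bare port or range
    if not sep:
        if addr_required:
            raise ValueError(f"{text!r} is missing a port number")
        return None, _port_range(text)
    return str(ipaddress.IPv4Address(host)), _port_range(ports)

def parse_redirect_port(words: List[str]) -> PortRedirect:
    # proto targetIP:targetPORT[-PORT] [aliasIP:]aliasPORT[-PORT]; the optional
    # trailing remoteIP[:remotePORT] word from natd(8) is not modelled here
    if len(words) != 3 or words[0].lower() not in ("tcp", "udp"):
        raise ValueError(f"malformed -redirect_port {words}")
    target_ip, target_ports = _addr_ports(words[1], addr_required=True)
    alias_ip, alias_ports = _addr_ports(words[2], addr_required=False)
    return PortRedirect(words[0].lower(), target_ip, target_ports, alias_ip, alias_ports)

def parse_natd_flags(flags: str) -> Tuple[int, List[PortRedirect]]:
    # returns (divert port, redirects); 8668 is natd's default divert port
    words, divert_port, redirects = shlex.split(flags), 8668, []
    for i, word in enumerate(words):
        if word == "-port":
            divert_port = int(words[i + 1])
        elif word == "-redirect_port":
            j = i + 1
            while j < len(words) and not words[j].startswith("-"):
                j += 1            # natd gathers the following non-option words
            redirects.append(parse_redirect_port(words[i + 1:j]))
    return divert_port, redirects
```

Running it over the rc.conf flags above gives divert port 8668 and one redirect with no alias address, which is why that instance answers on whichever address fxp1 carries; an instance started with a bare alias address and no port is rejected before natd is restarted.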

