rich <[EMAIL PROTECTED]> wrote:
>
> Anyway, here is one more quick question -- since these web servers
> were once in front of the firewall and now are behind, AND all the
> users point to a DNS on the OUTSIDE, which means they only resolve the
> OUTSIDE addresses -- can you make the portfw work from BOTH sides???

This issue is so frequently asked that it is worthy of the FAQ.
Port-forwarding is not a generic "take packets from here and send them
over there because I said so" type of kernel function. It is a function
that is tightly integrated with masquerading, and only works when
masquerading is present. If you really want generic port redirection,
you will need to use a user-space daemon, with all the disadvantages
thereof.

First of all, think about what you're doing, when you ask for this
feature: You actually want your internal LAN users to send their web
traffic *twice* over the network? Once to the masq server, then from
the masq server to the web server, then back, and back again. This
increases network load unnecessarily.

Second of all, think about how portfw works with masq: When a request
comes in that matches one of the portfw rules, the kernel searches the
forwarding rule-set, and finds a rule that would have matched, if the
traffic were going in the *opposite* direction. That's because
masquerade is generally an out-bound function, and so in order to make
it work for an in-bound connection, we have to search for an out-bound
masq entry that would work, and then make use of it. When such a rule
is found, a masq-entry is entered into the table for this connection,
and because of the way masq works, the packets end up being masqueraded
and forwarded correctly.

But see how this works: If the packets are attempting to travel in a
direction for which no masquerading is available, then the forwarding
will fail! There is no rule that allows an internal LAN box to
masquerade through the server and back into the internal LAN. If you
added such a rule, it wouldn't work anyway, because the kernel would
recognize this as an invalid forwarding attempt (network to same
network) and it would never make it to the forwarding ruleset.

So what you ask for is not really possible with the system, as it's
designed. However, by setting up separate DNS servers for inside and
outside traffic, you can *easily* get your internal clients to contact
the web server directly (as they SHOULD, for efficiency!), and let
external clients still forward through your masq server. This is, in my
opinion, the correct solution.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
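A small model of the two points made in the reply above: the reverse-direction masq lookup that portfw depends on (and why a LAN client hitting the outside address fails), and the split-DNS workaround. This is an added illustration written for this page, not code from the kernel or the list; the addresses, host name and rule tables are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): a LAN behind a masquerading box.
LAN = ip_network("192.168.1.0/24")
MASQ_EXT_IP = ip_address("203.0.113.10")   # masq server's outside address
WEB_INTERNAL = ip_address("192.168.1.80")   # web server, now behind the firewall

# masq rule set: traffic from these networks leaving outward is masqueraded
MASQ_RULES = [LAN]
# portfw rule set: (outside address, port) -> (inside address, port)
PORTFW = {(MASQ_EXT_IP, 80): (WEB_INTERNAL, 80)}


def portfw_lookup(src, dst, dport):
    """Model of the behaviour the post describes: a portfw hit only succeeds
    if a masq rule would have matched the *reverse* (server -> client) path."""
    target = PORTFW.get((dst, dport))
    if target is None:
        return "no portfw rule"
    server, _ = target
    # Same-network traffic is never masqueraded; the kernel rejects it
    # before the forwarding rule set is even consulted.
    if any(server in net and src in net for net in MASQ_RULES):
        return "refused: same-network forwarding"
    # Reverse direction would be masqueraded, so a masq entry can be created.
    if any(server in net for net in MASQ_RULES):
        return f"forwarded to {server}"
    return "refused: no masq rule for reverse direction"


def resolve(name, client):
    """Split-horizon DNS: LAN clients get the inside address, everyone else
    the masq server's outside address (the fix recommended in the post)."""
    if name != "www.example.com":        # constructed host name
        return None
    return WEB_INTERNAL if client in LAN else MASQ_EXT_IP


def client_connect(client, name):
    """What a client ends up doing once split DNS is in place."""
    dst = resolve(name, client)
    if dst in LAN and client in LAN:
        return f"direct to {dst}"        # no double trip through the masq box
    return portfw_lookup(client, dst, 80)
```

Run `portfw_lookup` with a LAN source against the outside address to see the refusal, then `client_connect` with the same client to see split DNS route it straight to the server.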