RE: NATD anyone?


Subject: RE: NATD anyone?
From: Mark-Nathaniel Weisman (mark@outlander.us)
Date: Mon Sep 09 2002 - 23:16:58 AKDT


Mike,
  I've done some reading on working with mod_rewrite. However, I'm not
sure about the mod_proxy file? According to the mod_rewrite docs, you
can force the redirect to move through the proxy on the way through as
long as mod_rewrite loads first in the httpd.conf file. I've got a
couple of questions regarding the mod_rewrite if you can email me
off-list? Lots of details I'd like to pick your brain about, or anyone
else for that matter. I think I've got the code set I need, just need
more detailed directions as to which file I'm going to insert it into.

His humble servant,
Mark-Nathaniel Weisman
President
Outland Domain Group Consulting
Anchorage, AK USA
http://www.outlander.us

-----Original Message-----
From: Mike Tibor [mailto:tibor@lib.uaa.alaska.edu]
Sent: Tuesday, September 03, 2002 11:09 AM
To: Mark-Nathaniel Weisman
Cc: aklug@aklug.org
Subject: Re: NATD anyone?

On Mon, 2 Sep 2002, Mark-Nathaniel Weisman wrote:

> Can you stipulate a singular port to two different internal IP
> addresses using NATD under FreeBSD v4.5? For example;
> redirect_port tcp 192.168.1.2:http 80
> redirect_port tcp 192.168.1.3:http 80

The only way I think this would work is if your rules examined the payload
of the packets hitting tcp 80 on your firewall, so that they could
redirect based on something like the Host: header in the http request.

What might work better is to build apache on your firewall box with
mod_rewrite and mod_proxy, and have it act as a "reverse proxy". The
firewall box would forward the http request on to the appropriate internal
server (but via apache, rather than ipfw), but to the remote computer it
would just appear as if you were running the sites on your firewall box.

Personally I think that's overly complicated. If it were me, I'd look
into consolidating the websites all onto the firewall box, or better yet,
give the existing servers "real-world" IP addresses (I assume there's a
reason they're on separate boxes), and configure the firewall box as a
filtering ethernet bridge without an IP address (although it might be
easier to give it an address on your private network if console access is
inconvenient). I think I saw an article on how to set up the packet
filtering ethernet bridge on either bsdtoday.com or daemonnews.org, and
there may even be a howto on it.

Mike
-- 
Mike Tibor Univ. of Alaska Anchorage (907) 786-1001 voice
Network Technician Consortium Library (907) 786-6050 fax
tibor@lib.uaa.alaska.edu http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey for PGP public key




This archive was generated by hypermail 2a23 : Mon Sep 09 2002 - 23:04:32 AKDT
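
The Host:-header reverse proxy described in the quoted reply, sketched as an httpd.conf fragment. This is an added example, not configuration posted by anyone in the thread: the hostnames site-a.example and site-b.example are placeholders, the two internal addresses are the ones from the original question, and it assumes the directives sit in the main server configuration with mod_rewrite and mod_proxy loaded.

```apache
# Added example. Hostnames are placeholders; 192.168.1.2 and 192.168.1.3
# are the internal servers named in the original question.
# Assumes mod_rewrite and mod_proxy are loaded (plus mod_proxy_http on
# Apache 2.x) and that these lines are in the main server config.

# Reverse proxy only: do not let outside clients use this box as a
# forward (open) proxy.
ProxyRequests Off

# Pass the client's Host: header through, so name-based sites on the
# internal servers still see the name the client asked for.
ProxyPreserveHost On

RewriteEngine On

# Requests whose Host: header names site A go to the first internal server.
# The [P] flag hands the rewritten URL to mod_proxy instead of redirecting.
RewriteCond %{HTTP_HOST} ^(www\.)?site-a\.example(:80)?$ [NC]
RewriteRule ^/(.*)$ http://192.168.1.2/$1 [P,L]

# Requests for site B go to the second internal server.
RewriteCond %{HTTP_HOST} ^(www\.)?site-b\.example(:80)?$ [NC]
RewriteRule ^/(.*)$ http://192.168.1.3/$1 [P,L]

# Any other Host: value (or none) is refused rather than proxied, so the
# firewall box only forwards traffic for the sites it is meant to publish.
RewriteRule ^ - [F]

# Rewrite Location: headers in backend redirects so internal addresses
# are not handed back to remote clients.
ProxyPassReverse / http://192.168.1.2/
ProxyPassReverse / http://192.168.1.3/
```

With this in place the natd `redirect_port` rules for port 80 are not needed; Apache on the firewall box listens on port 80 itself and makes the per-site decision that natd cannot.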