httpd-users mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject RE: [users@httpd] NATD
Date Mon, 02 Sep 2002 09:20:49 GMT


On Mon, 2 Sep 2002, Mark-Nathaniel Weisman wrote:

>   My firewall is a FreeBSD box running internal IPFW and NATD from the
> kernel. My goal is to route only a singular domain name to the second IP

Since the FreeBSD firewall/nat software does not look 'inside' the TCP
connection you will somehow need to distinguish connections coming from
the outside so as to be able to route them to the right inside IP.

This could be done by having two outside IP addresses, or one outside address
with two ports (e.g. 80 and 88), etc, etc.

But if there is just one outside address and just one outside port then
you will have to use name-based virtual hosting and have all your external
servers visible on one internal port.

There is little of a security issue with that, as you can specify the right
'allow from' by IP range; for example, put lines like

	Order deny,allow
	Deny from all
	Allow from 10.0.0.0/24

for your internal servers (assuming 10.0.0.0 netmask 255.255.255.0 is your
internal network).

Or you could hire someone with the right background to help you route on
the firewall or on nat level or use a (reverse) proxy on the firewall. But
that gets very complex very quickly.

Dw
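
The setup described in the reply, written out as an added example (this is not
configuration from the original message or from the Apache project; the host
names, the internal address 10.0.0.2 and the directory paths are assumptions).
It assumes natd on the FreeBSD box forwards outside port 80 to the internal
Apache host with `redirect_port tcp 10.0.0.2:80 80`; natd rewrites only the
destination address, so Apache still sees each client's real source address,
which is what the IP-based Allow/Deny rules key on. The point the reply makes
is that name-based dispatch by itself is not access control: any outside
client can send `Host: intranet.example.com`, so the internal site needs the
IP restriction, and the first vhost (the default for unknown or missing Host
headers) should be an empty one rather than a real site.

```apache
# Added example, not from the original message. Apache 1.3/2.0-style
# httpd.conf fragment. Assumed: 10.0.0.2 is the internal Apache host,
# 10.0.0.0/24 is the internal network, natd forwards external port 80 to
# 10.0.0.2:80 (natd.conf: redirect_port tcp 10.0.0.2:80 80).

NameVirtualHost 10.0.0.2:80

# First vhost is the default: requests with an unknown or missing Host:
# header land here, so make it an empty, fully denied site.
<VirtualHost 10.0.0.2:80>
    ServerName default.invalid
    DocumentRoot /usr/local/www/empty
    <Directory /usr/local/www/empty>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# The one site that is meant to be reachable from the outside.
<VirtualHost 10.0.0.2:80>
    ServerName www.example.com
    DocumentRoot /usr/local/www/www.example.com
    <Directory /usr/local/www/www.example.com>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# Internal-only site sharing the same address and port. The Host: header
# selects it, but only the Allow from 10.0.0.0/24 keeps outside clients
# out; with Order deny,allow the Allow overrides the Deny for internal
# source addresses and everything else gets 403.
<VirtualHost 10.0.0.2:80>
    ServerName intranet.example.com
    DocumentRoot /usr/local/www/intranet
    <Directory /usr/local/www/intranet>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/24
    </Directory>
</VirtualHost>
```

To check the dispatch, `httpd -S` prints the parsed vhost table and which
vhost is the default. To check the restriction actually holds, request the
internal name from a host outside the firewall, e.g.
`curl -H 'Host: intranet.example.com' http://<outside-address>/`, and confirm
a 403; the same request from a 10.0.0.x address should succeed. On Apache 2.4
the Order/Allow/Deny directives only work with mod_access_compat loaded; the
native equivalents are `Require all denied` and `Require ip 10.0.0.0/24`.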



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

