port forwarding
Nikolay A. Fetisov
email hidden
Wed Jul 23 13:48:29 CEST 2008
On Tue, 22 Jul 2008 15:32:49 -0700
Gary Koskenmaki wrote:
> ...
> I have a test lab in which I use fiaif for the gateway firewall, an
> apache server, and a workstation. I have set up fiaif to port forward
> www traffic to the apache server and that works fine from any non-local
> IP address. However, I have a problem reaching the apache server
> through the gateway from the workstation. .... My best guess is that fiaif is
> denying my access to the web server because it's having trouble
> forwarding traffic from EXT that originates in INT back into INT.
No, forwarding (i.e. DNAT) is working perfectly in this case. The problem
is in the network topology.
The workstation and apache server are both in the same LAN, and the gateway only
_forwards_ packets - by replacing the destination address.
When the workstation tries to send a request to the apache server, it sends
packets to the external gateway IP. The gateway redirects them to the
apache server. And the apache server answers - to the workstation.
But the packets with the answers go directly to the workstation - not
through the gateway.
So the workstation sends requests to the _gateway IP_, but receives answers
from the _apache server_.
> Would
> moving the web server over to the DMZ zone fix this problem?
Yes, if this avoids a direct route from the apache server to the workstation.
Or you can set up an internal DNS server to provide the apache server's
direct IP to the LAN.
Or you can set up a TCP proxy on the gateway.
--
Best regards,
Nikolay Fetisov
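To make the asymmetric path concrete, the following simulation is an added example, not part of the original thread or of fiaif: it follows one request and its reply through the same-LAN topology, the DMZ topology, and the split-DNS option discussed above. All addresses are constructed, and the gateway's DNAT and connection tracking are simplified to one address pair (a /24 comparison stands in for routing).

```python
from dataclasses import dataclass

# Constructed lab addresses (assumed for this example, not from the post).
WS_IP, APACHE_IP = "192.168.1.10", "192.168.1.20"      # workstation, apache on INT
GW_INT_IP, GW_EXT_IP = "192.168.1.1", "203.0.113.5"     # gateway INT and EXT sides
APACHE_DMZ_IP = "10.0.0.20"                             # apache if moved to the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Gateway:
    """Simplified DNAT port forward: traffic to the EXT IP is rewritten to the
    target, and replies the gateway *sees* are translated back to the EXT IP."""

    def __init__(self, dnat_target: str) -> None:
        self.dnat_target = dnat_target
        self.conntrack: dict[tuple[str, str], str] = {}  # (client, target) -> original dst

    def forward(self, pkt: Packet) -> Packet:
        if pkt.dst == GW_EXT_IP:                          # inbound request: apply DNAT
            self.conntrack[(pkt.src, self.dnat_target)] = pkt.dst
            return Packet(pkt.src, self.dnat_target)
        key = (pkt.dst, pkt.src)                          # reply: undo DNAT if tracked
        if key in self.conntrack:
            return Packet(self.conntrack[key], pkt.dst)
        return pkt


def same_subnet(a: str, b: str) -> bool:
    """Crude /24 check: hosts on the same subnet talk directly, bypassing the gateway."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def simulate(apache_ip: str, requested_ip: str = GW_EXT_IP) -> str:
    """Return the source address the workstation sees in the reply."""
    gw = Gateway(apache_ip)
    request = Packet(WS_IP, requested_ip)
    if not same_subnet(WS_IP, request.dst):   # off-subnet destination goes via gateway
        request = gw.forward(request)
    reply = Packet(request.dst, request.src)  # apache answers by swapping addresses
    if not same_subnet(reply.src, reply.dst): # reply passes the gateway only across segments
        reply = gw.forward(reply)
    return reply.src


def reply_matches_request(apache_ip: str, requested_ip: str = GW_EXT_IP) -> bool:
    """True when the reply's source is the address the workstation connected to."""
    return simulate(apache_ip, requested_ip) == requested_ip
```

With apache on the same LAN the reply arrives from `192.168.1.20` while the SYN went to `203.0.113.5`, so the workstation's TCP stack has no matching connection and discards it; moving apache to the DMZ or resolving the name to the LAN address directly makes the two agree.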