Problem with https in NAT

This is a discussion on Problem with https in NAT within the IPFilter forums, part of the System Security and Security Related category.


04-08-2008
Washington Odhiambo

Problem with https in NAT

Hello good people,

This is my first post to the list after scratching my head for hours. I am also new to this list, so please welcome me with a good solution :)

Below are my NAT rules on a FreeBSD box which acts as "everything"
(router, firewall, proxy, etc):

# bge0 = extif, bge1 = intif
# First we let this machine access itself
# Redirect local direct web traffic to local web server.
rdr bge1 192.168.1.1/32 port 80 -> 192.168.1.1 port 80 tcp
rdr bge1 192.168.1.1/32 port 443 -> 192.168.1.1 port 443 tcp

# Redirect everything else to squid on port 3128
# These redirection rules are to force users on the LAN
# to go through Squid cache on localhost
rdr bge1 0.0.0.0/0 port 80 -> 192.168.1.1 port 3128 tcp

# Also all SMTP Connections must go via localhost
rdr bge1 0.0.0.0/0 port 25 -> 192.168.1.1 port 25

# These rules do ftp proxy for gateway machine and LAN!!!

#This rule handles the FTP traffic from the gateway:
map bge0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp

#This rule will handle all the traffic for the internal LAN:
map bge0 192.168.1.0/24 -> 0/32 proxy port 21 ftp/tcp

# Now map the rest..
map bge0 from 192.168.1.0/24 ! to 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map bge0 from 192.168.1.0/24 ! to 192.168.1.0/24 -> 0/32


Now, my problem is just one. I want to comment out those last two
portmap rules so that this machine is NOT quite an open gateway.

When I do that, browsing of http sites works okay, but https (gmail.com,
yahoomail.com) sites fail, and the error on IE (dammit!) is like

DNS has failed!

How do I get https to work through these rules, with the last portmap
rules disabled?

Regards,

-- 
-Odhiambo WASHINGTON



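An added example, not from the post or from IPFilter itself: a small rule-coverage check in Python over the posted ipnat rules, with the two trailing map rules commented out as the poster intends. The matching is a deliberately simplified model (the first matching rdr on the LAN side ends the lookup, otherwise the first matching map on the outside wins), and the client 192.168.1.10 and external host 203.0.113.5 are constructed; it shows which LAN connections those rules still translate and which leave the box with no translation at all.

```python
import ipaddress
import re

# Constructed copy of the posted ipnat rules, with the two trailing map rules
# commented out as the poster intends to do.
IPNAT_RULES = """
rdr bge1 192.168.1.1/32 port 80 -> 192.168.1.1 port 80 tcp
rdr bge1 192.168.1.1/32 port 443 -> 192.168.1.1 port 443 tcp
rdr bge1 0.0.0.0/0 port 80 -> 192.168.1.1 port 3128 tcp
rdr bge1 0.0.0.0/0 port 25 -> 192.168.1.1 port 25
map bge0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map bge0 192.168.1.0/24 -> 0/32 proxy port 21 ftp/tcp
# map bge0 from 192.168.1.0/24 ! to 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
# map bge0 from 192.168.1.0/24 ! to 192.168.1.0/24 -> 0/32
"""

RDR_RE = re.compile(r"rdr\s+\S+\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)(?:\s+(\w+))?$")
MAP_RE = re.compile(r"map\s+\S+\s+(\S+)\s+->\s+\S+(?:\s+proxy\s+port\s+(\d+)\s+\w+/(\w+))?$")


def parse_rules(text):
    """Parse the rdr/map forms used above; an rdr without a protocol is tcp."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if m := RDR_RE.match(line):
            rules.append({"kind": "rdr", "net": ipaddress.ip_network(m[1]),
                          "port": int(m[2]), "proto": m[5] or "tcp",
                          "target": f"{m[3]}:{m[4]}"})
        elif m := MAP_RE.match(line):  # a plain map (no proxy port) matches all
            rules.append({"kind": "map", "net": ipaddress.ip_network(m[1]),
                          "port": int(m[2]) if m[2] else None, "proto": m[3]})
    return rules


def translate(rules, src, dst, dport, proto="tcp"):
    """Simplified ipnat model: first matching rdr (LAN side) wins and ends the
    lookup; else first matching map (outside) wins; else no translation."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["kind"] == "rdr" and dst_ip in r["net"] and (r["port"], r["proto"]) == (dport, proto):
            return f"rdr -> {r['target']}"
    for r in rules:
        if r["kind"] == "map" and src_ip in r["net"] and (
                r["port"] is None or (r["port"], r["proto"]) == (dport, proto)):
            return "map (translated)"
    return "untranslated"  # would leave bge0 with a private source address
```

With those rules alone, tcp/80 and tcp/25 from the LAN are redirected and tcp/21 is proxied, but tcp/443 matches no rule at all, so that is the port to account for before turning off the blanket map rules.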