How best to route internal clients to internal web server? (Linux Networking forums, Linux Forums category)
I have the following setup:
an OpenBSD firewall. The only machine on my network with a real IP.
a Linux server, which provides web (and other) services.
some Linux clients.

A request for the web server comes in to the firewall, which NATs and port forwards it to the internal server.

But clients on the inside cannot use the web server, unless I put appropriate host entries into the /etc/hosts file, resolving the 'real' name of the web server to the private IP address.

Thus in /etc/hosts I must have

192.168.128.2 www.xxxx.com spam.xxxx.com
order hosts,bind

otherwise my internal clients cannot find the web server.

Is there a better way to handle this than editing each and every /etc/hosts on the network?

I run my own dhcp and bind servers, but I don't think I can use bind to serve up the domain names... ISTR the last time I tried, it wouldn't let me since I am not authoritative for the domain, and it wreaked havoc with DNS....

--
use munged address above to email me
SpamTrap DoMeNow@seiner.com
On Mon, 28 Feb 2005 10:04:11 -0800, Captain Dondo wrote:
> I have the following setup:
>
> an OpenBSD firewall. The only machine on my network with a real IP.
> a Linux server, which provides web (and other) services.
> some Linux clients.
>
> A request for the web server comes in to the firewall, which NATs and port
> forwards it to the internal server.
>
> But clients on the inside cannot use the web server, unless I put
> appropriate host entries into the /etc/hosts file, resolving the 'real'
> name of the web server to the private IP address.
>
> Thus in /etc/hosts I must have
>
> 192.168.128.2 www.xxxx.com spam.xxxx.com
> order hosts,bind
>
> otherwise my internal clients cannot find the web server.
>
> Is there a better way to handle this than editing each and every
> /etc/hosts on the network?
>
> I run my own dhcp and bind servers, but I don't think I can use bind to
> serve up the domain names... ISTR the last time I tried, it wouldn't let
> me since I am not authoritative for the domain, and it wreaked havoc with
> DNS....

If you don't mind the internal clients using a different name, you can be authoritative for your private network. I call mine localnet.prv, so my webserver would be accessed as www.localnet.prv on the internal network, while still being www.xxxx.com to the outside world.
Captain Dondo, lun20050228@19:04:11(CET):
>
> A request for the web server comes in to the firewall, which NATs and port
> forwards it to the internal server.
> But clients on the inside cannot use the web server

You're doing destination nat (or whatever is the equivalent in your OpenBSD firewall), aren't you? If so, the response is going directly from the web server to the host originating the request (since the source IP hasn't been modified). This packet isn't expected by this host, so it drops it. So you also need to source nat such traffic, in order for the responses to go through the gateway, which will send them back to the originating host.

If that's not the case, I'm clearly misunderstanding it :).

--
David Serrano
On Tue, 01 Mar 2005 22:25:13 +0000, Hue-Bond wrote:
> Captain Dondo, lun20050228@19:04:11(CET):
> So you also need to source nat such traffic, in order for the responses to
> go through the gateway, which will send them back to the originating host.
>
> If that's not the case, I'm clearly misunderstanding it :).

You understood it better than I.... DUH! It's obvious now that you explain it....

Now to figure out how to do it with pf, about which I know next to nothing... Where is that manpage???? :-)

--
use munged address above to email me
SpamTrap DoMeNow@seiner.com
Captain Dondo, mar20050301@23:40:21(CET):
>
> Now to figure out how to do it with pf, about which I know next to
> nothing... Where is that manpage???? :-)

Never used *bsd but googling for "pf source nat" seems appropriate: http://www.openbsd.org/faq/pf/nat.html :^P

--
David Serrano
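The rules David's explanation calls for, as an added pf.conf example that is not from the thread or the OpenBSD FAQ: the internal clients' connection to the public address is redirected to the web server and, in the same pass, source-translated to the firewall's own LAN address so the replies come back through it. The interface names xl0/xl1 and the public address 203.0.113.10 are assumptions; the internal network and server address are the ones from the first post. It uses the pre-OpenBSD 4.7 syntax that was current when the thread was written, with the later equivalent noted at the end.

```pf
# Added example, not from the thread: pf.conf "reflection" for the setup above.
# Assumed names: xl0 (external), xl1 (internal); the public address is a placeholder.
ext_if  = "xl0"
int_if  = "xl1"
int_net = "192.168.128.0/24"
ext_ip  = "203.0.113.10"          # placeholder: the firewall's real IP
web_srv = "192.168.128.2"         # the web server, from the first post

# Outside clients: port-forward the public address to the internal server.
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $web_srv

# Inside clients resolve www.xxxx.com to the public address too, so the same
# redirection is needed when the request arrives on the internal interface ...
rdr on $int_if proto tcp from $int_net to $ext_ip port 80 -> $web_srv

# ... and the redirected connection's source must be rewritten to the
# firewall's own internal address. Without this the server answers the client
# directly; the client never sent a packet to 192.168.128.2 and drops the reply.
# The firewall's own traffic to the LAN is left untranslated.
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $web_srv port 80 -> $int_if

# Filter rules see the translated destination: allow only the redirected
# service, and only new connections, with state tracking.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in on $int_if proto tcp from $int_net to $web_srv port 80 flags S/SA keep state

# Caveat: reflected connections reach the web server with the firewall's LAN
# address as their source, so its access logs no longer identify which internal
# client connected. Serving the private address from an internal DNS server, as
# suggested elsewhere in this thread, keeps the real client address in the logs.

# OpenBSD 4.7 and later express the two translation rules as:
#   match in  on $int_if proto tcp from $int_net to $ext_ip  port 80 rdr-to $web_srv
#   match out on $int_if proto tcp from $int_net to $web_srv port 80 \
#         received-on $int_if nat-to $int_if
```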
Captain Dondo wrote:
> I have the following setup:
>
> an OpenBSD firewall. The only machine on my network with a real IP.
> a Linux server, which provides web (and other) services.
> some Linux clients.
>
> A request for the web server comes in to the firewall, which NATs and port
> forwards it to the internal server.
>
> But clients on the inside cannot use the web server, unless I put
> appropriate host entries into the /etc/hosts file, resolving the 'real'
> name of the web server to the private IP address.
>
> Thus in /etc/hosts I must have
>
> 192.168.128.2 www.xxxx.com spam.xxxx.com
> order hosts,bind
>
> otherwise my internal clients cannot find the web server.
>
> Is there a better way to handle this than editing each and every
> /etc/hosts on the network?
>
> I run my own dhcp and bind servers, but I don't think I can use bind to
> serve up the domain names... ISTR the last time I tried, it wouldn't let
> me since I am not authoritative for the domain, and it wreaked havoc with
> DNS....
>

I'd put dnsmasq as internal network DNS server / cache into the Linux gateway host, and put the internal web server name into the /etc/hosts file of the gateway. Point all clients' DNS entries to the router, and you're done.

--
Tauno Voipio
tauno voipio (at) iki fi
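The gateway side of Tauno's suggestion, as an added example that is not his configuration: a dnsmasq.conf that answers the public names from the gateway's /etc/hosts for the LAN only and forwards everything else upstream, with DHCP handing the clients the gateway as their resolver. The interface name eth1, the gateway address 192.168.128.1, the upstream resolver and the DHCP range are assumptions.

```conf
# Added example (not from the thread): /etc/dnsmasq.conf on the internal gateway.
# Assumed: LAN interface eth1 at 192.168.128.1; the upstream resolver is a placeholder.
interface=eth1              # answer only on the LAN side ...
bind-interfaces             # ... and never bind the external interface, so the
                            # gateway is not an open resolver for the Internet
domain-needed               # never forward unqualified names upstream
bogus-priv                  # never forward reverse lookups for RFC 1918 space

# Upstream resolvers: ignore the gateway's own /etc/resolv.conf and use a fixed list.
no-resolv
server=203.0.113.53         # placeholder: the ISP's or a public resolver

# dnsmasq reads /etc/hosts by default, so the line from the first post,
#   192.168.128.2 www.xxxx.com spam.xxxx.com
# in the gateway's /etc/hosts is served to the LAN with the private address,
# while the public zone at the registrar keeps the real IP for everyone else.
# Keep that file to names the LAN is meant to see; every entry in it is answered.

# Hand the clients this box as their DNS server over DHCP, so no client's
# /etc/hosts needs editing.
dhcp-range=192.168.128.50,192.168.128.150,12h
dhcp-option=option:dns-server,192.168.128.1
```

This leaves the firewall's existing port forward untouched and, unlike NAT reflection, the web server still sees each LAN client's real source address in its logs.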