Re: Mail and Web server with the same IP on different machines
Sorry for the delay in responding...
Diego Rodrigo Neufert wrote:
>
> I don't want to use NAT because with it I need to be changing the firewall
> machine every time.
I don't understand... changing the firewall machine every time?
You don't have a lot of choice in the matter of NAT. You ask for two
machines accessed by the same IP. This is not directly possible with
IP -- each machine on a subnet has to have a unique IP number. You
HAVE to have some kind of Network Address Translation in place to do
this (right? Or am I missing something?).
> What I want to do is this:
> Firewall - no IP. it's a bridge
> Mail Server - x.x.x.5
> Web Server x.x.x.6-255 ( it's because I have a lot of domains here)
>
> Put a firewall (2 NICs) machine with bridge to hide the firewall from the
> world,
> Any packet passing through the firewall NICs with a destination to
> x.x.x.6-255 on port 110 or 25 gets redirected to x.x.x.5
I don't think it works this way.
You are trying to do transparent NAT (the redirection) on a bridging
firewall. I don't think that works.
General hint: Transparent firewalls are great to clean up a bad
design, but if you are using them for your initial design, there is
often (usually? almost always?) a better way.
hmmm...I wonder if (on a conventional firewall):
rdr fxp0 x.x.x.0/24 port 110 -> 192.168.1.5 port 110
would work to route all port 110 traffic on the x.x.x. network to
192.168.1.5? A quick look at the IPF-Howto files seems to indicate it
would.
As far as I know (and I believe this is what I took out of the
IPF-Howto) with redirection and IPF, the destination HAS to be on a
different subnet than the incoming port, you have to use Network
Address Translation.
> *Note that the packets to be redirected don't need to have their destination
> pointing to a NIC on the firewall machine, any packet passing through the
> bridge should be redirected....
I have not found any reference to redirection and bridging in the
IPF-Howto. http://www.obfuscation.org/ipf/ipf-howto.txt
On the other hand, I haven't spent hours working on it, either. 8-)
I don't think your design is optimal here. Perhaps if you shared with
us your GOALS rather than just the tools you think achieve your goals
-- keep in mind, you may not have knowledge of all the options under
OpenBSD. It sounds like a poorly written piece of software (your
tracking system) is causing you some bad network design... It is a
fact of life that many E-mail systems and web servers are NOT on the
same physical machine and physical IP address, the 'net is designed
around this. I'd even go slightly out on a limb to say that this is
true in most but the smallest sites. If your software is designed
only for small sites, I really question why it should be used when you
have "lots of domains" to track. Again, let the list know what your
goals are here, maybe someone knows of better software to use.
Nick.
> If it's not clear just ask me more....
>
> Thanks
>
> On Tuesday 23 January 2001 09:35 pm, Nick Holland wrote:
> > Two ways I can think of (o.k., one way with a minor variant) :
> >
> > 1) Use a third OpenBSD box as a "firewall" system, use IPNAT to route
> > the mail traffic to the mail machine, and the web traffic to the web
> > machine (using rdr).
> >
> > 2) Put (for example) the mail server directly on the 'net, and use
> > IPNAT (and rdr) on that box to route web traffic to another machine
> > attached via a second NIC.
> >
> > Using rdr options with ipnat allows you to route packets addressed to
> > certain ports to certain machines behind the NAT. See the Networking
> > FAQ for more info.
> >
> > If the machines are really so heavily loaded that you need two
> > machines, you would probably prefer the first option. Another
> > advantage is that you can do major maintenance (i.e., take it down) on
> > either server without affecting the other.
> >
> > Nick.
> >
> > Diego Rodrigo Neufert wrote:
> > > Hi,
> > >
> > > I want to separate my mail and web servers on two different machines but I
> > > can't give another IP addr to the mail server because I have lots of
> > > domains here and my statistics system needs both IPs (Web and Mail)
> > > to be the same.
> > >
> > > I have a clue on this in linux with Advanced Routing....
> > >
> > > Any ideas to do this in OBSD?
> > >
<sigs snipped to slightly reduce message size>
--
http://www.holland-consulting.net/
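As an added illustration of the first option Nick describes above (a separate OpenBSD box running IPNAT, with rdr sending mail ports to one machine and web ports to another), here is a constructed /etc/ipnat.conf. It is not from the thread or from the IPFilter documentation; the interface name fxp0, the public address 203.0.113.5 standing in for x.x.x.5, and the private hosts 192.168.1.5 (mail) and 192.168.1.6 (web) are all assumed placeholders.

```conf
# /etc/ipnat.conf -- constructed example, not from the thread.
# fxp0 is the assumed public interface; 203.0.113.5 stands in for the
# single public address (x.x.x.5). The servers hang off a second NIC in
# 192.168.1.0/24, i.e. a different subnet from the incoming interface,
# which is the condition the thread notes rdr needs.

# Inbound: mail ports on the public address are redirected to the mail host ...
rdr fxp0 203.0.113.5/32 port 25  -> 192.168.1.5 port 25  tcp
rdr fxp0 203.0.113.5/32 port 110 -> 192.168.1.5 port 110 tcp

# ... and the web port is redirected to the web host, so both services
# are reachable on one public IP even though they are separate machines.
rdr fxp0 203.0.113.5/32 port 80  -> 192.168.1.6 port 80  tcp

# Outbound: internal hosts leave from the same public address.
# portmap keeps many simultaneous internal connections distinct on one IP;
# the second map line covers protocols without ports (e.g. ICMP).
map fxp0 192.168.1.0/24 -> 203.0.113.5/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 203.0.113.5/32
```

Load it with `ipnat -CF -f /etc/ipnat.conf` and check the active rules with `ipnat -l`. The ipf.conf filter rules still have to pass the redirected traffic; rdr translation is applied to inbound packets before filtering, so the pass rules for the mail and web ports should match on the private destination addresses, as the IPF-Howto linked above explains. This covers the single-public-address case from the original question; it does not attempt the bridge-plus-redirection design, which the thread could not confirm is supported.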