
Re: enable HTTP traffic for 1 PC


Mysterious

Nov 17, 2009, 7:10:15 AM
On 11/12/2009 01:36 PM, tcsabina wrote:
>
> We have the following BM setup:
>
> - 2 NIC in the BM server (private, public IP).
> - HTTP proxy configured on the BM server, and LAN machines can only go
> out through the proxy.
>
> I have to enable 1 single machine to go out without the proxy. Which
> src/dst interfaces and ports should I have to define in the filter
> exceptions? I guess I need 2 rules, one for outgoing, and one for the
> reply, right?
>
>

Hi Tamas

1. First, you'll have to enable dynamic NAT on the public interface of
the BM server.
2. Then, depending on what traffic you want to allow through, the protocol on
the filter will change.
3. Source interface will be private and destination will be public.
4. Source ports will be the dynamic ones, 1024-65535. Source IP will be the
PC on the inside. If it is using a dynamic IP, then you will have a
problem, as you will not be able to use the source IP.
5. Destination port will depend on the traffic you want to allow.
6. Destination address will be all.
7. Enable Stateful filtering so you only need one exception.

Craig Johnson

Nov 18, 2009, 10:21:07 AM
In article <tcsabin...@no-mx.forums.novell.com>, Tcsabina wrote:
> I have to enable 1 single machine to go out without the proxy. Which
> src/dst interfaces and ports should I have to define in the filter
> exceptions? I guess I need 2 rules, one for outgoing, and one for the
> reply, right?
>
What is it you need to do?

Does that machine have a fixed IP? If not, you will have problems. If
so, you can allow it out with NAT, but you could also allow it out via
proxy without having to have it authenticate if that works better for
you.

As Mysterious said, enable dynamic NAT on the public IP address. (You
need to be sure your default filtering is working - see tip #13 at the
URL below).

If you have a simple situation of a single host with fixed IP address,
do what Mysterious said, and you can use the built-in www-http-st
filter definition for your filter exception. But if you don't have a
fixed IP address, adding such an exception would allow anyone to bypass
the proxy.

You will also need to have DNS capability for that host if it is not
using the proxy. This might mean adding another filter exception
(private to public, dns-udp-st).

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
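An added illustration, not BorderManager code and not from either poster: a small Python model of the exception both replies describe (private to public, dynamic source ports, a fixed source IP, www-http-st plus dns-udp-st, stateful). All addresses are constructed; the point it shows is why one stateful exception covers both the request and its reply, and why an exception with no fixed source IP lets every LAN host bypass the proxy.

```python
from collections import namedtuple

PRIVATE, PUBLIC = "private", "public"   # the two interfaces on the BM server

# in_if/out_if: the interface the packet arrives on and the one it would leave by
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port in_if out_if")

# src_ip None means any host (the "dynamic IP" case); src_ports is the dynamic range
FilterException = namedtuple("FilterException", "proto src_ip dst_port src_if dst_if src_ports",
                             defaults=(PRIVATE, PUBLIC, (1024, 65535)))

class StatefulFilter:
    """One stateful exception admits the outbound packet and remembers the flow, so
    the reply is allowed back without a second, reverse-direction exception."""
    def __init__(self, exceptions):
        self.exceptions = exceptions
        self.flows = set()             # 5-tuples of admitted outbound flows

    def allow(self, p):
        if (p.in_if, p.out_if) == (PUBLIC, PRIVATE):   # inbound: only a reply to a known flow
            return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows
        for e in self.exceptions:                       # outbound: must match an exception
            if (e.proto == p.proto and e.dst_port == p.dst_port
                    and (e.src_if, e.dst_if) == (p.in_if, p.out_if)
                    and e.src_ports[0] <= p.src_port <= e.src_ports[1]
                    and e.src_ip in (None, p.src_ip)):
                self.flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
                return True
        return False

# constructed sample addresses: the one PC, another LAN PC, a public web server, a DNS server
HOST, OTHER, WEB, DNS = "10.0.0.50", "10.0.0.51", "203.0.113.10", "203.0.113.53"

def check_fixed_ip():
    # www-http-st (tcp/80) plus dns-udp-st (udp/53), both limited to the one PC
    f = StatefulFilter([FilterException("tcp", HOST, 80), FilterException("udp", HOST, 53)])
    return (f.allow(Packet("tcp", HOST, 40000, WEB, 80, PRIVATE, PUBLIC)),    # request
            f.allow(Packet("tcp", WEB, 80, HOST, 40000, PUBLIC, PRIVATE)),    # its reply
            f.allow(Packet("tcp", WEB, 80, HOST, 40001, PUBLIC, PRIVATE)),    # unsolicited
            f.allow(Packet("tcp", OTHER, 40000, WEB, 80, PRIVATE, PUBLIC)),   # another LAN PC
            f.allow(Packet("udp", HOST, 40002, DNS, 53, PRIVATE, PUBLIC)))    # DNS lookup

def check_dynamic_ip():
    # Without a fixed address the exception has to say "any source", so every
    # LAN host can bypass the proxy: the case Craig warns about
    f = StatefulFilter([FilterException("tcp", None, 80)])
    return f.allow(Packet("tcp", OTHER, 40000, WEB, 80, PRIVATE, PUBLIC))
```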

