"Ejvind, Kristian" wrote:
> > Then create the NAT rules
> >
> > Original Translated
> > Source / Destination / Service --> Source / Destination / Service
> > -------------------------------------------------------------------------------
> > Any / ext-fw / pop3 --> Original / int_pop / Original
> > Any / ext-fw / smtp --> Original / int_smtp / Original
> > Any / ext-fw / http --> Original / int_www / Original
>
> Would you mind describing the hard part as well?
>
> Exactly how do you setup your routing table on the firewall?
>
> *evil grin*
That's easy:
route add 1.1.1.1 22.22.22.22
Where 1.1.1.1 is the NATed "universal server" address (above described as EXT-FW)
and 22.22.22.22 the address of the router between the FW and the internal servers.
Maybe you will have to add the necessary entries to your ARP table manually.
*innocent babyface* ;-)
Another minimal solution: build a DMZ, place a "universal server" there with a
properly configured RINETD or XINETD + REDIR installed which forwards the
connections to the diversified internal servers. This will have the advantage that
you do not have to have an internal router - and the IP stream is broken up so
IP-level attacks (false fragmentation etc.) will be stopped in the DMZ. Okay, could
be made with an internal server, too...
Bye
Volker
--
Volker Tanger <[EMAIL PROTECTED]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/
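As an added illustration (not code from this thread, and not RINETD or REDIR themselves), the sketch below does in Python what those tools do on the DMZ "universal server": accept the outside connection, open a fresh TCP connection to the internal host, and relay bytes both ways, so the internal server never sees the outside client's own IP datagrams. The 10.0.1.x addresses and the port table are assumptions for the example; roundtrip() is a loopback self-check with a stand-in internal server.

```python
import socket
import threading
from contextlib import suppress

# Constructed table, listen port -> internal host (addresses are assumptions):
FORWARD_TABLE = {110: ("10.0.1.10", 110), 25: ("10.0.1.20", 25), 80: ("10.0.1.30", 80)}

def _pump(src, dst):
    # Copy bytes one way until src closes, then pass the EOF on to dst.
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle_client(client, target):
    # A *new* TCP connection is opened to the internal host, so it only sees
    # packets built by this relay's own IP stack; the outside stream ends here.
    with client, socket.create_connection(target) as upstream:
        t = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        t.start()
        _pump(client, upstream)
        t.join()

def serve(bind_addr, target):
    # Accept in a background thread; returns the listening socket.
    listener = socket.create_server(bind_addr)
    def accept_loop():
        with suppress(OSError):  # ends when the listener is closed
            while True:
                client, _ = listener.accept()
                threading.Thread(target=handle_client, args=(client, target),
                                 daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return listener

def roundtrip(payload):
    # Loopback self-check: a stand-in "internal" server echoes with a "220 " prefix.
    inner = socket.create_server(("127.0.0.1", 0))
    def fake_internal():
        with inner.accept()[0] as conn:
            conn.sendall(b"220 " + conn.recv(4096))
    threading.Thread(target=fake_internal, daemon=True).start()
    relay = serve(("127.0.0.1", 0), inner.getsockname())
    with socket.create_connection(relay.getsockname()) as c:
        c.sendall(payload)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    relay.close()
    inner.close()
    return reply
```

On the DMZ host itself one would call serve(("0.0.0.0", port), target) once per FORWARD_TABLE entry; the firewall then only needs to permit those three ports to the DMZ address and the DMZ host's outbound connections to the internal servers.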