I always seem to find my way into funny configurations.... sigh.... and
find myself getting headaches because of it.  I'll probably wind up
changing the configuration anyway, but here it is:

*************             ****************
*  DNS/NTP  *             *   Server 3   *
*************             ****************
      |                           |
      +------- Private Net -------+
      |                           |
*************             ****************
*  Server 1 *             *  Oxygen/LRP  *
*************             ****************
      |                           |
------+------- Corp Net ----------+-------
      |                           |
*************             ****************
*  My Wstn  *             *  DBA Wstn    *
*************             ****************


Server 1 (and three others like it not shown) do *NOT* route, and have
ip forwarding turned off (they are HP-9000s).  The LRP box does routing
and firewalling.

The problems I'm having one by one don't seem to be a big deal; add them
all up and they add up to a BIG headache.  Here are the "rules":

MyWstn -> PrivateNet: UnrestrictedAccess
DBAWstn -> Server3: UnrestrictedAccess

Those aren't too hard.  The more difficult part is that the Oxygen/LRP
took the place of the DNS/NTP server listed above (and includes syslog
and ssh too).  So I want to do this:

CorpNet NTP -> Oxygen -> NTP
CorpNet NTP <- Oxygen <- NTP

The headache comes in that I'm using this rule:

ipchains -A forward -j MASQ

So the firewall gets two packets:

CorpNet -> Corp-ServerIP ..........redirected to protected server
DNS/NTP-IP -> CorpNet .............response...

On top of all this, I'm trying to build a sort of toolkit that will help
myself and others do this easily.

On top of all that, this means that there are "servers" on the
firewall.  The way I see it, there's about a million boundaries:

WildNet -> firewall
firewall -> WildNet
TameNet -> firewall
firewall -> TameNet
WildNet -> TameNet  ...this is actually WildNet -> firewall -> TameNet
(two crossings!)
TameNet -> WildNet  ...this is actually TameNet -> firewall -> WildNet
(two crossings!)

Now add in forwarding - and maybe redirection - and that can triple all
of these.

How do you all handle such things and other very strange configurations
without losing your MIND?

...or do you just reconfigure the net :-)

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel
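An added worked example, written for this page and not taken from the post above or from the LEAF/LRP project: a small Python model of which ipchains chains a packet traverses and which of the boundaries the post enumerates it crosses, for the masquerade-plus-redirect setup described. The addresses (10.0.0.0/24 as the Corp Net, 192.168.1.0/24 as the Private Net, 192.168.1.10 as the protected DNS/NTP box) and the port-redirection table are assumptions made for illustration; the ordering it models is the ipchains 2.2 one (input, then redirection, then forward and output for anything not delivered locally), with the post's unconditional `ipchains -A forward -j MASQ` applied to every forwarded packet.

```python
"""Trace which ipchains chains and trust boundaries one packet crosses.

Added illustration, not from the original post or the LEAF/LRP project.
Assumed (constructed) topology:
  eth0 = Corp Net   ("WildNet"), firewall address 10.0.0.1/24
  eth1 = Private Net ("TameNet"), firewall address 192.168.1.1/24
  protected DNS/NTP server 192.168.1.10, reached from the Corp Net by a
  port redirection of the firewall's Corp-side address (ipmasqadm portfw
  style), with an unconditional `ipchains -A forward -j MASQ`.
"""
import ipaddress

CORP_NET = ipaddress.ip_network("10.0.0.0/24")      # assumed Corp Net
PRIV_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed Private Net
FW_CORP = ipaddress.ip_address("10.0.0.1")          # firewall, Corp side
FW_PRIV = ipaddress.ip_address("192.168.1.1")       # firewall, Private side
SERVER = ipaddress.ip_address("192.168.1.10")       # protected DNS/NTP box

# (firewall address, proto, dst port) -> internal server the firewall
# forwards it to.  Hypothetical entries for NTP and DNS.
REDIRECTS = {
    (FW_CORP, "udp", 123): SERVER,
    (FW_CORP, "udp", 53): SERVER,
    (FW_CORP, "tcp", 53): SERVER,
}


def side(addr):
    """Name the network a host sits on, using the post's Wild/Tame terms."""
    if addr in CORP_NET:
        return "WildNet"
    if addr in PRIV_NET:
        return "TameNet"
    return "Elsewhere"


def fw_addr_on(net_side):
    """Firewall address on the given side (what MASQ rewrites source to)."""
    return FW_CORP if net_side == "WildNet" else FW_PRIV


def trace(src, dst, proto, dport):
    """Return chains traversed, boundaries crossed and on-wire addresses.

    Every packet arriving on a wire hits `input`; port redirection
    rewrites the destination after `input`; a packet not addressed to
    the firewall then goes through `forward` (where the unconditional
    MASQ rewrites the source to the firewall's address on the outgoing
    side) and `output`.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    in_side = side(src)
    result = {"chains": ["input"],
              "boundaries": [f"{in_side} -> firewall"],
              "redirected": False,
              "wire_src": src, "wire_dst": dst}

    target = REDIRECTS.get((dst, proto, dport))
    if target is not None:
        dst = target
        result["redirected"] = True

    if dst in (FW_CORP, FW_PRIV):
        # Delivered to a daemon on the firewall (ssh, syslog): one crossing.
        result["wire_dst"] = dst
        return result

    out_side = side(dst)
    result["chains"] += ["forward", "output"]
    result["boundaries"].append(f"firewall -> {out_side}")
    # `-A forward -j MASQ` applies in both directions, so even a Corp-side
    # workstation talking to Server 3 arrives there as the firewall's
    # Private-side address.  For the redirected NTP reply this is what
    # makes the client see the answer come from the address it asked.
    result["wire_src"] = fw_addr_on(out_side)
    result["wire_dst"] = dst
    return result


def distinct_paths():
    """Enumerate the boundary paths the model produces for sample packets.

    One source side against a locally delivered, a forwarded and a
    redirected destination, i.e. the 'one crossing / two crossings /
    redirect on top' multiplication the post complains about.
    """
    cases = [
        ("10.0.0.50", "10.0.0.1", "tcp", 22),         # Wild -> fw (ssh)
        ("10.0.0.50", "10.0.0.1", "udp", 123),        # Wild -> fw, redirected
        ("10.0.0.50", "192.168.1.10", "udp", 123),    # Wild -> Tame forwarded
        ("192.168.1.10", "192.168.1.1", "udp", 514),  # Tame -> fw (syslog)
        ("192.168.1.10", "10.0.0.50", "udp", 123),    # Tame -> Wild (reply)
    ]
    return sorted({" => ".join(trace(*c)["boundaries"]) for c in cases})


if __name__ == "__main__":
    for c in [("10.0.0.50", "10.0.0.1", "udp", 123),
              ("192.168.1.10", "10.0.0.50", "udp", 123)]:
        print(c, trace(*c))
    for p in distinct_paths():
        print(p)
```

Running it shows the NTP request to the firewall's Corp-side address being rewritten to the protected server and crossing two boundaries, while an ssh connection to the same address stops at `input` with one crossing; the side effect of the unconditional MASQ (the internal server only ever sees the firewall's own address as the source) shows up in `wire_src`.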