Charles Steinkuehler wrote:
> 
> > Here's the issue:
> >
> > a.b.c.156/30 wan network (domain: ISP.com)
> > a.b.c.157 local wan address (wan1)
> > a.b.c.158 remote wan address (peer)
> > x.y.z.64/26 public ip block (domain: customer.com)
> > x.y.z.64/26 dmz network
> 
> This is a normal 'routed' type of DMZ.
> 
> > For example, when I ssh out to somewhere on the Internet from
> > 192.168.1.101 and invoke `w' I see that I am FROM a.b.c.157.
> >
> > This is OK for most situations, because all network traffic, originating
> > from the Internet, through the firewall should have destination on the
> > dmz.
> >
> > However, what if I want to run ftpd on 192.168.1.101 and I want users to
> > use ftp://myhost.customer.com, *not* by ip or myhost.ISP.com ???
> >
> > Yes, I know about port forwarding, &c.
> >
> > *HOW* can I take one (1) address out of x.y.z.64/26, let's say x.y.z.72,
> > and have that address also bound to wan1?
> 
> It's tricky, and I haven't actually needed to do it yet...
> 
> The easy part is port-forwarding (from the DMZ interface of the router in
> this case)...the hard part is reverse masquerading the packets and giving
> them the public IP of the DMZ interface instead of the external interface.
> I'm not sure this is possible with ipchains (it is with iptables).
> 
> You may have to static-NAT one of your internal machines into the DMZ to get
> this to work properly, which is an even worse idea than port-forwarding
> traffic to your internal net, which is already a pretty bad idea.
> 
> Can you perhaps describe exactly what you're trying to get working, and
> perhaps there's a better network architecture (i.e. safer & easier to
> implement) to do what you want.  You can e-mail me directly if this is
> sensitive info you don't want on-list...

We have a client that insists on exposing a critical internal server to
the Internet ;<

They want their internal application and file server to also host their
Exchange server and -- god help us all -- possibly IIS, as well ;<

I didn't feel so bad when considering the server's masq'd address can
only be accessed from the Internet insofar as we port forward to it. 
Actually, they asked us to put this server on the dmz ;>

So, for the Internet to find this server via DNS on the customer's
domain, how else might we accomplish this?

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .
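The two parts Charles describes (port-forward one service in, then give the host's traffic the DMZ-block address instead of a.b.c.157) written as iptables rules, as an added example that is not from the thread. It assumes a 2.4-era netfilter kernel on the LEAF box, an internal interface named eth1 (name assumed), the placeholder addresses from the question, and that x.y.z.72 is reserved for this and not used by any DMZ host.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes wan1 external, eth1 internal
# (assumed name), 192.168.1.101 the exposed host, x.y.z.72 reserved for it.
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"

WAN_IF=wan1
LAN_IF=eth1
PUBLIC_IP=x.y.z.72          # placeholder from the question
INTERNAL_HOST=192.168.1.101
SERVICE_PORT=21             # ftpd; repeat the rule set per exposed port

# Bind the chosen DMZ-block address to wan1 so the router owns it and does
# not try to forward it onto the DMZ segment, where nothing would answer.
bind_public_ip() {
    ip addr add "$PUBLIC_IP/32" dev "$WAN_IF"
}

# Easy part: DNAT inbound connections for one port to the internal host.
# Hard part (reverse masquerading): conntrack already un-NATs the replies,
# but connections the host opens itself (active-mode FTP data, outbound
# mail) would leave as a.b.c.157 unless SNATed to the DMZ-block address.
nat_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
        -p tcp --dport "$SERVICE_PORT" -j DNAT --to-destination "$INTERNAL_HOST"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$INTERNAL_HOST" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# Forwarding is what actually exposes the internal net: permit only the one
# port to the one host, allow its replies back out, drop everything else
# coming in from the Internet toward the LAN.
forward_rules() {
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$INTERNAL_HOST" \
        -p tcp --dport "$SERVICE_PORT" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INTERNAL_HOST" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j DROP
}

# FTP data connections through NAT need the conntrack/NAT helper modules
# (ip_conntrack_ftp and ip_nat_ftp on 2.4 kernels) loaded before these rules.
case "${1:-}" in
    apply) bind_public_ip; nat_rules; forward_rules ;;
esac
```

Run `IPT=echo sh nat.sh apply` to review the generated rules before applying them for real.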
