Charles Steinkuehler wrote:
> 
> > > Just port-forward the service from the public IP of the firewall (the
> > > near end IP of the T1 link).  The reverse masquerade rules will do the
> > > right thing, and everything should work fine.  There are also hooks in
> > > place to do this already, so no custom forwarding and static-NAT rules,
> > > making the system easier to maintain.  The public IP of the server
> > > system will fall outside the DMZ range, but unless your customer has
> > > their own IP range (unlikely, since you mentioned it's a /26), they're
> > > using 'borrowed' IPs from the ISP anyway...might as well make effective
> > > use of ALL the IPs you've been given, and save yourself some trouble in
> > > the process...
> >
> > If DNS can be set up -- on the customer's side -- to point
> > server.customer.com to an address in ISP.com's domain, then this
> > appears straightforward.
> >
> > Is this what you're suggesting?
> 
> Yes.  Remember, you typically have full control over forward lookups in
> yourdomain.com.  So I could (for instance) point lrp.steinkuehler.net to
> www.whitehouse.gov, if I really wanted to.  Your DNS server just translates
> arbitrary names in the domain you lease from the IANA to IP addresses...you
> control what IP addresses you want to map to various names.

Our concern is about forward lookup of an address from outside of the
customer.com domain, using a name from within that domain and within our
domain configuration ;>

> That being said, you may or may not be able to create a reverse DNS entry,
> although this shouldn't be too much of a problem.  Your ISP 'owns' the IP
> range you're using (likely the range for both the point-point T1 and the /26
> subnet they route to you).  You'll have to talk to their DNS guru if you
> want reverse lookups of your IPs to say something other than their default
> (typically something like <ip>.city.bigisp.com).

This, too, is a legitimate concern.

> In general, as long as your ISP is actually running a valid reverse DNS for
> your IP range (lots of things will time out & cause delays if your IP
> doesn't reverse resolve), you probably don't need to worry about the reverse
> lookups...

To us, being in control and truly managing our domain necessitates doing
so from within our DNS configuration.  We find that we can do our job
most reliably if we only require the ISP to forward to our domain from
within their upstream DNS.  Although many ISPs are eminently
competent, it is becoming all too common for us to bump into
incompetently set up DNS - especially those run from wintel ;<

Actually, we did this:

        wan1_IP_EXTRA_ADDRS="x.y.z.65"

and, without any DMZ, we get what we want.  Actually, going to the
Internet from the internal, private network, we appear to the Internet
as a.b.c.157, which does not appear to be any conceivable issue.

Most importantly, when we do http://x.y.z.65/ from a remote Internet
site, we can get to our port-forwarded internal server !!!

This is what our customer wants, so we are pleased.

The confusion stems from doing this:

        wan1_IP_EXTRA_ADDRS="x.y.z.64/26"

Although this is accepted by ipchains, only x.y.z.64 is pingable from
the Internet; but, as the network itself, we couldn't get to anything,
port-forwarding or not.

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .

_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user
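The /26 behaviour reported in the post is what one would expect from a tool that takes an address/prefix pair: `x.y.z.64/26` names the single address `x.y.z.64` with a 26-bit mask, not the 64 addresses of the block, so only `.64` answers and the rest of the range stays unreachable. As an added illustration (not code from the list post or from the LEAF distribution), the POSIX shell script below expands a CIDR block into its usable host addresses and joins them into a space-separated list. It assumes, which the thread does not confirm, that a list-style variable such as `wan1_IP_EXTRA_ADDRS` would need each address spelled out individually; `192.0.2.64/26` is a constructed sample taken from the documentation address range.

```shell
#!/bin/sh
# Expand an IPv4 CIDR block into its usable host addresses.
# Constructed example; not part of LEAF/Dachstein or the list post.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    printf '%d\n' $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip INTEGER -> dotted quad
int2ip() {
    printf '%d.%d.%d.%d\n' \
        $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# cidr_hosts A.B.C.D/N -> usable host addresses, one per line.
# The network and broadcast addresses are excluded, so a /31 or /32
# yields nothing; the host bits of the given address are ignored.
cidr_hosts() {
    addr=${1%/*}
    plen=${1#*/}
    base=$(ip2int "$addr")
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( base & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    i=$(( net + 1 ))
    while [ "$i" -lt "$bcast" ]; do
        int2ip "$i"
        i=$(( i + 1 ))
    done
}

# cidr_extra_addrs A.B.C.D/N -> the same hosts on one line, space
# separated: the form a list-style config variable would take (assumption).
cidr_extra_addrs() {
    cidr_hosts "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone usage: ./cidr_hosts.sh 192.0.2.64/26 (constructed sample)
cidr_extra_addrs "${1:-192.0.2.64/26}"
```

For a /26 starting at `.64` this prints `.65` through `.126`, 62 addresses in all; the `x.y.z.65` entry that the post found to work is simply the first of them, and the network address `.64` that answered pings under the `/26` form is exactly the one address the list leaves out.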