On Sun, 2002-07-21 at 15:51, Tom Eastep wrote:
> On 20 Jul 2002, Stephen Lee wrote:
>
> > Hi,
> >
> > What is the Shorewall equivalent of port-forwarding to a private address
> > DMZ as described in Dachstein? I only have 2 public static IPs so proxy
> > arp and static NAT DMZ would appear to be out of the question. I can go
> > as far as adding a second (eth2) internal private segment and getting it
> > to work via masquerading but how do I get the eth1 private segment to
> > see the DMZ (eth2) via the external ip address? Sorry if I missed this
> > description in the Shorewall docs.
> >
>
> That's FAQ #1 -- http://www.shorewall.net/FAQ.htm#faq1
My interpretation is that FAQ #1 addresses the needs of port-forwarding to the private subnet (eth1) but it does not address access from the private net to the DMZ. FAQ #2 does answer the question and I discovered this as outlined in a subsequent message.

In Dachstein, the documentation (network.txt) is more explicit about defining a "Private DMZ" which is masquerading plus some extra rules to allow for access to the DMZ from the private subnet. IMHO, this bit of glue logic doesn't seem to be obvious in the Shorewall (1.2) docs but is found in the FAQ. I would like to suggest including a brief description of the private DMZ segment example in the section on masquerading (or DMZ or snat) which references the need for BIND views or a split-horizon tinydns setup (perhaps links to FAQ #2?).

On the whole though, the documentation is excellent and I certainly appreciate the amount of sweat required to produce it.

Thanks,
Stephen

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
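The "private DMZ" glue logic Stephen describes (masquerade both internal segments, DNAT the external address to a DMZ host, and add a second DNAT rule so the eth1 segment can reach the DMZ host through the external address) can be written down as a Shorewall 1.2-style configuration. The fragment below is an added illustration, not text from the Shorewall docs, the FAQ, or the poster; the zone names, interface assignment, the DMZ web server at 192.168.2.10, and the external address 203.0.113.4 are all assumed for the example.

```text
# /etc/shorewall/interfaces   (assumed layout: net on eth0, loc on eth1, dmz on eth2)
#ZONE   INTERFACE   BROADCAST
net     eth0        detect
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/masq   (both private segments masquerade behind eth0's address)
#INTERFACE   SUBNET
eth0         eth1
eth0         eth2

# /etc/shorewall/rules
#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
# Internet clients reach the DMZ web server via the external address.
DNAT      net      dmz:192.168.2.10    tcp     80
# eth1 clients that use the SAME external address (203.0.113.4, assumed) also
# get translated to the DMZ host.  ORIGINAL DEST is deliberately filled in:
# without it every loc->port 80 connection would be rewritten to the DMZ host.
DNAT      loc      dmz:192.168.2.10    tcp     80             -                203.0.113.4
# Direct loc -> dmz access by private address does not need NAT, only a rule
# (or a loc->dmz ACCEPT policy in /etc/shorewall/policy).
ACCEPT    loc      dmz                 tcp     80
```

Because loc and dmz sit on different interfaces here, the DMZ server's replies to an eth1 client already return through the firewall and no extra SNAT/masq entry is needed; the same-interface case (client and server both on eth1) is the one that additionally requires a masq entry from the interface to itself. The second DNAT rule is only a fallback for clients that insist on the public name; the cleaner fix, as Stephen notes, is split-horizon DNS (BIND views or a split tinydns) that hands internal clients 192.168.2.10 directly so no hairpin through the firewall occurs.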