> Ola Theander <[EMAIL PROTECTED]> wrote:
> >
> > Internet addresses                          Internal addresses
> >
> > 196.13.12.105 -----------| <-> |-------- 10.0.0.5   web server 1
> > 196.13.12.106 -----------| <-> |-------- 10.0.0.6   web server 2
> > 196.13.12.107 -----------| <-> |-------- 10.0.0.7   ftp server
> > 196.13.12.108 -----------| <-> |-------- 10.0.0.8   smtp server
> >                          |__         __|
> > External NIC 196.13.12.110  |       |  10.0.0.10 IP address of internal NIC
>
> This should be workable. You will use ip-aliasing to create several
> virtual interfaces on your firewall's external NIC (so that it will
> respond to each of the listed external networks). Then, create a tight
> set of firewall rules to restrict most traffic that comes in from those
> aliased IP addresses. Use "ipportfw" to redirect the valid traffic from
> each IP address to the corresponding internal web server.
>
> Sounds easy, right? :)
>
Well, I don't think so. Mind the oddities of FTP. Transferring data
will only work with port mode, where your FTP server initiates the data
connection from port 20. Passive mode means the data connection is initiated
by the FTP client from an arbitrary port to an arbitrary port of your FTP
server (your firewall in your case). I bet you won't allow those
connections? But then a lot of FTP clients (Communicator, IE) won't work.
Am I right?
Markus
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]