On Tue, May 28, 2002 at 07:43:42PM -0400, Ramin Alidousti wrote:
>On Tue, May 28, 2002 at 07:07:38PM -0400, George Georgalis wrote:
>
>> A nice benefit will be the ease of running an IDS on the firewall. (not
>> that it wouldn't be easily circumvented ...I'm using a configurable
>> switch so no help there)
>>
>> A mention of dropping the route to LAN on internal machines, leaving
>> the gw, and adding a forward chain on the firewall would be nice in
>> http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html
>
>Most of the time you don't want all your (local) traffic to flow through
>the firewall and back (generating tons of ICMP redirects). Another reason
>for that would be that this solution might only work for the single subnet
>topology and not when you have several internal subnets.
>
>The solution provided by Rusty in that web page is the general, elegant
>solution.
>
I guess I'm trying to get everything... I want the destination to know the
client IP whether it came from the LAN or internet. And I want clients on
the LAN to test the hosts as if they were on the internet (e.g. same ports
as seen from the internet).

Me thinks; since I'm already using source based dns, I could just reference
them by name and forward the proxy ports to the actual ports on_each_host,
then they would work, and log everything correctly too. :)

// George

--
GEORGE GEORGALIS, System Admin/Architect   cell: 347-451-8229
Security Services, Web, Mail,              mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.           http://www.galis.org/george
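To make the three setups in this exchange concrete, here is an added example script (not from the thread, the NAT-HOWTO, or either poster) that emits the iptables rules for each one from a single port map. The interface names (eth0/eth1), the addresses (203.0.113.5 as the public address, 192.168.1.0/24 as the LAN), and the port map itself are constructed values. By default it runs in dry-run mode and only prints the commands, so it can be reviewed before being applied to a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules for the three
# approaches discussed above. Interfaces, addresses and the port map are
# constructed/assumed values, not the posters' configuration.
WAN_IF=eth0             # assumed external interface of the firewall
LAN_IF=eth1             # assumed internal interface of the firewall
PUBLIC_IP=203.0.113.5   # assumed public address (TEST-NET-3, constructed)
LAN_NET=192.168.1.0/24  # assumed internal subnet
GW_LAN_IP=192.168.1.1   # assumed LAN address of the firewall

# Constructed port map: "public_port internal_host internal_port"
PORT_MAP='80 192.168.1.10 80
2525 192.168.1.20 25'

# In dry-run mode (the default) print each command instead of running it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Call "$1 public_port host internal_port" once per map entry.
each_mapping() {
    echo "$PORT_MAP" | while read -r pub host port; do
        [ -n "$pub" ] && "$1" "$pub" "$host" "$port"
    done
}

# 1. Internet -> LAN: DNAT in PREROUTING plus an explicit FORWARD accept
#    (the forward-chain rule George wants the HOWTO to mention).
wan_mapping() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp \
        --dport "$1" -j DNAT --to-destination "$2:$3"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$2" \
        --dport "$3" -m state --state NEW -j ACCEPT
}
wan_rules() { each_mapping wan_mapping; }

# 2. LAN clients using the public address (Rusty's general solution): DNAT
#    on the LAN side too, then SNAT so the reply returns via the firewall.
#    Works with any number of internal subnets, but the server logs the
#    gateway's address instead of the real client, which is George's objection.
hairpin_mapping() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$PUBLIC_IP" -p tcp \
        --dport "$1" -j DNAT --to-destination "$2:$3"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$2" -p tcp \
        --dport "$3" -j SNAT --to-source "$GW_LAN_IP"
}
lan_hairpin_rules() { each_mapping hairpin_mapping; }

# 3. George's alternative: source-based (split) DNS hands LAN clients the
#    internal address, so the only NAT left is a local REDIRECT on each host
#    whose public port differs from the real one. The client IP is preserved.
host_mapping() {
    [ "$1" = "$3" ] && return 0   # same port on both sides: nothing to do
    run iptables -t nat -A PREROUTING -d "$2" -p tcp --dport "$1" \
        -j REDIRECT --to-ports "$3"
}
host_redirect_rules() { each_mapping host_mapping; }

# Number of rules a rule set would apply; handy when reviewing a dry run.
rule_count() { "$1" | wc -l | tr -d ' '; }

if [ "${DRY_RUN:-1}" = 1 ]; then
    for f in wan_rules lan_hairpin_rules host_redirect_rules; do
        echo "# $f ($(rule_count "$f") rules)"; "$f"
    done
fi
```

Set DRY_RUN=0 on the firewall (and for the third set, on each internal host) to apply the rules instead of printing them. Restricting the DNAT rules to the public address with -d keeps LAN traffic to other hosts on the same port from being rewritten, which is the usual mistake in hairpin setups.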
