At 04:51 PM 6/2/00, you wrote:
>On Fri, 2 Jun 2000, Alan Mead wrote:
>
> > >external host with the same IP as a server on the inside requests
> > >something from the inside host, it gets through fine, and receives an
> > >answer fine due to the way the PIX does the translation.
> >
> > When you say "determine internal and external traffic by the address" you
> > lose me. It's entirely possible that a local host and a remote host are
> > both using the same IP, right? So for those few remote hosts that share
>
>Yes, that is possible. However, the requests are being made to my
>external address, not my internal one. So, theoretically (highly!), I
>should be able to tell that the request was for my external. However,
>I'm not familiar enough with the translation rules of the firewall.

As far as I know, you can distinguish interface (but you have only eth0,
right?), chain (input, output, etc.), IP, port, service, etc. IP is a
natural choice, but by the time the packet hits your eth0 it looks
internal. I think that catching this at the border would be easy, but I
don't think it will work internally.

If you have an IP for the webserver, you could just put it outside the
firewall and seal everything except 80 and 22. There are a few other
packets that should get through, I think. But then you would have very
limited access to your peers on the LAN.

-Alan
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.