Re: [leaf-user] Portforward to a private address DMZ in Bering RC2
On 20 Jul 2002, Stephen Lee wrote:

> Hi,
>
> What is the Shorewall equivalent of port-forwarding to a private address
> DMZ as described in Dachstein? I only have 2 public static IPs so proxy
> arp and static NAT DMZ would appear to be out of the question. I can go
> as far as adding a second (eth2) internal private segment and getting it
> to work via masquerading but how do I get the eth1 private segment to
> see the DMZ (eth2) via the external ip address? Sorry if I missed this
> description in the Shorewall docs.
>

That's FAQ #1 -- http://www.shorewall.net/FAQ.htm#faq1

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]

---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Portforward to a private address DMZ in Bering RC2
On Sun, 2002-07-21 at 15:51, Tom Eastep wrote:

> On 20 Jul 2002, Stephen Lee wrote:
>
> > Hi,
> >
> > What is the Shorewall equivalent of port-forwarding to a private address
> > DMZ as described in Dachstein? I only have 2 public static IPs so proxy
> > arp and static NAT DMZ would appear to be out of the question. I can go
> > as far as adding a second (eth2) internal private segment and getting it
> > to work via masquerading but how do I get the eth1 private segment to
> > see the DMZ (eth2) via the external ip address? Sorry if I missed this
> > description in the Shorewall docs.
> >
>
> That's FAQ #1 -- http://www.shorewall.net/FAQ.htm#faq1

My interpretation is that FAQ #1 addresses the needs of portforwarding to the private subnet (eth1) but it does not address access from the private net to the DMZ. FAQ #2 does answer the question and I discovered this as outlined in a subsequent message.

In Dachstein, the documentation (network.txt) is more explicit about defining a "Private DMZ" which is masquerading plus some extra rules to allow for access to the DMZ from the private subnet. IMHO, this bit of glue logic doesn't seem to be obvious in the Shorewall (1.2) docs but is found in the FAQ. I would like to suggest including a brief description of the private DMZ segment example in the section on masquerading (or DMZ or snat) which references the need for Bind views or a split horizon Tinydns setup (perhaps links to FAQ #2?).

On the whole though, the documentation is excellent and I certainly appreciate the amount of sweat required to produce it.

Thanks,
Stephen
Re: [leaf-user] Portforward to a private address DMZ in Bering RC2
On 21 Jul 2002, Stephen Lee wrote:

> On Sun, 2002-07-21 at 15:51, Tom Eastep wrote:
> >
> > That's FAQ #1 -- http://www.shorewall.net/FAQ.htm#faq1
>
> My interpretation is that FAQ #1 addresses the needs of portforwarding
> to the private subnet (eth1) but it does not address access from the
> private net to the DMZ.

Sorry -- I've been away for the weekend and was too hasty in reading your post.

> FAQ #2 does answer the question and I discovered
> this as outlined in a subsequent message. In Dachstein, the
> documentation (network.txt) is more explicit about defining a "Private
> DMZ" which is masquerading plus some extra rules to allow for access to
> the DMZ from the private subnet. IMHO, this bit of glue logic doesn't
> seem to be obvious in the Shorewall (1.2) docs but is found in the FAQ.
> I would like to suggest including a brief description of the private DMZ
> segment example in the section on masquerading (or DMZ or snat) which
> references the need for Bind views or a split horizon Tinydns setup
> (perhaps links to FAQ #2?). On the whole though, the documentation is
> excellent and I certainly appreciate the amount of sweat required to
> produce it.
>

Thanks for the suggestion -- my current focus is to improve the documentation and I welcome your input.

-Tom