John Clarke wrote:
> Hi Shawn,
>
> I'm no network/security/firewall expert, but provided domains A-D have
> distinct IP addresses: with NAT/port forwarding enabled on the gateway,
> incoming requests can be redirected to an IP address+port inside the firewall.
>
> So in your case, for the 4 domains you would add a total of 3+4+1+3
> redirect rules to your packet filter or iptables config.
>
> My $0.02. I have done this in OpenBSD, to redirect HTTP requests. But
> although it is easy to do, what security nightmare it may pose I'm not
> sure.
>
> Are there any security experts who might care to comment?
>
> John
Thanks John (and Juan).

The problem here is that we have more domains than IP addresses. And the public should not have to worry about using different ports for the usual services. To keep the problem simple, imagine a single external IP address to service all the domains. In this case, the simple forwarding rules no longer do the job. (Though I do agree that this is the right way if we had more IPs...)

As for Juan's suggestion of using iptables directly, I'll have to do some digging. I'm not sure if an iptables rule based on the requested domain name can be done. (I know it's possible for requested IP/port, or destination IP/port...) But my initial looking suggests this isn't possible (at least not yet).

Shawn

_______________________________________________
clug-talk mailing list
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
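An added illustration of the point Shawn makes above, not code from the thread or from either poster: a port-forward (DNAT) rule is keyed only on destination IP and port, so it cannot tell apart domains that share one public IP, whereas the requested domain is visible only inside the application payload (here the HTTP Host header). All addresses and domain names are constructed sample values.

```python
# Added example (not from the list posts): layer-4 forwarding versus
# layer-7 dispatch when several domains share a single public IP.
from typing import Optional

# Constructed sample values: one public address shared by domains A-D.
PUBLIC_IP = "203.0.113.10"
L7_BACKENDS = {  # hypothetical internal web hosts, one per domain
    "a.example": "10.0.0.11",
    "b.example": "10.0.0.12",
    "c.example": "10.0.0.13",
    "d.example": "10.0.0.14",
}
# All a packet filter can key on: (destination IP, destination port).
L4_RULES = {(PUBLIC_IP, 80): "10.0.0.11"}


def l4_forward(dst_ip: str, dst_port: int) -> Optional[str]:
    """Mimic a DNAT lookup: the rule table sees only IP and port."""
    return L4_RULES.get((dst_ip, dst_port))


def parse_host(request: bytes) -> Optional[str]:
    """Extract the Host header from a raw HTTP/1.1 request, without the port."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:80
                return host[: host.index("]") + 1] if "]" in host else None
            return host.split(":", 1)[0]  # "b.example:80" -> "b.example"
    return None


def l7_dispatch(request: bytes) -> Optional[str]:
    """Pick a backend by requested domain, as a reverse proxy would."""
    host = parse_host(request)
    return L7_BACKENDS.get(host) if host else None


def build_request(host: str) -> bytes:
    """Constructed minimal HTTP/1.1 request for the given Host value."""
    return b"GET / HTTP/1.1\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"


if __name__ == "__main__":
    for name in ("a.example", "b.example"):
        print(name, "L4 ->", l4_forward(PUBLIC_IP, 80),
              "L7 ->", l7_dispatch(build_request(name)))
```

Both requests arrive at the same IP and port, so the L4 lookup returns the same backend for every domain; only the L7 lookup can route them apart.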

