I keep wondering if something like the following will work
(Ben: it's TOO obvious; what glaring hole did I miss?)
Using 10/8 addresses to avoid stepping on someone's real IP
             Internet
               ISP1
                |
         ext(10.11.11.1)
               FW1
         int(10.1.0.1)
                |
                +----+ WWW
                |    | eth0:1 (10.1.0.5)
                |    | eth0:2 (10.2.0.5)
                |
         int(10.2.0.1)
               FW2
         ext(10.22.22.1)
                |
               ISP2
             Internet
WWW route table
host 10.1.0.5 eth0:1
host 10.2.0.5 eth0:2
net 10.1.0.0 eth0:1
net 10.2.0.0 eth0:2
default gw 10.1.0.1 eth0:1
default gw 10.2.0.1 eth0:2
FW1 routes inbound HTTP requests to 10.1.0.5 (NAT)
FW2 routes inbound HTTP requests to 10.2.0.5 (NAT)
Q1: Will HTTP server respond using same 10.x.0.5 address as request?
Q2: If so, will 10.2.0.5 response go out 10.2.0.1?
DNS includes
www IN A 10.11.11.1
www IN A 10.22.22.1
DNS should supply www address in round-robin
Ideally you would have a block of external addresses so that the WWW address would not
be the same as the FW address and, instead of using PAT, you could use static NAT (or
even pass-through).
>Sorry for the lengthy message and cross-posting to ipfilter list. Please
>bear with me :-)
>
>OK, let me re-phrase my situation in more details...
>
>Consider the following (I omit routers in between):
>
> Internet Internet
> | |
> | |
> ISP1 ISP2
> | |
> | |
> FW1 FW2
> | |
> | |
> ---+----+------+------+-----+---
> | | |
> | | |
> WWW DNS SMTP
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
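The two questions in the post turn on how the host picks the egress route for a reply. The following is an added example, not code from the poster or the list: a small longest-prefix-match model of the WWW host's route table, first as written (two default gateways in one table) and then with Linux-style per-source policy rules. Addresses and gateways are taken from the post; the /16 prefix lengths, the table names and the client address 192.0.2.10 are assumptions.

```python
"""Route-lookup model for the dual-homed WWW host in the post above.

Constructed example (not from the post): a longest-prefix-match lookup with
Linux-style policy rules ("ip rule add from <src> table <n>"). Addresses and
gateways are the post's; the /16 prefix lengths, the table names and the
client address 192.0.2.10 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str             # destination prefix; "0.0.0.0/0" is a default route
    gateway: Optional[str]  # next hop, None when directly connected
    iface: str


def lookup(table, dst):
    """Longest-prefix match over one table. On a tie the first entry wins,
    which is how a plain table behaves when two defaults are configured:
    the source address plays no part in the decision."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in table:
        net = ipaddress.ip_network(route.prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


# The post's "WWW route table": both LANs on eth0 aliases, two default gateways.
CONNECTED = [
    Route("10.1.0.0/16", None, "eth0:1"),
    Route("10.2.0.0/16", None, "eth0:2"),
]
MAIN = CONNECTED + [
    Route("0.0.0.0/0", "10.1.0.1", "eth0:1"),
    Route("0.0.0.0/0", "10.2.0.1", "eth0:2"),
]

# Per-source tables for policy routing. Connected routes are repeated in each
# table so that LAN-bound traffic is not swallowed by that table's default.
VIA_FW1 = CONNECTED + [Route("0.0.0.0/0", "10.1.0.1", "eth0:1")]
VIA_FW2 = CONNECTED + [Route("0.0.0.0/0", "10.2.0.1", "eth0:2")]
# Equivalent to: ip rule add from 10.1.0.5 table fw1 ; ip rule add from 10.2.0.5 table fw2
RULES = [("10.1.0.5", VIA_FW1), ("10.2.0.5", VIA_FW2)]

# Which firewall NATted traffic for each alias (from the post): the reply must
# go back through that box, since the other one holds no state for the flow.
NAT_FIREWALL_FOR_ALIAS = {"10.1.0.5": "10.1.0.1", "10.2.0.5": "10.2.0.1"}


def egress(src, dst, policy=False):
    """(gateway, iface) the host would use for a packet src -> dst."""
    if policy:
        for rule_src, table in RULES:
            if rule_src == src:
                route = lookup(table, dst)
                if route is not None:
                    return route.gateway, route.iface
                break  # no match in the per-source table: fall through to main
    route = lookup(MAIN, dst)
    return route.gateway, route.iface


def reply_path(client, local, policy=False):
    """Q1 and Q2 in one place. A TCP server replies from the local address the
    SYN arrived on (`local`), so Q1 is yes. Whether that reply also leaves via
    the matching firewall (Q2) depends entirely on the routing decision."""
    gateway, iface = egress(local, client, policy)
    return {
        "src": local,
        "dst": client,
        "gateway": gateway,
        "iface": iface,
        "symmetric": gateway == NAT_FIREWALL_FOR_ALIAS[local],
    }


if __name__ == "__main__":
    client = "192.0.2.10"  # constructed Internet client
    for policy in (False, True):
        for local in ("10.1.0.5", "10.2.0.5"):
            label = "policy routing" if policy else "plain table"
            print(label, reply_path(client, local, policy))
```

With the plain table, a request that arrived through FW2 on 10.2.0.5 is answered from 10.2.0.5 but leaves via 10.1.0.1, so FW1 sees a reply for a connection it never translated and the flow breaks. On a Linux host the fix the model reproduces is a second table plus a source-based rule, for example `ip route add default via 10.2.0.1 dev eth0 table 2` followed by `ip rule add from 10.2.0.5 table 2`, and the same pair for 10.1.0.5.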