I keep wondering if something like the following will work
(Ben: it's TOO obvious; what glaring hole did I miss?)

Using 10/8 addresses to avoid stepping on someone's real IP

Internet
ISP1
 |
 ext(10.11.11.1)
FW1
 int(10.1.0.1)
 |
 +----+ WWW
 |    | eth0:1 (10.1.0.5)
 |    | eth0:2 (10.2.0.5)
 |
 int(10.2.0.1)
FW2
 ext(10.22.22.1)
 |
ISP2
Internet

WWW route table
 host 10.1.0.5 eth0:1
 host 10.2.0.5 eth0:2
 net 10.1.0.0 eth0:1
 net 10.2.0.0 eth0:2
 default gw 10.1.0.1 eth0:1
 default gw 10.2.0.1 eth0:2

FW1 routes inbound HTTP requests to 10.1.0.5 (NAT)
FW2 routes inbound HTTP requests to 10.2.0.5 (NAT)

Q1: Will HTTP server respond using same 10.x.0.5 address as request?
Q2: If so, will 10.2.0.5 response go out 10.2.0.1?

DNS includes
 www  IN A  10.11.11.1
 www  IN A  10.22.22.1

DNS should supply www address in round-robin

Ideally you would have a block of external addresses so that the WWW address would not be the same as the FW address and, instead of using PAT, you could use static NAT (or even pass-through).

>Sorry for the lengthy message and cross-posting to ipfilter list. Please
>bear with me :-)
>
>OK, let me re-phrase my situation in more details...
>
>Consider the following (I omit routers in between):
>
>     Internet                 Internet
>         |                        |
>         |                        |
>        ISP1                     ISP2
>         |                        |
>         |                        |
>        FW1                      FW2
>         |                        |
>         |                        |
>      ---+----+------+------+-----+---
>              |      |      |
>              |      |      |
>             WWW    DNS    SMTP

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
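Editor's note on Q2, with an added example that is not part of the post above. A plain Linux routing table (the `route` style table shown for the WWW host) selects the gateway by destination address only; the source address of the reply is never consulted, and only one default route can be active at a given metric, so a reply sourced from 10.2.0.5 to an Internet client would leave via whichever default happens to be installed, not necessarily 10.2.0.1. Q1 is fine as stated (a TCP server replies from the local address the connection was accepted on); it is the gateway choice that needs help. The iproute2 policy-routing setup below routes by source address instead. It assumes the WWW host is Linux with iproute2, a /24 on each subnet, and table numbers 101/102 with rule priorities 100/101; none of those appear in the post and all are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the original post): Linux iproute2 policy routing so
# that replies sourced from each WWW alias leave through that alias's firewall.
# Assumed, not stated in the post: Linux/iproute2 on the WWW host, /24 masks,
# table IDs 101/102 and rule priorities 100/101. Set DRY_RUN=1 to print only.
set -eu

WWW_IP1=10.1.0.5; GW1=10.1.0.1; NET1=10.1.0.0/24   # FW1 side
WWW_IP2=10.2.0.5; GW2=10.2.0.1; NET2=10.2.0.0/24   # FW2 side
DEV=eth0                                          # both aliases live here
T1=101; T2=102                                    # hypothetical table numbers

# Execute a command, or print it when DRY_RUN=1 (for review before applying).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build one routing table per ISP and select it by packet source address.
setup_policy_routing() {
    # Table 101: traffic sourced from 10.1.0.5 uses FW1's inside address.
    run ip route add "$NET1" dev "$DEV" src "$WWW_IP1" table "$T1"
    run ip route add default via "$GW1" dev "$DEV" table "$T1"
    # Table 102: traffic sourced from 10.2.0.5 uses FW2's inside address.
    run ip route add "$NET2" dev "$DEV" src "$WWW_IP2" table "$T2"
    run ip route add default via "$GW2" dev "$DEV" table "$T2"
    # Rules are consulted before the main table; "from" matches the source
    # address, which for a TCP reply is the address the request arrived on.
    run ip rule add from "$WWW_IP1" table "$T1" priority 100
    run ip rule add from "$WWW_IP2" table "$T2" priority 101
    # The main table keeps a single default for locally originated traffic
    # (two defaults at the same metric would not both be accepted anyway).
    run ip route replace default via "$GW1" dev "$DEV"
}

# Usage:  DRY_RUN=1 sh policy-routing.sh apply   (print the commands)
#         sh policy-routing.sh apply             (apply as root)
if [ "${1:-}" = apply ]; then
    setup_policy_routing
fi
```

To check the result on a live host, `ip route get 198.51.100.1 from 10.2.0.5` (replace the destination with any Internet address; 198.51.100.0/24 is documentation space) should report `via 10.2.0.1`, and the same lookup `from 10.1.0.5` should report `via 10.1.0.1`. The firewalls still need to NAT and forward symmetrically as the post describes; this only fixes the host-side gateway choice.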