I don't think that this solves anything.  Because the internal
clients are on the PRO and the Apache server is on the PSN,
requests from the internal clients are still going to be NAT'd
to the GNAT Box PSN address, regardless of where they did the
DNS lookup or whether the Apache server can do a reverse lookup
on the client's address.

The only way for the Apache server to see the "real" IP address
that the request is coming from would be to enable IP Passthrough
between the PRO and the PSN.

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]



> -----Original Message-----
> From: Simon Delicata [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, June 12, 2002 12:12 PM
> To: GNATBox Mailing List
> Subject: RE: [gb-users] Tunnel to PSN seems to always hide 
> source address
> 
> 
> 
> Matthew,
> 
> You are right with what you say on your internal clients appearing to be
> coming from the GB internal IP. I have a way around this. My suggestion is
> to create a different "view" of the DNS domain to which the apache server
> belongs, for internal clients.
> 
> The way I've done this is to have two copies of ISC bind running on one
> machine, with two different configs, and two different sets of DNS tables.
> The bind for external viewing is set up to listen on a non-standard port
> (5353 for example), and the DNS queries from external IPs are tunnelled
> (UDP only) from port 53 of the external IP of the GB through to port 5353
> on the internal machine. The internal clients are configured to query the
> internal DNS IP, and as such, get the "internal" view of the domain.
> It also means I can run Dynamic DNS updates quite securely.
> 
> I hope this makes sense.
> 
> Simon Delicata
> 
> 
> 
> "Matthew Underwood" <matthew.underwood@jemmac.com>
> To: "GNATBox Mailing List" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: [gb-users] Tunnel to PSN seems to always hide source address
> 12/06/2002 14:49
> 
> 
> 
> 
> In reply to my own query about source addresses being logged by an apache
> server in our PSN always showing the IP address of the PSN interface
> regardless of the state of the 'hide source address' checkbox on the
> tunnel.
> 
> 
> Some progress on this front...
> 
> Apache is now logging the real source IP address of requests that come in
> via the External interface, but is still logging the gateway address for
> requests that come via the Protected interface.
> 
> Since I was only really concerned with logging IPs of cracking attempts
> from the outside world this is fine.
> 
> I'm assuming the gateway interface being logged for protected interface
> accesses is something to do with protected interface accesses being NAT'ed.
> 
> Thanks to Bob Reasoner for his suggestion that the 'Hide Source Address'
> changes didn't take effect until the filters had been updated. This seems
> to bear out as until I made some changes earlier today ALL IP addresses
> were being logged as the gateway address.
> 
> So, I guess there's no query anymore. Unless someone wants to confirm my
> suggestion about connections from the protected interface being NAT'ed.
> 
> Cheers,
> 
> Matt.
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> To subscribe to the digest version first unsubscribe, then
>  e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> Archive of the last 1000 messages:
>  http://www.mail-archive.com/[email protected]
> 

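As an added illustration (not configuration from anyone in this thread), this is what Simon's two-instance BIND arrangement can look like: one instance listening on 5353 behind the GB's UDP 53 tunnel, one on 53 for PRO clients. All addresses, paths, the zone name and the key-less update policy are constructed assumptions; the external instance is kept non-recursive so the forwarded port serves nothing but the public zone.

```conf
# Start as two processes:  named -c /etc/named-external.conf
#                          named -c /etc/named-internal.conf
# (paths, addresses and zone below are constructed for this example)

# ---- /etc/named-external.conf: reached only via the GB tunnel 53 -> 5353 ----
options {
    directory "/var/named/external";
    pid-file  "/var/run/named-external.pid";   # distinct pid so both can run
    listen-on port 5353 { 192.0.2.10; };       # internal DNS host (constructed)
    listen-on-v6 { none; };
    recursion no;                              # authoritative only for outsiders
    allow-query { any; };
    allow-transfer { none; };
};
zone "example.com" {
    type master;
    file "example.com.external";
};

# ---- /etc/named-internal.conf: what the PRO clients are pointed at ----
options {
    directory "/var/named/internal";
    pid-file  "/var/run/named-internal.pid";
    listen-on port 53 { 192.0.2.10; };
    listen-on-v6 { none; };
    recursion yes;
    allow-query { 192.0.2.0/24; };             # PRO network only (constructed)
    allow-transfer { none; };
};
zone "example.com" {
    type master;
    file "example.com.internal";
    allow-update { 192.0.2.0/24; };            # dynamic updates land here only;
};                                             # a TSIG key is the stronger choice

# ---- /var/named/external/example.com.external (SOA/NS records omitted) ----
# public view: the GB external IP, which the GB tunnels through to Apache
www  IN  A  198.51.100.1

# ---- /var/named/internal/example.com.internal (SOA/NS records omitted) ----
# internal view: the Apache host's own PSN address (constructed)
www  IN  A  172.16.1.20
```

Note Mike's point above still holds: even when the internal view hands PRO clients the PSN address directly, their connections cross the GB between PRO and PSN and are NAT'd, so Apache keeps logging the GB's PSN address; the split view changes what is resolved, not what is logged.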