> > I haven't played with this much, but one of the things on the list of stuff
> > to "play with one of these days" is using redirect to provide for an
> > 'internal server' machine, similar to the way the low-end firewall boxes do.
> > I *think* this would work properly for everything from game servers to VPN
> > access, although security in such a situation isn't the greatest (although
> > it's not too bad if combined with port-forwarded DMZ rules).
>
> Not sure I follow: would you use redir instead of
> portfw rules? Or do you see it being used on the internal
> interface's input chain?
No, the redirects go on the external interface input rules.
The basic idea is to mimic the functionality of the firewall 'bricks'
available from Linksys, D-Link, Netgear, &c that provide for a single
internal "server" IP. Basically, any inbound packets that are not either
destined for local services or existing masqueraded connections, get
forwarded (redirected) to an internal system. I *think* this can be used
like a partial static-NAT, essentially splitting the single available IP
between several systems.
The fundamental difference between doing this with a redirect and using
port-forwards is the flexibility of IPChains. I think the redirect rule
could send anything not dealt with by previous rules to a remote system
(even non-TCP/UDP traffic), providing a 'catch-all' port-forwarding that I
don't think it's possible to implement with portfw.
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
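The message above describes a rule order on the external interface's input chain: packets for the firewall's own services are answered locally, replies to existing masqueraded connections go back to the host that opened them, explicit port-forwards come next, and everything else (any protocol) lands on the single internal "server". The following is an added model of that decision order, not code from the post or from LRP, and it is not ipchains syntax; the addresses, the service set, the masquerade entry and the port-forward entry are constructed for the example. It also shows the two things a practitioner would want to check before deploying such a policy: that the catch-all really is last (otherwise it hijacks traffic meant for the firewall itself), and that the catch-all host receives every unsolicited packet, including ICMP and GRE, which is the security cost the quoted text mentions.

```python
"""Model of a 'single internal server' (DMZ-host) input chain.

Added example: mirrors the first-match-wins rule order described in the
mailing-list post. All addresses and table entries are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed addresses (RFC 5737 documentation ranges), not from the post.
FIREWALL_IP = "203.0.113.1"    # the single public IP on the external interface
DMZ_HOST = "192.168.1.10"      # internal 'server' that receives everything unclaimed
WEB_HOST = "192.168.1.30"      # host behind an explicit port-forward


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", "gre", ...
    dport: Optional[int] = None  # None for protocols that carry no port
    src: str = "198.51.100.7"    # arbitrary remote peer (constructed)


# Services the firewall itself answers on the external interface (assumed set).
LOCAL_SERVICES = {("tcp", 22), ("udp", 53)}

# Masquerade state: an outbound connection from an internal host was rewritten
# to (proto, external port); replies to it must return to that host.
MASQ_TABLE = {("tcp", 61001): "192.168.1.20"}

# Explicit port-forwards, the kind of thing a portfw rule would express.
PORTFW = {("tcp", 80): WEB_HOST}

# A rule is (name, match predicate, function yielding the delivery target).
Rule = tuple[str, Callable[[Packet], bool], Callable[[Packet], str]]


def build_chain(catch_all_last: bool = True) -> list[Rule]:
    """Input chain for the external interface, evaluated first match wins.

    catch_all_last=False reproduces the mis-ordering where the catch-all
    precedes the local-service rule and steals the firewall's own traffic.
    """
    rules: list[Rule] = [
        ("local", lambda p: (p.proto, p.dport) in LOCAL_SERVICES,
         lambda p: FIREWALL_IP),
        ("masq", lambda p: (p.proto, p.dport) in MASQ_TABLE,
         lambda p: MASQ_TABLE[(p.proto, p.dport)]),
        ("portfw", lambda p: (p.proto, p.dport) in PORTFW,
         lambda p: PORTFW[(p.proto, p.dport)]),
    ]
    # Matches any protocol, so it must be the terminal rule.
    catch_all: Rule = ("catch-all", lambda p: True, lambda p: DMZ_HOST)
    if catch_all_last:
        rules.append(catch_all)
    else:
        rules.insert(0, catch_all)
    return rules


def route_inbound(pkt: Packet, chain: list[Rule]) -> tuple[str, str]:
    """Return (rule name that matched, host that receives the packet)."""
    for name, match, target in chain:
        if match(pkt):
            return name, target(pkt)
    raise AssertionError("chain has no terminal rule")


def unsolicited_exposure(chain: list[Rule], probes: list[Packet]) -> list[Packet]:
    """Probes that reach the catch-all host without any explicit rule for them.

    This is the attack surface the single-server setup hands to that host.
    """
    return [p for p in probes if route_inbound(p, chain)[0] == "catch-all"]


if __name__ == "__main__":
    chain = build_chain()
    samples = [Packet("tcp", 22), Packet("tcp", 61001), Packet("tcp", 80),
               Packet("udp", 27015), Packet("icmp"), Packet("gre")]
    for p in samples:
        print(f"{p.proto:4} {str(p.dport):6} -> {route_inbound(p, chain)}")
    print("exposed to DMZ host:", unsolicited_exposure(chain, samples))
    print("ssh with catch-all first:",
          route_inbound(Packet("tcp", 22), build_chain(catch_all_last=False)))
```

The useful observation is in the last two lines of the demo: with the catch-all placed first, port 22 on the public address is delivered to the internal host instead of the firewall, and with it placed last, every unsolicited probe of any protocol reaches that host, which is why it should be treated as fully Internet-exposed rather than as a machine behind a firewall.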