Charles:
Ah...I get it now, sure. Some vendors, I think LinkSys
is one, call this "DMZ mode" where everything not explicitely
directed somewhere is sent, by default, to a "DMZ host". Not
sure if that host is masq'd or proxy-arp'd though, in those
implementations.
I wonder, though, what this would do as a last
port-forward rule:
ipmasqadm autofw -A -r tcp 1 65536 -h $DMZ_HOST
Am not sure if autofw is parsed serially until
a match is found, like ipchains does things.
-Scott
On Tue, 25 Sep 2001, Charles Steinkuehler wrote:
> > > I haven't played with this much, but one of the things on the list of
> stuff
> > > to "play with one of these days" is using redirect to provide for an
> > > 'internal server' machine, similar to the way the low-end firewall boxes
> do.
> > > I *think* this would work properly for everything from game servers to
> VPN
> > > access, although security in such a situation isn't the greatest
> (although
> > > it's not too bad if combined with port-forwarded DMZ rules).
> >
> > Not sure I follow: would you use redir instead of
> > portfw rules? Or do you see it being used on the internal
> > interface's input chain?
>
> No, the redirects go on the external interface input rules.
>
> The basic idea is to mimic the functionality of the firewall 'bricks'
> available from Linksys, D-Link, Netgear, &c that provide for a single
> internal "server" IP. Basically, any inbound packets that are not either
> destined for local services or existing masqueraded connections, get
> forwarded (redirected) to an internal system. I *think* this can be used
> like a partial static-NAT, essentially splitting the single available IP
> between several systems.
>
> The fundamental difference between doing this with a redirect and using
> port-forwards, is the flexability of IPChains. I think the redirect rule
> could send anything not dealt with by previous rules to a remote system
> (even non-TCP/UDP traffic), providing a 'catch-all' port-forwarding I don't
> think it's possible to implement with portfw.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>
>
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
