> Here's the issue:
>
> a.b.c.156/30 wan network (domain: ISP.com)
> a.b.c.157 local wan address (wan1)
> a.b.c.158 remote wan address (peer)
> x.y.z.64/26 public ip block (domain: customer.com)
> x.y.z.64/26 dmz network

This is a normal 'routed' type of DMZ.

> For example, when I ssh out to somewhere on the Internet from
> 192.168.1.101 and invoke `w' I see that I am FROM a.b.c.157.
>
> This is OK for most situations, because all network traffic, originating
> from the Internet, through the firewall should have destination on the
> dmz.
>
> However, what if I want to run ftpd on 192.168.1.101 and I want users to
> use ftp://myhost.customer.com, *not* by ip or myhost.ISP.com ???
>
> Yes, I know about port forwarding, &c.
>
> *HOW* can I take one (1) address out of x.y.z.64/26, let's say x.y.z.72,
> and have that address also bound to wan1?

It's tricky, and I haven't actually needed to do it yet...

The easy part is port-forwarding (from the DMZ interface of the router in this case)...the hard part is reverse masquerading the packets and giving them the public IP of the DMZ interface instead of the external interface. I'm not sure this is possible with ipchains (it is with iptables).

You may have to static-NAT one of your internal machines into the DMZ to get this to work properly, which is an even worse idea than port-forwarding traffic to your internal net, which is already a pretty bad idea.

Can you perhaps describe exactly what you're trying to get working, and perhaps there's a better network architecture (i.e. safer & easier to implement) to do what you want. You can e-mail me directly if this is sensitive info you don't want on-list...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
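The iptables version of what Charles describes, as an added example that is not from the thread or from LEAF itself: bind x.y.z.72 as a secondary address on wan1, DNAT inbound ftp for it to 192.168.1.101, and SNAT that host's outbound traffic so it leaves as x.y.z.72 rather than a.b.c.157. The interface name and addresses are the placeholders from the question, and the script prints the commands by default instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders from the question:
# wan1 carries a.b.c.157, x.y.z.64/26 is the routed DMZ block, x.y.z.72 is
# the one DMZ-block address to bind on wan1, 192.168.1.101 is the internal ftpd.
WAN_IF=wan1
PUBLIC_IP=x.y.z.72
INT_HOST=192.168.1.101

# Dry run by default: print each command instead of executing it.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_rules() {
    # x.y.z.72 must be a local address on the firewall so the kernel delivers
    # packets for it locally instead of forwarding them on toward the DMZ segment.
    run ip addr add "$PUBLIC_IP/32" dev "$WAN_IF"
    # FTP connection-tracking helpers so PORT/PASV data connections are
    # tracked and NATed as RELATED traffic.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    # Inbound: ftp://myhost.customer.com (x.y.z.72) arriving on wan1 -> internal ftpd.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 21 \
        -j DNAT --to-destination "$INT_HOST"
    # Outbound: the "reverse masquerade". 192.168.1.101 leaves as x.y.z.72, not a.b.c.157.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$INT_HOST" -j SNAT --to-source "$PUBLIC_IP"
    # Assumes FORWARD policy DROP: open only the control port plus tracked follow-on traffic.
    run iptables -A FORWARD -i "$WAN_IF" -d "$INT_HOST" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_rules
```

The SNAT rule has to come before any general MASQUERADE rule for the LAN in POSTROUTING, otherwise the first match wins and the host still appears as a.b.c.157; run with DRY_RUN=0 to execute instead of print.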
