Charles,
Thanks for the follow-up (and, of course, for doing such a great job with your LEAF distros). I think I'm confusing myself, actually. Basically, I have 3 computers on my home network that I'd like to be able to access remotely, through my DSL modem, connected to the router box. I like the advantage of having a box firewall off all ports I don't want the public accessing, but I don't really need IP Masq, I guess, because my ISP is giving me a routed subnet - so I guess I can assign those addresses to my 3 computers behind the LEAF box.

Yes, I made a typo with 216.158.54.224/229 - should be /29 ;)

I guess what I am asking is - what role should my LEAF box be (IPFILTER_SWITCH)? I just want to be able to access the different boxes in my house with different IP addresses, using the routed subnet I have. This way I can, say, ssh into two different boxes on port 22.

Does this clarify things a bit? Am I totally off, or going in the right direction?

Thanks,
Kevin

> Several things. First of all, the DMZ scripts are designed to create a DMZ
> network...a third network for server (and other publicly visible) systems
> that is completely separate from both your external interface and the
> internal network. Trying to overlap the DMZ network on the same network
> segment as your internal network will simply create confusion, and probably
> won't work without modifying the default scripts.
>
> Another major error is the DMZ configuration. You have a routed DMZ, which
> means the DMZ IPs should be public (in the 216.158.54.224/229 range, if I'm
> understanding your config file, although I hope that 229 is actually "29"
> with a typo, otherwise I'm really confused), rather than the private IPs
> you've assigned. With nothing in place to translate your public IPs to the
> private IPs used internally, you won't have any external connectivity. If
> you want to keep the private IPs internally, you'll at least need to set up
> static NAT entries for each public IP (or range of IPs).
>
> I strongly suggest you post details on exactly what you're trying to
> accomplish. In general, providing internal systems with public IPs, and
> making them visible from the internet is a high security risk. There may be
> a way to provide the functionality you're after in a more secure way, that
> would also fit better with the default firewall rules. The setup I think
> you're trying to achieve is possible, but you'll have to re-work a lot of
> network and firewall configuration manually.

-- 
(kevin mudrick) ([EMAIL PROTECTED]) (www.bleachedwhale.com)
pgp key available at http://www.bleachedwhale.com/kevinGPG.asc
Despair: It's always darkest just before it goes pitch black.

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
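As an added example (not from this thread and not part of the LEAF scripts), a small Python planner for the routed-subnet design discussed above: it checks the /29 allocation (rejecting a malformed prefix such as the /229 typo), and generates filter-only forwarding rules that pass just SSH to the three hosts, with no masquerading. The router's inside address, the interface names and the use of iptables syntax are assumptions.

```python
import ipaddress

# Constructed sample plan matching the thread: one routed /29 from the ISP,
# the LEAF box takes one usable address, three internal hosts take three more.
ROUTED_SUBNET = "216.158.54.224/29"
ROUTER_INSIDE_IP = "216.158.54.225"   # assumption: LEAF box inside interface
HOSTS = ["216.158.54.226", "216.158.54.227", "216.158.54.228"]


def usable_addresses(cidr):
    """Host addresses of a routed block (network and broadcast excluded).
    Raises ValueError for a malformed prefix such as '/229'."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(a) for a in net.hosts()]


def check_plan(cidr, router_ip, hosts):
    """Return a list of problems; empty means router and hosts all fit
    inside the routed block with no duplicate assignments."""
    usable = usable_addresses(cidr)
    assigned = [router_ip] + list(hosts)
    problems = [f"{ip} is not a usable address in {cidr}"
                for ip in assigned if ip not in usable]
    if len(set(assigned)) != len(assigned):
        problems.append("duplicate address in plan")
    return problems


def forward_rules(cidr, hosts, allowed_tcp_ports, ext_if="eth0", int_if="eth1"):
    """Generate FORWARD rules for a routed (non-NAT) subnet: default drop,
    internal hosts may go out, replies come back, and only the listed TCP
    ports may open new inbound connections to each host. No MASQUERADE,
    because the hosts already carry public addresses."""
    rules = [
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -i {int_if} -o {ext_if} -s {cidr} -j ACCEPT",
        f"iptables -A FORWARD -i {ext_if} -o {int_if} "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for host in hosts:
        for port in allowed_tcp_ports:
            rules.append(f"iptables -A FORWARD -i {ext_if} -o {int_if} "
                         f"-p tcp -d {host} --dport {port} "
                         "-m state --state NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    print(check_plan(ROUTED_SUBNET, ROUTER_INSIDE_IP, HOSTS) or "plan ok")
    print("\n".join(forward_rules(ROUTED_SUBNET, HOSTS, [22])))
```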