Hi David.
Thanks for your answer.
> 4. make sure you are running a properly configured up-to-date sendmail on
> the firewall (or if you prefer one of the alternates, put it here).
> for the internal web servers
I don't need SendMail. I want to use the mailserver that's behind the
firewall.
> 1. alias the external addresses to the firewall
>
> 2. use ipfwadm/ipchains to redirect the traffic headed to that address to
> another port number (transparent proxy option)
Well, I would prefer not to have a proxy involved, if possible. I want a
pure filtering firewall.
> 3. run plug-gw from the TIS fwtk on that port directing it to the internal
> web server
What is plug-gw?
> note: the new NAT options that are being developed can probably do this
> better, but I have not used them, I have done this and it does work reliably
> for the internal machines
>
> the easiest way is to just set up masquerading on the firewall and have it
> set as the gateway for all the machines.
My problem is that I don't really know how to configure both NAT and
masquerading on the same router. I have some idea about creating an alias
for the external NIC, e.g. eth1:1, on which I do the masquerading and do NAT
for the server on eth1, but I haven't tried this yet.
> the more complicated way (although more secure) is to generate a real
> security policy that states what protocols are allowed to be used, set up
> proxies for them on the firewall, and disallow all other traffic.
>
I figure you mean that I should configure a transparent proxy for each kind
of service (port) that I want open. Can this proxy solution handle requests
from the Internet to servers behind the firewall?
Kind regards, Ola Theander
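The configuration the thread is circling around, as an added example that is not part of either David's or Ola's mail: a 2.2-kernel-era ipchains/ipmasqadm script that does both jobs on one box, masquerading the internal LAN behind the firewall's external address and, on that same address, forwarding inbound SMTP to the internal mailserver with ipmasqadm portfw (the "new NAT options" David mentions), so no eth1:1 alias is needed. It also shows David's step 2 as a rule: REDIRECT to a local port where plug-gw, the generic TCP relay from the TIS fwtk, would listen and relay inward. Interface names, addresses and ports are assumptions for illustration; the functions print the rules by default and only execute them when FW_APPLY=1, so the rule set can be reviewed before it touches a kernel. REDIRECT needs a kernel built with transparent-proxy support, and portfw needs the masquerading code plus the ipmasqadm tool.

```shell
#!/bin/sh
# Added example (not from the thread). ipchains/ipmasqadm rules for one
# firewall doing masquerading and inbound port forwarding at the same time.
# All names and addresses below are assumed for illustration.
EXT_IF=eth1               # external interface (assumed)
EXT_IP=192.0.2.10         # firewall's public address (assumed, documentation range)
LAN=192.168.1.0/24        # internal network (assumed)
MAILSERVER=192.168.1.25   # internal mailserver (assumed)

# Rule generators print one command per line so the set can be read or
# tested without root; apply_rules feeds them to a shell.

# Masquerading: LAN hosts use the firewall as gateway and leave as EXT_IP.
# On the forward chain, -i names the interface the packet will leave on.
masq_rules() {
    cat <<EOF
ipchains -P forward DENY
ipchains -A forward -i $EXT_IF -s $LAN -j MASQ
EOF
}

# Port forwarding: connections to EXT_IP:$1 are rewritten to $2:$3. The
# masquerading code translates the replies back on the way out, so the
# same external address serves both the LAN and the published server.
portfw_rules() {
    # $1 = external port, $2 = internal host, $3 = internal port
    cat <<EOF
ipchains -A input -i $EXT_IF -p tcp -d $EXT_IP $1 -j ACCEPT
ipmasqadm portfw -a -P tcp -L $EXT_IP $1 -R $2 $3
EOF
}

# Transparent-proxy variant (David's step 2): instead of forwarding to the
# internal host, redirect to a local port where a proxy such as plug-gw
# listens and relays to the internal server itself.
redirect_rules() {
    # $1 = external port, $2 = local proxy port on the firewall
    printf 'ipchains -A input -i %s -p tcp -d %s %s -j REDIRECT %s\n' \
        "$EXT_IF" "$EXT_IP" "$1" "$2"
}

# Execute the generated rules; requires root and a 2.2-era kernel.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ipmasqadm portfw -f              # flush old forwardings first
    masq_rules | sh -e
    portfw_rules 25 "$MAILSERVER" 25 | sh -e
}

# Default is a dry run: print the rule set for review.
if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_rules
else
    masq_rules
    portfw_rules 25 "$MAILSERVER" 25
fi
```

Run it as-is to see the rules; run with FW_APPLY=1 as root on a box with ipchains and ipmasqadm to apply them. A real deployment still needs an input policy and the rest of the filtering rules; this shows only the NAT-related part.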
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]