/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
On Tue, 31 Oct 2000 18:31:18 +1100, raf <[EMAIL PROTECTED]> wrote:
>the problem is that this only works when the destination address that
>you are rewriting is the/one-of-the address(es) of the firewall/masquerading
>host. that's not what you're doing.
ah, many thanks for giving light into darkness! i already gave up, but
did not know why it did not work.
>some options in no particular order are:
>
>(1) give the dmz ip address in question to the firewall host
>as an alias so the port forwarding will work (requires extra
>fiddles with iproute2 - see fwup.org for details) - probably
>too fiddly
hmm, your "probably too fiddly" gives me the opinion that i let it be
for now :-)
>(2) place the internal host into the dmz (where it belongs :-)
i can't, because of customer reasons. it is a micro$oft box, which gave
me some trouble in the dmz. also i am happy to have this box in the
internal net for security reasons. read the current IIS exploits on
bugtraq and you will agree... it would be more or less easy to install
a sniffer and sniff my dmz traffic.
>(3) use transparent proxying - i'm not sure if this will do what
>you want but it's worth checking out.
ok, i give myself the proxy-howto for dinner.
>(4) put a proxy program on the dmz host to forward the packets
>appropriately.
this would be nice, also for logging the current exploit. do you have
any links where i could find such a forward tool?
it should be very stable and very simple...
>(5) get iproute2 and nat the packets as they arrive at the firewall
>host.
this seems to me the fastest solution at the moment.
>(6) get linux kernel 2.4 (still in beta - not recommended) and
>nat the packets using iptables.
jup, i have already downloaded and compiled the kernel and am going to
understand the new rules. surprisingly, the configuration was very
easy and it worked just out of the box.
>(7) try redir - not as efficient as kernel methods but might do what
>you want.
do you know, just off the top of your head, what i would need for redir? is it
a module or a user space program?
many thanks to you, raf. i almost lost my mind reconfiguring my
firewall at least 20 times, sniffing around with tcpdump, ... and
hearing the complaints of some customers that they cannot reach
their #!"@@# m$-outlook anymore.
janky the hanky
---
Unsolicited commercial email will be archived at $1/byte/day
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
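An added example of what option (6) from the exchange above looks like as a 2.4-kernel iptables ruleset; it is not code from raf's message or the poster's, and the interface name, the DMZ address, the internal host address and the forwarded TCP port are placeholders set as environment variables. The point it shows is the one raf made: ipmasqadm port forwarding only works for addresses the firewall itself owns, whereas a DNAT rule in the nat PREROUTING chain can match any destination that arrives at the firewall, so a packet addressed to a DMZ address can be rewritten to the internal host. The script prints the rules for review by default and only applies them when APPLY=1 is set, and the FORWARD rules open exactly one port towards the internal host and drop everything else the firewall would forward to it, which keeps the exposure of that box (the poster's IIS worry) to the single service.

```shell
#!/bin/sh
# Added example, not from the thread. All four values are assumptions;
# override them in the environment before running.
EXT_IF="${EXT_IF:-eth0}"            # interface the client packets arrive on
DMZ_ADDR="${DMZ_ADDR:-192.0.2.10}"  # DMZ address the clients connect to
INT_HOST="${INT_HOST:-10.0.0.5}"    # internal (non-DMZ) host that really serves it
PORT="${PORT:-80}"                  # the single TCP service to forward

# Emit the ruleset as text. Keeping generation separate from application
# lets the rules be reviewed (and tested) before they touch the firewall.
# The DNAT rule runs in nat/PREROUTING, before routing, so it may match a
# destination that is not one of the firewall's own addresses; the FORWARD
# rules run afterwards and therefore see the already rewritten destination.
gen_rules() {
    ext_if=$1; dmz_addr=$2; int_host=$3; port=$4
    cat <<EOF
iptables -t nat -A PREROUTING -i $ext_if -p tcp -d $dmz_addr --dport $port -j DNAT --to-destination $int_host:$port
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext_if -p tcp -d $int_host --dport $port -m state --state NEW -j ACCEPT
iptables -A FORWARD -d $int_host -j DROP
EOF
}

# Number of rules the generator produces; handy for a sanity check.
rule_count() {
    gen_rules "$@" | wc -l | tr -d ' '
}

main() {
    if [ "${APPLY:-0}" = 1 ]; then
        # Applying needs root, ip_forward enabled and the ip_conntrack/ipt_state
        # modules loaded; the rules are appended, so flush old ones first.
        gen_rules "$EXT_IF" "$DMZ_ADDR" "$INT_HOST" "$PORT" | sh
    else
        echo "# dry run; set APPLY=1 to apply:"
        gen_rules "$EXT_IF" "$DMZ_ADDR" "$INT_HOST" "$PORT"
    fi
}

main
```

Two things to check before applying: the internal host must route its replies back through this firewall (normally its default gateway), or the DNAT is never undone on the way out; and if DMZ_ADDR is also a real host in the DMZ, the PREROUTING rule diverts that host's traffic on PORT, so pick an address or port that machine does not serve itself.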