Stephen Mills <[EMAIL PROTECTED]> wrote:
>
> my customer would like his mainframe to also be visible directly on
> the internet but still stay behind the ip masq firewall.
Well, they can't have it both ways. Either they are protected behind
the firewall, or they aren't! :)
> I think the best approach would be to get an IP address for that
> machine that the "internet" could see....say 203.17.xxx.xxx or
> whatever, but how would I go about changing my below configuration so
> the mainframe can be directly telnetted into from the internet?
You could use ipportfw to forward connections on some particular port,
to the hidden machine behind the firewall. This is very secure, since
the machine is mostly protected by the firewall, but a particular
network service (such as telnet) is permitted through.
The trouble is, your firewall already answers to a telnet service on
port 23, the standard telnet port. You would either have to disable
that service, or place the forwarded service on a different port (such
as port 24, or 2323, or 9999, or whatever you like). This might make
things more secure, by obscuring the port number, or it might just
confuse your customer.
Your idea about using an extra IP address is a good one. You can do
this by setting up "ip aliasing" in your Linux kernel, and configuring a
virtual ethernet interface with the IP address of your hidden system's
public IP, then use port-forwarding to redirect telnet and other
services to the firewalled host. This would work very well.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
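The setup the reply describes, an aliased second public address on the firewall plus ipportfw redirecting one port to the masqueraded host, with ipfwadm admitting only that port to the alias, written out as a shell script. This is an added example and not code from the thread: the interface name, addresses and ports are constructed placeholders (203.0.113.10 is a documentation address), the extra ipfwadm deny rule is my addition so the alias exposes nothing but the forwarded service, and the ipfwadm/ipportfw flag syntax is from memory for the 2.0.x tools and should be checked against the man pages of the kernel in use (2.2 moved port forwarding to ipmasqadm portfw, 2.4 to iptables DNAT). With RUN unset the script only prints the commands, so it can be reviewed before being re-run as root with RUN="".

```shell
#!/bin/sh
# Added example (not from the original thread): publish a masqueraded host
# on a second public address using ip aliasing + ipfwadm + ipportfw.
# Addresses, interface and ports are placeholders; the ipfwadm/ipportfw
# flags are from memory (2.0.x kernels) and must be checked against the
# man pages before use.
#
# RUN=echo (the default when RUN is unset) prints each command instead of
# executing it. Run as root with RUN="" to apply for real.

RUN="${RUN-echo}"

EXT_IF=eth0                 # interface that carries the firewall's public address
PUBLIC_IP=203.0.113.10      # extra public address for the hidden host (placeholder)
PUBLIC_MASK=255.255.255.0
PUBLIC_PORT=23              # port the internet connects to on $PUBLIC_IP
HIDDEN_IP=192.168.1.10      # the mainframe on the masqueraded side (placeholder)
HIDDEN_PORT=23              # telnet on the mainframe itself
# If the forwarded service had to share the firewall's *own* address with its
# telnetd, PUBLIC_PORT would have to move (2323, 9999, ...), as the reply says;
# with a separate alias the standard port can stay.

# 1. Bring up the alias so the firewall answers for the second address.
add_alias() {
    $RUN ifconfig "$EXT_IF:0" "$PUBLIC_IP" netmask "$PUBLIC_MASK" up
}

# 2. Input filter for the alias: accept TCP to the forwarded port, deny the
#    rest. ipfwadm matches rules in the order they are appended, so the
#    accept rule must go in first.
add_input_rules() {
    $RUN ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D "$PUBLIC_IP" "$PUBLIC_PORT"
    $RUN ipfwadm -I -a deny -P all -S 0.0.0.0/0 -D "$PUBLIC_IP"
}

# 3. Redirect TCP connections for $PUBLIC_IP:$PUBLIC_PORT to the hidden host.
add_portfw() {
    $RUN ipportfw -A -t "$PUBLIC_IP/$PUBLIC_PORT" -R "$HIDDEN_IP/$HIDDEN_PORT"
}

# Apply (or, in dry-run mode, print) the whole configuration in order.
apply_all() {
    add_alias
    add_input_rules
    add_portfw
}

# Dry-run when executed directly without RUN="" so nothing is changed by accident.
apply_all
```

Telnet is cleartext, so anyone on the path sees the mainframe credentials; the same three steps forward port 22 unchanged if the mainframe can run an ssh server, which is what a practitioner would expose instead.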