Hi David, (thanks for your reply as well)  :)


>Stephen Mills <[EMAIL PROTECTED]> wrote:
>>
>> my customer would like his mainframe to also be visible directly on
>> the internet but still stay behind the ip masq firewall.
>
>Well, they can't have it both ways.  Either they are protected behind
>the firewall, or they aren't!  :)


Ahh, that's OK, if it's not going to be behind the firewall that is OK...

>> I think the best approach would be to get an IP address for that
>> machine that the "internet" could see....say 203.17.xxx.xxx or
>> whatever, but how would I go about changing my below configuration so
>> the mainframe can be directly telnetted into from the internet?
>
>You could use ipportfw to forward connections on some particular port,
>to the hidden machine behind the firewall.  This is very secure, since
>the machine is mostly protected by the firewall, but a particular
>network service (such as telnet) is permitted through.


OK, I see....

>The trouble is, your firewall already answers to a telnet service on
>port 23, the standard telnet port.  You would either have to disable
>that service, or place the forwarded service on a different port (such
>as port 24, or 2323, or 9999, or whatever you like).  This might make
>things more secure, by obscuring the port number, or it might just
>confuse your customer.


Yeah, I think this will create too many issues :) (and work)

>Your idea about using an extra IP address is a good one.  You can do
>this by setting up "ip aliasing" in your Linux kernel, and configuring a
>virtual ethernet interface with the IP address of your hidden system's
>public IP, then use port-forwarding to redirect telnet and other
>services to the firewalled host.  This would work very well.


I'd much prefer this option if possible.
'Network Aliasing' is already compiled into the kernel so this is good.
How would I go about finding more information on setting up the virtual
ethernet interface?
I've found documentation on port forwarding at
http://www.ox.compsoc.net/~steve/portforwarding.html,
although I can't seem to locate ipportfw at this time, I'll check it out for
sure.

Regards,
Stephen Mills
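The alias-plus-forwarding setup David describes, written out as an added example (not part of the thread or of any project's code). The addresses, the alias interface name eth0:0 and the netmask are constructed assumptions; the script defaults to printing the commands (DRY_RUN=1) and only applies them when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: give the masq firewall a second public address as an IP
# alias, then forward only tcp/23 on that address to the hidden mainframe
# with ipportfw. Every other port on the alias still terminates at the
# firewall, so the existing telnet service on port 23 of the primary
# address is untouched.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"        # constructed: extra public address
MAINFRAME_IP="${MAINFRAME_IP:-192.168.1.10}"  # constructed: hidden host's private address
NETMASK="${NETMASK:-255.255.255.0}"           # assumed: same subnet as the primary interface
ALIAS_IF="${ALIAS_IF:-eth0:0}"                # assumed alias interface name
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = execute (needs root)

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Masquerading/port forwarding needs IP forwarding enabled in the kernel.
enable_forwarding() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  else
    echo 1 > /proc/sys/net/ipv4/ip_forward
  fi
}

# Bring up the virtual interface carrying the mainframe's public address.
setup_alias() {
  run ifconfig "$ALIAS_IF" "$PUBLIC_IP" netmask "$NETMASK" up
}

# Forward one port on the public alias to the same port on the mainframe.
# $1 is the ipportfw protocol flag (-t for TCP, -u for UDP), $2 the port;
# ipportfw expects the local address glued to the flag: -t<addr>/<port>.
forward_port() {
  run ipportfw -A "$1$PUBLIC_IP/$2" -R "$MAINFRAME_IP/$2"
}

configure() {
  enable_forwarding
  setup_alias
  forward_port -t 23
}

configure
```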
