>>>>> "Harald" == Harald Welte <[EMAIL PROTECTED]> writes:

    Harald> On Mon, Feb 18, 2002 at 12:44:14AM +0100, Henrik Nordstrom wrote:
    >> On Sunday 17 February 2002 20.06, Harald Welte wrote:
    >>
    >> > DNAT in output really makes sense. Imagine a proxy running on your
    >> > firewall. The firewall also has a DMZ. You DNAT inbound http
    >> > requests from the internet into your DMZ. Now some user of your
    >> > internal network tries to reach the company's own webserver through
    >> > the squid running on the firewall. The outgoing packets from SQUID
    >> > need to get DNAT'ed into the DMZ.
    >>
    >> In such case you can simply tell Squid what the real server addresses
    >> are. No need to go thru DNAT to fool Squid. Simply put the addresses
    >> into /etc/hosts or a private DNS, or have Squid rewrite the addresses
    >> on the way.

    Harald> Sorry, but IMHO any of those 'solutions' is ugly. It should just work
    Harald> automagically.

I agree, since putting that at the netfilter level obviates the need for
special purpose code in any arbitrary application needing access to the DMZ
via an IP returned by a DNS lookup that hands back the router's external IP.
It also eliminates needing to separately configure whatever piece of software
that may be, and the requirement of an internal DNS server, hosts entry, or
separate dmz domain visible only from the internal network.

Think of the www link breakage involved - for external sites you publish
www.yourdomain.com, but for internal ones you must publish
www.dmz.yourdomain.com? It's much simpler to make it possible to configure
that in one place only - a single NAT rule in the netfilter OUTPUT table.

-- 
mailto: (Karl M. Hegbloom) [EMAIL PROTECTED]
Free the Software  http://www.debian.org/social_contract
http://www.microsharp.com
phone://USA/WA/360-260-2066
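The rule pair the thread is arguing about, as an added example (not part of the original mail or of the netfilter project): the usual PREROUTING DNAT for inbound requests, plus the matching OUTPUT DNAT so that a connection generated on the firewall itself (a Squid proxy running there, in Harald's scenario) is also redirected to the DMZ host instead of landing on the firewall's own stack. The addresses 203.0.113.10 (external) and 10.0.0.5 (DMZ) and the helper names are constructed for illustration; the iptables options used are the standard `nat` table DNAT syntax.

```shell
#!/bin/sh
# Added example, not from the thread: build the two DNAT rules that publish a
# DMZ web server on the firewall's external address. The PREROUTING rule covers
# packets arriving from outside; the OUTPUT rule covers packets the firewall
# generates itself (e.g. a proxy running on it), which PREROUTING never sees.
# 203.0.113.10 and 10.0.0.5 are constructed placeholder addresses.

# dnat_rule CHAIN EXT_IP DMZ_IP PORT -> prints one iptables command.
# Matching on -d EXT_IP and --dport keeps the rewrite limited to the one
# published service rather than all traffic leaving the box.
dnat_rule() {
    chain=$1; ext_ip=$2; dmz_ip=$3; port=$4
    printf 'iptables -t nat -A %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$chain" "$ext_ip" "$port" "$dmz_ip" "$port"
}

# publish_rules EXT_IP DMZ_IP PORT -> prints both rules, inbound and local.
publish_rules() {
    dnat_rule PREROUTING "$1" "$2" "$3"
    dnat_rule OUTPUT     "$1" "$2" "$3"
}

# With APPLY=1 the generated commands are executed (needs root and iptables);
# otherwise they are only printed so the rule set can be reviewed first.
if [ "${APPLY:-0}" = 1 ]; then
    publish_rules 203.0.113.10 10.0.0.5 80 | sh -e
else
    publish_rules 203.0.113.10 10.0.0.5 80
fi
```

After applying, `iptables -t nat -L OUTPUT -n -v` shows the OUTPUT rule and its packet counters, which is the quickest way to confirm that locally generated requests to the external address are actually being rewritten. The OUTPUT rule only handles connections that originate on the firewall host; it does not by itself cover internal LAN clients reaching the external address through the firewall.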