Quoting Daniel Hartmeier <[EMAIL PROTECTED]>:

> On Mon, Sep 02, 2002 at 01:58:14PM +0200, Clemens Dumat wrote:
>
> > This is your proposal. Maybe this is the only one that would be
> > sensible to do, but nevertheless I thought about different ways of doing
> > it :) The one thing that I don't really like in this solution is that I
> > would have to open a private IP on the outer interface for this to work.
>
> But that's what you're actually doing, even in your two other proposals:
> expose a local machine to the internet.
Yup. But the latter two versions expose only the translated IP, whereas your version also exposes the private, real IP of the local machine.

> Or did I miss something? How are the latter two versions more
> restrictive, such that they block any packet that the first version
> doesn't?

The latter two versions allow only packets on de0 directed to 195.200.200.201:80 through the firewall, because the redirection is done on the inner interface. The private address 192.168.0.100 is blocked on the outside. Your version would also allow packets directed to 192.168.0.100:80 (which were NOT translated by the rdr rule on de0) through the firewall. These packets shouldn't be allowed, IMHO. These packets shouldn't arrive there, for sure, but I think it would be safer this way. For example, with a scanner directly attached to the outer interface de0 it would be possible to find out about private IPs used in the DMZ (and that should not be possible, IMHO). But maybe it's me who misses something.

Clemens
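The two rule shapes being argued about, written out as an added pf.conf example (not a configuration from either poster). It assumes a topology the thread only implies: de0 is the outer interface carrying the public address 195.200.200.201, de1 is the DMZ interface, and the web server is 192.168.0.100 in the DMZ. The syntax is the current OpenBSD form (`match`/`pass ... rdr-to`, OpenBSD 4.7 and later), which postdates this 2002 thread; the pf of that time spelled the same translation `rdr on de0 proto tcp from any to 195.200.200.201 port 80 -> 192.168.0.100 port 80`, and the filtering behaviour described below is the same. The two variants are alternatives, so only one of them belongs in a real pf.conf.

```pf
# Assumed topology (not stated in the thread): de0 outside, de1 DMZ,
# web server 192.168.0.100 reachable from the internet as 195.200.200.201.
ext_if   = "de0"
dmz_if   = "de1"
www_pub  = "195.200.200.201"
www_priv = "192.168.0.100"

set skip on lo
block all                         # default deny on every interface

# ---- Variant A: translate first, then pass on the translated address ----
# pf filters the packet *after* rdr-to has rewritten the destination, so the
# pass rule must name the private address.  That same pass rule also matches
# a packet that arrives on de0 already addressed to 192.168.0.100 (nothing
# to translate), which is the case objected to above: the pass rule cannot
# tell a translated packet from an untranslated one.
match in on $ext_if proto tcp to $www_pub  port 80 rdr-to $www_priv
pass  in on $ext_if proto tcp to $www_priv port 80

# ---- Variant B: match the public address and translate in the same rule ----
# A pass rule with rdr-to is matched against the original destination, so
# only packets sent to 195.200.200.201:80 can match it.  A packet sent
# straight to 192.168.0.100 matches nothing and falls back to "block all".
# The quick block in front adds an explicit refusal of any RFC 1918
# destination on the outer interface, so a scan of private space from de0
# is dropped before any pass rule is consulted.
block in quick on $ext_if to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
pass  in on $ext_if proto tcp to $www_pub port 80 rdr-to $www_priv
pass  out on $dmz_if proto tcp to $www_priv port 80   # forwarded leg into the DMZ
```

Check a candidate file with `pfctl -nf /etc/pf.conf` before loading it; with Variant B, `pfctl -sr` shows the translation attached to the pass rule rather than to a separate rule that precedes filtering, which is the property that keeps the private address out of the outer interface's pass set.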
