Kristopher Lalletti wrote:
> What would be the approach with Shorewall? I tried various
> combinations with /etc/shorewall/masq but have failed miserably :(
The Shorewall approach is to realize that if you have enough public IP addresses to use 1-to-1 NAT for your Internet-accessible internal servers, then NAT is the wrong approach. You should be using plain routing (possibly augmented by Proxy ARP). That may require you to add another NIC to your firewall so that you have:

a) net
b) loc
c) dmz
d) Those servers that for some reason you choose to put in your 'loc' zone rather than in the 'dmz' zone.

My personal belief is that there is no valid reason for this class of server to exist at all, and very valid reasons to think that they should not exist at all. But from your post, it seems that you may have them. See Shorewall FAQ 2 for a discussion of why I think that such servers are a very bad idea.

-Tom
--
Tom Eastep         \ Nothing is foolproof to a sufficiently talented fool
Shoreline,          \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
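A minimal three-zone layout of the kind Tom describes, written out here as an added example; it is not configuration from the original post or from Shorewall's own documentation. It assumes a Shorewall 3.x-style file layout, eth0 facing the Internet, eth1 carrying the private 'loc' network 192.168.1.0/24, eth2 as the extra NIC for the 'dmz', and that the ISP delivers the public block 203.0.113.0/24 (a documentation range standing in for whatever block you actually hold) on the link in front of eth0, with two DMZ servers at 203.0.113.10 and 203.0.113.11. All addresses and interface names are placeholders.

```text
# /etc/shorewall/zones
#ZONE   TYPE    OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
# eth2 is the extra NIC Tom refers to: the public servers hang off it.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,routefilter,nosmurfs,logmartians
loc     eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs

# /etc/shorewall/policy
# Default-deny from the Internet.  Nothing lets dmz open connections into
# loc, so a compromised public server cannot pivot onto the LAN.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq
# Only the private loc network is masqueraded.  The DMZ servers keep their
# public addresses and need no masq entry (and no 1-to-1 NAT) at all.
#INTERFACE   SOURCE            ADDRESS
eth0         192.168.1.0/24

# /etc/shorewall/proxyarp
# Each public address lives on a host behind eth2.  The firewall answers ARP
# for it on eth0, and with HAVEROUTE=no it adds the host route via eth2.
#ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE
203.0.113.10    eth2        eth0       no
203.0.113.11    eth2        eth0       no

# /etc/shorewall/rules
# Plain routing: rules name each server's real address, so there is no DNAT
# column to get wrong.  Open only what each server actually serves.
#ACTION SOURCE  DEST               PROTO   DEST PORT(S)
ACCEPT  net     dmz:203.0.113.10   tcp     80,443
ACCEPT  net     dmz:203.0.113.11   tcp     25
```

The DMZ hosts are configured exactly as if they sat on the external segment (203.0.113.10/24 with the ISP router as default gateway); the firewall's proxy ARP makes the hop through eth2 invisible to both sides. After `shorewall check` and `shorewall start`, confirm that `/proc/sys/net/ipv4/conf/eth0/proxy_arp` reads 1 and that `ip route show 203.0.113.10` shows the host route out eth2. If a public address was previously answered by a different machine, the upstream router may keep the old MAC in its ARP cache until it expires, which looks like a firewall problem but is not one.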
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
