Gerhard Wiesinger <[email protected]> wrote:

> Some public tcp services provided to the internet by DMZ services (e.g.
> mydomain.example.com) should also be available WITHOUT split DNS from
> the internal subnet. Therefore some forwards are configured from the
> firewall to the DMZ.
>
> What's the best shorewall configuration to route traffic from the
> internal subnet with the public IP also to the DMZ service?
> Any other preferred solution?
>
> The reason is that for clients all the configuration (mydomain.example.com,
> certificates) is the same.
IMO, split DNS is *THE* way to go. Internal clients still use
mydomain.example.com and certificates are correct. If you can't do that,
then see http://shorewall.net/FAQ.htm#faq2 (and scroll down to 2b). Note
that you won't see the internal IP addresses in your server logs - traffic
will appear to come from the router.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
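For readers who end up on the FAQ 2b route, the following is an added example of the Shorewall configuration that answers the question; it is not part of the thread and not copied from the Shorewall FAQ. It assumes Shorewall 4.x file layout, zones `net`, `loc` and `dmz`, a public address 203.0.113.5 (the one mydomain.example.com resolves to), a DMZ web server at 10.1.2.10 reached through the firewall's DMZ interface eth2 with address 10.1.2.1, and an internal subnet 192.168.1.0/24. All of these addresses and interface names are assumptions.

```conf
# /etc/shorewall/rules  (Shorewall 4.x column layout; addresses are assumed)
#ACTION   SOURCE   DEST             PROTO   DEST      SOURCE    ORIGINAL
#                                           PORT(S)   PORT(S)   DEST
# Internet clients: public IP 203.0.113.5 -> DMZ host 10.1.2.10
DNAT      net      dmz:10.1.2.10    tcp     443       -         203.0.113.5
# Internal clients that resolve mydomain.example.com to the SAME public IP
# (no split DNS) get the same DNAT, so the name and the TLS certificate the
# clients already use keep working from the inside.
DNAT      loc      dmz:10.1.2.10    tcp     443       -         203.0.113.5

# /etc/shorewall/masq  (replaced by /etc/shorewall/snat in Shorewall 5)
# Rewrite the source of loc->dmz traffic leaving eth2 to the firewall's DMZ
# address. The DMZ server then answers the firewall, conntrack reverses the
# DNAT on the way back, and the server logs 10.1.2.1 rather than the
# client's 192.168.1.x address (the log effect mentioned in the reply).
#INTERFACE   SOURCE           ADDRESS
eth2         192.168.1.0/24   10.1.2.1
```

Run `shorewall check` before `shorewall restart`, and confirm the resulting rules with `shorewall show nat` (the two DNAT entries should appear in the PREROUTING chain). The masq entry is what hides client addresses from the server; it is strictly necessary only when the server and the clients sit on the same interface, because then the server would otherwise reply to the client directly and the DNAT could not be undone. With the server behind its own DMZ interface, as in the question, replies already traverse the firewall, so the masq line can be dropped if you would rather keep the real client addresses in the server logs.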
