
Re: Firewall protects, so what directs?:(may be an easy workaround)



Hi

If you don't want to change anything at this time, maybe you could use an
easy workaround if you are now using SSH on your firewall and web server:
if you use the "-L" option, you could start an SSH session from your
firewall to your web server and forward every incoming connection to port
80 on the firewall to your web server...

your_firewall# ssh -g -L 80:10.10.0.10:80 awebuser@10.10.0.10   # -g: listen on all interfaces, not only loopback

You only will have to be sure that you allow TCP port 22 from your firewall
to your web server, and that your SSH configuration allows port forwarding
(well, and maybe you should monitor your ssh tunnel: if it goes down, it
stops working).

Well, it is only a workaround if you don't want to continue learning about
"obsolete" firewalls (netfilter and iptables are far better than ipchains
and ipmasqadm), and if you are using SSH (and you should be using it...)

Regards

        Pedro Pablo
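The tunnel described above, as an added example that is not part of the original message: a small supervisor script for the firewall that keeps the SSH local forward up and restarts it when it drops. Names are the thread's (web server 10.10.0.10, account awebuser); the `ssh` options used (`-g`, `-N`, `ExitOnForwardFailure`, `ServerAliveInterval`) are standard OpenSSH options and are assumed to be available on the firewall's client. The web server's sshd must have `AllowTcpForwarding yes` (the default); `GatewayPorts` is not involved, since that setting only governs `-R` forwards.

```shell
#!/bin/sh
# Added example (not from the list thread): keep an SSH local forward up so
# that connections to port 80 on the firewall are carried to the DMZ web
# server. Runs as root on the firewall, because port 80 is privileged.
# Assumed values below are the ones used in the thread.

LISTEN_PORT="${LISTEN_PORT:-80}"
WEB_HOST="${WEB_HOST:-10.10.0.10}"
WEB_PORT="${WEB_PORT:-80}"
SSH_USER="${SSH_USER:-awebuser}"

# tunnel_cmd prints the ssh command line that carries the forward.
#   -g   binds the forwarded port on all interfaces; without it ssh listens
#        on 127.0.0.1 only, so no connection from the Internet would be
#        forwarded at all.
#   -N   opens no shell on the web server; the session carries only the
#        forward, so a compromised firewall gains no extra command channel.
#   ExitOnForwardFailure=yes makes ssh exit instead of sitting idle when it
#        cannot bind the local port (e.g. a stale ssh still holds it).
#   ServerAliveInterval/CountMax make a silently dead link exit after about
#        90 seconds, so the supervisor below notices and reconnects.
tunnel_cmd() {
    printf 'ssh -g -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L %s:%s:%s %s@%s\n' \
        "$LISTEN_PORT" "$WEB_HOST" "$WEB_PORT" "$SSH_USER" "$WEB_HOST"
}

# supervise restarts the tunnel whenever ssh exits, with a short back-off so
# a web server that is down is not hammered with reconnects.
supervise() {
    while :; do
        # The command contains no spaces inside any argument, so plain word
        # splitting of tunnel_cmd's output is safe here.
        $(tunnel_cmd)
        sleep 5
    done
}

# Start only when explicitly asked, so sourcing the file has no side effect.
if [ "${START_TUNNEL:-0}" = "1" ]; then
    supervise
fi
```

One operational caveat worth knowing before relying on this: because the forward terminates inside sshd on the web server, every forwarded request reaches Apache from the web server itself, so the access log shows 10.10.0.10 (or 127.0.0.1) instead of the real client address. Kernel-level port forwarding keeps the client address intact.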





Thomas Cook <sysadmin@black-gear.com>
To:       undisclosed-recipients:;, Debian Firewall <debian-firewall@lists.debian.org>
cc:
Subject:  Re: Firewall protects, so what directs?
Date:     20/03/02 00:31
Please respond to Thomas Cook



Wow, thanks for all the help guys.

First off, you are right Simon, I've assigned static addresses to the
servers with statements in the dhcpd.conf file.

As for the rest, I'm looking over ipmasqadm, and it looks like what I need
(though a bit confusing).  I have thought about going to the 2.4 kernels,
but it would mean translating my ipchains -> iptables (not so bad, seems
like there should be a perl script out there for this), but also compiling a
new kernel, because the stock debian 2.4 does not support my scsi card like
the stock 2.2 (I've never gotten a kernel to compile correctly in my life).

I've got to say, I'm surprised at how complicated everything has become.
Even if I were to take out all the bells and whistles, my entire setup
(firewall/router/dhcp, web dns mail servers) has taken a good 4 months to
get going.  It's true that if I knew what I was doing, it would be less, but
there is SO much to know!  Thanks for the help...

-Tom



On 3/18/02 1:37 PM, "Simon Higgs" <simonhiggs@bigfoot.com> wrote:

> Thomas Cook said:
>> I have spent the last few months constructing an ipchains firewall for
>> my computer lab.  I finally got everything working a week or so ago,
>> but I realized there is nothing telling things where to go.
>>
>> My firewall divides my network into an internal lab (10.0.0.0/24, all
>> ip_forward and MASQ on the firewall), and a DMZ for my servers
>> (10.10.0.0/24).  The firewall tells all the packets where they can and
>> can't go, but how do I tell packets where they should go?  For
>> example...
>>
>> Let's say my external ip is 1.2.3.4.  So someone on the internet plugs
>> 1.2.3.4 in their browser.  The browser contacts my firewall's external
>> interface asking for connect on port 80.  How do I tell my firewall to
>> direct that www request to 1.2.3.4 into a request to 10.10.0.10 port 80
>> (my apache server)?
>>
>
> In a previous post you suggested that you have assigned dynamic IPs to both
> networks. I can't see how this can work. I'd at least assign static IPs to
> the servers.
>
> http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO/forwarders.html
> http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-7.html
>
> Simon.
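The kernel-level answer to the question in the thread (external 1.2.3.4 port 80 rewritten to 10.10.0.10 port 80), as an added example that is not part of any message above: the rules for the 2.2 path Thomas is reading about (ipchains plus `ipmasqadm portfw`) side by side with the 2.4 path (iptables DNAT). Interface names eth0 (external) and eth1 (DMZ) are assumptions; addresses are the thread's. The script only prints the commands unless `APPLY=1` is set, so it can be read and tested without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the list thread): forward TCP port 80 arriving on
# the firewall's external address to the DMZ web server, for a 2.2 kernel
# (ipchains + ipmasqadm portfw) and for a 2.4 kernel (iptables DNAT).
# Assumed interface names: eth0 external, eth1 DMZ. Commands are printed
# rather than executed unless APPLY=1 is set.

EXT_IF="${EXT_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
EXT_IP="${EXT_IP:-1.2.3.4}"
WEB_IP="${WEB_IP:-10.10.0.10}"
WEB_PORT="${WEB_PORT:-80}"

# run executes its arguments as a command when APPLY=1, otherwise prints
# them, one command per line, so the generated rule set can be reviewed.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Kernel 2.2: portfw rewrites EXT_IP:80 to WEB_IP:80 after the input chain
# and before the forward chain, so the input rule matches the original
# (external) destination and the forward rule the rewritten one. In the
# ipchains forward chain -i names the interface the packet leaves on.
# Requires CONFIG_IP_MASQUERADE and net.ipv4.ip_forward=1.
portfw_22() {
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$WEB_PORT" -R "$WEB_IP" "$WEB_PORT"
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$WEB_PORT" -j ACCEPT
    run ipchains -A forward -i "$DMZ_IF" -p tcp -d "$WEB_IP" "$WEB_PORT" -j ACCEPT
}

# Kernel 2.4: DNAT in the nat table rewrites the destination before the
# routing decision; FORWARD then sees 10.10.0.10 and must allow the new
# connection in and its replies back out. Keeping the rules tied to the
# interface pair and to NEW only on the inbound side means a host in the
# DMZ cannot use this hole to open connections the other way.
portfw_24() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport "$WEB_PORT" \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p tcp -d "$WEB_IP" --dport "$WEB_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -p tcp -s "$WEB_IP" --sport "$WEB_PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Select the rule set with KERNEL=2.2 or KERNEL=2.4; add APPLY=1 to execute.
case "${KERNEL:-}" in
    2.2) portfw_22 ;;
    2.4) portfw_24 ;;
    *)   ;;
esac
```

Two caveats that the rules above deliberately leave out. First, they only rewrite traffic arriving on the external interface, so a lab host (10.0.0.0/24) that browses to 1.2.3.4 is not forwarded; making that work needs a second DNAT on the internal interface plus an SNAT so the web server's replies return through the firewall. Second, unlike the SSH workaround, DNAT preserves the client's source address, so Apache's logs and any access controls on the web server see the real peer.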


--
To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org






