
Re: FireHOL Question



--- Daniel Pittman <daniel@rimspace.net> wrote:

> On 21 Sep 2004, vizi0n wrote:
> > I've been trying to make myself a router/firewall for the past few days
> > (never done that before) but so far I managed to throw away my DI-604, which
> > is not a bad thing at all :) I am using Debian Sarge and the FireHOL package
> > which is basically an iptables generator from my understanding.
> >
> > Now my problem is, I am using this Sarge box as my gateway (1 nic for LAN, 1
> > plugged into a PPPoE DSL modem). It all works fine and my routes are set for
> > nat, but I would like to add my other IP's my isp gives me. (3 in fact) and
> > associate them with specific LAN machines.
> >
> > My isp gives me an extra /30 that I can use. So I would like to forward each
> > of these new IPs to specific LAN IPs, and reverse as well (my friend says
> > this is called one-to-one nat or something)
> 
> Just a quick question: are you sure you don't want to give those LAN
> machines a public IP address, and use standard IP forwarding?
> 
> Others have suggested, of course, the use of the 'dnat' function with
> firehol to perform the address transformation.  
> 
> Also, note that using NAT means that accessing those public addresses
> within the LAN will not work without significant and annoying work on
> your part.
> 
Documented here:
http://wiki.debian.net/index.cgi?Firewalls-dnat-redirect

Now that I think of it, there are some of the same problems with using
external IPs on an internal network.  Though the default setup is working,
ok, and valid.

> 
> Personally, I would (and do, in fact) use stock IP forwarding to provide
> machines with public addresses, and the firehol supported forwarding
> rules to manage access to them.
> 
> Regards,
>         Daniel
> -- 
> There are no poisonous substances, only incorrect doses.
>         -- Paracelsus
> 
> 
> 



		
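The one-to-one NAT discussed in this thread, together with the extra rule that lets LAN clients reach the public addresses, written as raw iptables rules. This is an added example, not part of the original messages and not FireHOL syntax. The interface names, addresses and the helpers `is_ipv4` and `one_to_one` are assumptions made for illustration; the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) iptables rules
# for one-to-one NAT. All names and addresses are constructed placeholders.
WAN_IF="ppp0"              # assumed PPPoE interface
LAN_IF="eth1"              # assumed LAN interface
LAN_NET="192.168.1.0/24"   # assumed LAN subnet
GW_LAN_IP="192.168.1.1"    # assumed gateway address on the LAN

# Succeeds only for a dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# one_to_one PUBLIC_IP LAN_IP "TCP_PORTS": returns 2 on malformed input.
one_to_one() {
    pub=$1; lan=$2; ports=$3
    is_ipv4 "$pub" && is_ipv4 "$lan" || return 2
    for p in $ports; do        # ports must be plain numbers
        case $p in ''|*[!0-9]*) return 2 ;; esac
    done
    # Inbound: packets addressed to the public IP are rewritten to the LAN host.
    echo "iptables -t nat -A PREROUTING -d $pub -j DNAT --to-destination $lan"
    # Outbound: the host leaves with its own public IP. Inserted at the top so
    # it matches before any generic masquerade rule.
    echo "iptables -t nat -I POSTROUTING 1 -s $lan -o $WAN_IF -j SNAT --to-source $pub"
    # Hairpin: a LAN client using the public IP is DNATed back into the LAN.
    # Without this rule the server answers the client directly and the client
    # drops the reply, because it comes from an address it never contacted.
    echo "iptables -t nat -I POSTROUTING 1 -s $LAN_NET -d $lan -o $LAN_IF -j SNAT --to-source $GW_LAN_IP"
    # NAT is not a filter: a 1:1 mapping exposes every port on the host unless
    # FORWARD limits new inbound connections to the listed services.
    echo "iptables -A FORWARD -d $lan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "iptables -A FORWARD -i $WAN_IF -d $lan -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $WAN_IF -d $lan -j DROP"
}

one_to_one 203.0.113.10 192.168.1.10 "22 80"
```

With the hairpin rule in place, the LAN server logs the gateway's address rather than the real client for connections made through the public IP.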