
Re: dns firewalls and mx records for internally hosted domains



To completely make this work you either need to sacrifice security by
forgoing connection tracking and using accept-all-by-port rules, or (it's a
technical doc, this is OK) use SNAT so that all replies go back to the CT
DNAT.  This second solution provides many scaling issues and is not
advised.  The first solution may be OK for most people, but not for any
corporation that cares about ?not? getting hacked.

--- Master_PE <debian@masterpe.nl> wrote:
> On Fri 11-06-2004, at 16:58, martin f krafft wrote:
> > Sorry for barking into the middle of the thread.
> > 
> > > > Sometime ago this list, or the security list, provided a common
> > > > consensus that www servers hosted inside a firewall, and serving
> > > > pages to both inside and outside should have resolve
> > > > www.domain.com to the internal IP for those inside the firewall.
> > > > This requires a dns record for the domain on the internal dns
> > > > servers and works like a champ!
> > 
> > like a champ? I believe it's 'like a charm'. But that's just
> > a side note...
> > 
> > Could you show me the discussion? I have never found a real answer
> > to this question, and I hold the opposite side... even internal
> > users should access the webserver through the official IP.
> 
> 
> To access the webserver that is inside of the network, I use DNAT.
> 
> Greets,
> 
> Master_PE
> 
> 
> 
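
The DNAT and SNAT behaviour discussed in this message, as an added example that is not part of the original thread: a simplified Python model (not iptables) that traces one internal request to the official IP with and without SNAT. The addresses are constructed, and the model assumes the internal client and the web server share one LAN segment.

```python
# Constructed addresses for illustration (assumptions, not from the thread).
PUBLIC_IP = "203.0.113.10"   # official address www.domain.com resolves to
SERVER_IP = "192.168.1.20"   # web server inside the firewall
FW_LAN_IP = "192.168.1.1"    # firewall's LAN-side address (default gateway)
CLIENT_IP = "192.168.1.50"   # internal user, same LAN segment as the server


def hairpin(use_snat):
    """Trace one internal request to PUBLIC_IP through the firewall.

    Returns (client_accepts_reply, reply_passed_firewall, source_seen_by_server).
    """
    # Request leaves the client for the official IP and reaches the firewall.
    src, dst = CLIENT_IP, PUBLIC_IP
    original = (src, dst)

    dst = SERVER_IP              # DNAT: official IP -> internal server
    if use_snat:
        src = FW_LAN_IP          # SNAT: hide the client behind the firewall
    # Connection tracking maps the expected reply tuple to the original tuple.
    conntrack = {(dst, src): original}
    seen_by_server = src

    # The server answers whatever source address it saw.
    r_src, r_dst = SERVER_IP, seen_by_server
    # Same LAN: a reply addressed to the client is delivered directly and
    # never crosses the firewall, so nothing reverses the DNAT.
    via_firewall = r_dst == FW_LAN_IP
    if via_firewall:
        o_src, o_dst = conntrack[(r_src, r_dst)]
        r_src, r_dst = o_dst, o_src   # un-NAT: reply now comes from PUBLIC_IP

    # The client only accepts a reply from the address it connected to.
    accepted = (r_src, r_dst) == (PUBLIC_IP, CLIENT_IP)
    return accepted, via_firewall, seen_by_server


if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT" if snat else "DNAT only", hairpin(snat))
```

In this model, SNAT makes the connection work at the cost of the firewall holding a conntrack entry for every internal request and the server seeing only the firewall's address as the source.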
