Re: using public ip addresses in DMZ: how to route in small subnet?

On Thu, May 17, 2001 at 10:21:24PM +0800, Wenzhuo Zhang wrote:
> Static NAT is definitely a good solution. But you might also consider
> Bridging and do packet filtering on the bridging box.
> Another alternative is tunneling; that is, use private IP addresses on
> the "DMZ" interfaces and tunnel the public addresses to the servers. Of
> course, the firewall box has to do arp for the public addresses.

The problem (that I've yet to solve) with schemes that have
the DMZ hosts have private IPs is that outside clients are
generally trying to use passive ftp and failing.  Of course,
the real solution is to switch people to ssh-based file
transfer, and requiring active FTP works also.  Also it
sounds like wu-ftpd has a way to set the IP address for the
purposes of passive ftp.  Anyone using that over proftpd?

Michael J. Micek, CyberStrategies, Inc. sysadmin.	mmicek@csz.com
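
The passive-FTP failure described above, as an added example that is not part of the original message: the server's 227 reply carries the data-connection address, and a host numbered from private space advertises an address outside clients cannot reach. This check compares that address with the one the client connected to; the function names, sample replies and addresses are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 PASV reply carries (h1,h2,h3,h4,p1,p2): four address octets, two port bytes.
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# RFC 1918 private ranges, listed explicitly so the check means exactly this.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply")
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("no host/port tuple in reply")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def check_pasv(reply, control_peer):
    """Compare the advertised data address with the control-connection peer."""
    ip, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    if ip == peer:
        status = "ok"
    elif any(ip in net for net in _RFC1918):
        # Server advertised its inside address; the data connection will fail
        # unless the firewall rewrites the reply or the daemon is configured
        # to advertise the public address.
        status = "rfc1918-leak"
    else:
        status = "address-mismatch"
    return {"ip": str(ip), "port": port, "status": status}


if __name__ == "__main__":
    # Constructed sample replies; 192.0.2.10 stands in for the public address.
    for line in ("227 Entering Passive Mode (192,168,1,20,195,80)",
                 "227 Entering Passive Mode (192,0,2,10,195,80)"):
        print(line, "->", check_pasv(line, "192.0.2.10"))
```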

