
Re: basic firewall question



--- Nathan Barham <nathan@sleepygeek.com> wrote:
> Ognen Duzlevski wrote:
> > Hi,
> > 
> > << ... >>
> > 
> > Thanks,
> > Ognen
> > 
> > 
> 
> Ognen,
> 
> You could do it like this:
> 
> < ... >
> 
> ( I don't know offhand what (or if) the limit is for the number of 
> aliases allowed per interface, but I think I recall doing three 
I would guess 256 or 256 ^ 2 on 32 bit systems and even greater with a 64.
With any Linux *arbitrary* limit changing it should be simple and
straightforward.

> successfully.  Also note that though eth0:1 will show up with ifconfig, 
> AFAIK iptables will only refer to that interface as eth0.)
> 
"eth0" != "eth0:1", however all traffic does go through eth0.
From IPTABLES(8):
If the interface name ends in a "+", then any interface which begins with
this name will match.

> 
> OK, now you want to get the incoming www traffic that is headed for 
> 66.224.54.117 through your firewall to your www server and back out. 
> The iptables rules would go something like this:
> 
> # VARIABLES
> IPTABLES=/sbin/iptables         # Path to iptables
> EXT_IP="66.224.54.118"          # eth0 IP
> EXT_IF="eth0"                   # External interface
> DMZ_IF="eth1"                   # DMZ interface
> DMZ_IP="192.168.1.1"           # eth1
> WWW_IP="66.224.54.117"          # Virtual external www IP
> DMZ_WWW_IP="192.168.1.2"       # WWW server in DMZ
> 
> < ... >
I honestly didn't read the part I clipped here.

> 
> Of course your firewall will likely also have a third interface for your
> 
Giving a separate (eth2) for users is a good choice.  It makes routing to
the NATed servers easier.  It also increases your servers' throughput and
clients' response (ping) time.

The wondershaper will always be a good idea, even if you're lucky enough to
have 1.54Mbps.

> private LAN.  If so, and you want the machines on your LAN to use the 
> services provided in your DMZ, you will probably need to find a way for 
> them to resolve www.x.edu to 192.168.1.2 (instead of your public www IP)
> 
There are large threads on this list about this topic.

> and then provide access through your firewall for them as well.
> 
> You might want to look into Shorewall or other iptables frontends to 
> help you out if you don't like writing your own rule sets.
> 
There are many small threads about this topic.

> Hope that helps.
> 
> -Nathan
> 
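The forwarding Nathan's message elides (inbound HTTP for the virtual external IP sent to the DMZ web server and back out) is shown below as an added example; it is not code from the original thread or from either poster. It reuses the addresses and interface names quoted in the message, assumes a stock iptables with the conntrack state match, and only prints the rules unless APPLY=1 is set, so it can be reviewed before anything is changed on the firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the iptables rules that
# forward inbound HTTP for the virtual external IP (WWW_IP) to the DMZ web server
# and let the replies back out. The addresses below are the ones quoted in the
# thread; the rule set itself is this example's own.
#
# By default the rules are only printed (dry run); run with APPLY=1 to execute them.

IPTABLES=${IPTABLES:-/sbin/iptables}   # Path to iptables
EXT_IF=${EXT_IF:-eth0}                 # External interface
DMZ_IF=${DMZ_IF:-eth1}                 # DMZ interface
WWW_IP=${WWW_IP:-66.224.54.117}        # Virtual external www IP (alias eth0:1)
DMZ_WWW_IP=${DMZ_WWW_IP:-192.168.1.2}  # WWW server in DMZ

# Packets for the alias address still arrive on the device "eth0", which is why
# "-i $EXT_IF" is enough here; iptables never sees the label "eth0:1".
# ("-i ${EXT_IF}+" would match too, but is broader than needed.)

# Print one rule per line. Only TCP/80 is rewritten and forwarded; anything else
# aimed at WWW_IP falls through to the FORWARD chain's default policy.
www_dnat_rules() {
    # 1. Rewrite the destination of inbound HTTP before routing happens.
    echo "$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp -d $WWW_IP --dport 80 -j DNAT --to-destination $DMZ_WWW_IP:80"
    # 2. Allow the rewritten packets to cross from the external side into the DMZ.
    echo "$IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $DMZ_WWW_IP --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT"
    # 3. Allow the replies back. Connection tracking undoes the DNAT on the way
    #    out, so no separate SNAT rule is needed for this flow.
    echo "$IPTABLES -A FORWARD -i $DMZ_IF -o $EXT_IF -p tcp -s $DMZ_WWW_IP --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules the generator emits (used as a sanity check).
rule_count() {
    www_dnat_rules | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    www_dnat_rules | sh -e     # apply for real (requires root and iptables)
else
    www_dnat_rules             # dry run: just show what would be applied
fi
```

Keeping the FORWARD rules restricted to TCP/80 and to the one DMZ host is the point: the DNAT alone does not open anything if the FORWARD policy is DROP, and widening either rule to "any port" is the usual way a DMZ forward quietly becomes a hole into the DMZ.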



		
__________________________________
Do you Yahoo!?
Take Yahoo! Mail with you! Get it on your mobile phone.
http://mobile.yahoo.com/maildemo 



Reply to: