[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

firewall ruleset...


I'm trying to come up with a firewall ruleset...

a box on a local lan serves http
a firewall has static internal ip and dynamic external ip
the dynamic ip is updated in dns when it changes
various domains are listed as CNAME to the dynamic A record in dns

vdomains all work fine when requests come from outside but when local
machines use the same names, they get to the firewall interface, but
either don't make it to http server, don't make it back to the client or
the clients ip is lost due to 'reverse masquerading'; depending on the
ruleset used (never actually tried the last one).

So the question: how do I configure the firewall to enable LAN clients
to use 'internet dns names' to connect to a local server via the
external ip and have the the response properly routed to the client?

In the course of writing this it occured to me that if I made a
virtual dmz, ie put another subnet (alias ip) on the server and
firewall LAN interfaces, the firewall could be configured to NAT
connections there, whether they came from the regular LAN subnet or the
outside, err but then LAN client responses would go via the local LAN
switch and not the firewall, the client still wouldn't see them.....

So the question again, is there some way to access local services via
internet dns names. In the past I just had a local dns server with the
domains mapped to the local static LAN ip addresses. I'm trying to avoid
that and use one set of dns records. (don't want a new physical dmz

The only way I see it as possible is through SNAT (ie 'reverse
masquerading') the local ip as it leaves the firewall for the server,
but then the source ip is lost in web logs.:-\

// George

GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027    <IXOYE><
Security Services, Web, Mail,            mailto:george@galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 

Reply to: