that would cause more configuration issues on the servers in the DMZ, right ???
Nope. Just set the default gateway to 10.0.0.1 and everything would work. My ISP for example uses 192.168.* and 10.* for basically all of its routers/etc/etc, they all have a "Real" IP on the "external" interface (i.e. connection point), and clients like me have a "real" IP for our machines. Guess what? You're reading email sent from a server in this network =).
i mean default gw and IP address of the server are supposed to be on the same net. so i had to add one more route to the default gateway ???
huh? not at all. No reason you can't have servers with 1.2.3.4, 1.2.3.5, etc talking to 10.0.0.1 as their default gateway. Just make sure they know where 10.0.0.1 is, i.e.:

    route add -net 10.0.0.0 netmask 255.255.255.0 eth0

or

    route add -host 10.0.0.1 eth0

Another note: if your ISP was willing to play ball your firewall could use "non routed internal" IPs on all interfaces, the advantage would be you save a "Real" IP, and no external people can talk directly to the firewall. Prolly another strong reason my ISP does it on all the stuff (hard to attack something you can't route packets directly to).
am i right, not really sure !!
On an unrelated note: if I receive an out of office reply or annoying bounce from you (like Volvo's full mailbox guy for example, or the broken mail account at a certain company) I will block your domain from my mailserver until a) I flush my rules in a few months or b) you contact me from another host and can show you've fixed it. I'm sick of getting bounces from security mailing lists. -Kurt
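An added example, not part of Kurt's message or the original thread, that works through the off-link-gateway case discussed above: given a server address like 1.2.3.4/24 and a default gateway of 10.0.0.1, it decides whether the gateway is on the server's own subnet, emits the extra host route the server needs when it is not (the `route add -host` form from the thread), and reports whether the gateway address is in RFC 1918 space, which is the property that keeps the firewall's interface from being addressed directly from the Internet. The interface name `eth0` and the sample addresses are the thread's own; the function names and the legacy `route` command syntax it generates are assumptions of this example.

```python
import ipaddress
from typing import List

# Constructed sample: the server and gateway addresses used in the thread.
SAMPLE_SERVER = "1.2.3.4/24"
SAMPLE_GATEWAY = "10.0.0.1"


def gateway_is_on_link(server_cidr: str, gateway: str) -> bool:
    """True if the gateway address lies inside the server interface's subnet."""
    iface = ipaddress.ip_interface(server_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def gateway_is_internal(gateway: str) -> bool:
    """True if the gateway is a private (RFC 1918 / non-globally-routed) address.

    This is the "non routed internal IP" property from the thread: packets
    from the Internet cannot be routed to such an address directly.
    """
    return ipaddress.ip_address(gateway).is_private


def routes_needed(server_cidr: str, gateway: str, dev: str = "eth0") -> List[str]:
    """Return the legacy `route` commands a server needs to use `gateway`.

    If the gateway is off-link, a host route pinning it to the interface must
    be installed first; otherwise the kernel rejects the default route as
    unreachable. Assumed command syntax: net-tools `route`.
    """
    cmds = []
    if not gateway_is_on_link(server_cidr, gateway):
        cmds.append(f"route add -host {gateway} {dev}")
    cmds.append(f"route add default gw {gateway} {dev}")
    return cmds


def describe(server_cidr: str, gateway: str, dev: str = "eth0") -> str:
    """Human-readable summary of the routing plan and its exposure property."""
    on_link = gateway_is_on_link(server_cidr, gateway)
    internal = gateway_is_internal(gateway)
    lines = [
        f"server {server_cidr}, gateway {gateway}:",
        f"  gateway on-link: {on_link}",
        f"  gateway directly reachable from Internet: {not internal}",
        "  commands:",
    ]
    lines += [f"    {c}" for c in routes_needed(server_cidr, gateway, dev)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_SERVER, SAMPLE_GATEWAY))
    print(describe(SAMPLE_SERVER, "1.2.3.1"))
```

Run as a script it prints the plan for both the off-link gateway from the thread and an ordinary on-link one, so the difference (one extra host route, and whether the gateway is addressable from outside) is visible side by side.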