Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] SuSE-FW-NO_ACCESS_INT->FWEXT (last attempt)
  • From: Maarten J H van den Berg <maarten@xxxxxxx>
  • Date: Fri, 2 Aug 2002 19:04:55 +0200
  • Message-id: <200208021904.55301.maarten@xxxxxxx>
On Thursday 01 August 2002 11:29, j0nas wrote:

[snip]

> (using the external ip), BUT when I try
> to access the web server using the external ip (or the domain pointing
> to my firewall) nothing happens and
> i get this logged in /var/log/firewall:

I also had this occur, but my case was even worse; I had portforwarding
for port 80 external address to an internal server. This, unlike your
problem (as stated in the other replies) seemed (or indeed really was?)
insolvable since the portforwarding occurs at an earlier stage than the
NAT, so by the time the NAT-ed packet arrives at the external interface
it could never be 'forwarded back in'. Or so I've been told anyway...

In such cases, apart from mangling the Iptables setup, it can be a nice
solution to let DNS solve this, either by having your internal DNS 'fake'
the real address (it then pretends www.domain.com is not in fact the
external, but the internal IP) or, as I currently do, just have a special
DNS name for your internal network and just TELL people they must use the
alternative name instead whenever they're located 'inside'. (tell them to
use "www.office.domain.com" instead of "www.domain.com")

This may or may not be tedious to them but I dislike faking DNS records
(it tends to turn into a great mess over time if you change the official
DNS records and 'forget' to change the internal one!) and if people stop
listening to their sysadmins then they're on their own anyway. So what
if they have to change 1 or 2 bookmarks ? Not my problem, is it ? ;-))

Choose your own, according to your preferences, or affinity.
Either of the three solutions mentioned will work for you.

Maarten

Oh P.S.: Do try to have your mails not sound like some kind of "ultimatum"
for us all to reply to, it tends to work _very_ counter-productive. ;-)

--
This email has been scanned for the presence of computer viruses.

Maarten J. H. van den Berg ~~//~~ network administrator
VBVB - Amsterdam - The Netherlands - http://vbvb.nl
T +31204233288 F +31204233286 G +31651994273
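
The mail above notes that internal DNS overrides become a mess once the official records change and the internal copy is forgotten. The following is an added example, not part of the original mail: a small audit that compares the public A records with the internal overrides and reports the ones that have drifted. The simplified "name A address" listing format, the addresses, the LAN range and every host name other than www.domain.com are constructed assumptions.

```python
import ipaddress

def parse_a_records(text):
    """Parse simplified 'name A address' lines into {name: address}."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop ';' comments
        if len(fields) == 3 and fields[1].upper() == "A":
            name = fields[0].rstrip(".").lower()
            records[name] = ipaddress.ip_address(fields[2])
    return records

def audit_overrides(public, internal, firewall_ip, lan):
    """Return {name: finding} for each internal override that has drifted."""
    firewall_ip = ipaddress.ip_address(firewall_ip)
    lan = ipaddress.ip_network(lan)
    findings = {}
    for name, addr in sorted(internal.items()):
        if addr not in lan:
            findings[name] = "override does not point into the LAN"
        elif name not in public:
            findings[name] = "orphaned: public record no longer exists"
        elif public[name] != firewall_ip:
            findings[name] = "stale: public record moved off the firewall"
    return findings

# Constructed sample data (documentation and private address ranges).
PUBLIC_SAMPLE = """
www.domain.com.   A 192.0.2.10     ; port-forwarded by the firewall
mail.domain.com.  A 192.0.2.10
shop.domain.com.  A 198.51.100.7   ; moved to an outside host
"""
INTERNAL_SAMPLE = """
www.domain.com.   A 192.168.1.20
mail.domain.com.  A 192.0.2.10     ; override that was never pointed inside
shop.domain.com.  A 192.168.1.30   ; forgotten after the move
old.domain.com.   A 192.168.1.40   ; public record was deleted
"""

def run_sample():
    return audit_overrides(parse_a_records(PUBLIC_SAMPLE),
                           parse_a_records(INTERNAL_SAMPLE),
                           "192.0.2.10", "192.168.1.0/24")

if __name__ == "__main__":
    for name, finding in run_sample().items():
        print(f"{name}: {finding}")
```
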
