On Monday 03 February 2003 00:39, Togan Muftuoglu wrote:
> * Marc Christensen; on 03 Feb, 2003 wrote:
>
> So you want to reach your external interface from your internal network. This is not possible without tweaking FW_CUSTOM to enable such access, as SuSEfirewall2 by default denies these requests.
Yes, this is what I want to do. From the EXAMPLE file item #9, it states (emphasis on the words 'on the firewall' not mine):
> SuSEfirewall2 will drop requests coming to the External address which have private addresses; this is antispoofing. The only way you can change this is adding your rules in the custom script "fw_custom_before_antispoofing".
So, if I understand, a packet coming from a 192.168.1.xxx (non-routable IP address) to a real IP address will be dropped even if it is a trusted network? This is a pain...
> # placeholders: internal_int is the LAN-side interface, internal_net/mask the trusted LAN, external_ip the address of the external interface
> iptables -A INPUT -i internal_int -s internal_net/mask -d external_ip -j ACCEPT
>
> You can add port numbers as well, so you will be limiting the behavior of this permission.
Thanks...I'll look into this. [snip]
>> These DNS entries are all valid and either CNAMEs or A records for the real-world server IP. Being able to put in FQDNs for these services is important because it allows new servers to be installed to take on the above functions transparently to the clients. If I have them enter IPs for the internal masqueraded network, they will have to reconfigure their TCP/IP setup if one of these changes.
> Taking into consideration that I have had only one cup of coffee yet, why don't you set up a DNS for internal use only, so your clients can still reach them by FQDN internally?
Yea, I thought of that as well. I just don't want to maintain two zone files, all duplicates, when I should only have to maintain one. If I can't get the above custom rule set to work, I'll probably end up doing this. Thanks.

--
Marc Christensen
http://www.mecworks.com
http://www.mecworks.com/~marc/resume
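The rule suggested in the thread, written out as the fw_custom_before_antispoofing hook SuSEfirewall2 calls from its custom script. This is an added example, not code from the thread or from SuSEfirewall2 itself; the interface name, internal network, external address and port list are assumed placeholders, and the hook is limited to a few TCP ports as Togan suggests rather than opening the whole address.

```shell
#!/bin/sh
# Added example (not from the thread): a SuSEfirewall2 custom hook that lets the
# trusted LAN reach the external interface address on selected ports. SuSEfirewall2
# runs fw_custom_before_antispoofing before it installs its antispoofing drops, so
# rules appended here are evaluated first. All values below are assumed placeholders.
INT_IF="${INT_IF:-eth1}"                     # assumed: interface facing the internal LAN
INT_NET="${INT_NET:-192.168.1.0/24}"         # assumed: the trusted internal network
EXT_IP="${EXT_IP:-203.0.113.10}"             # constructed address from a documentation range
PORTS="${PORTS:-25 80 110 143}"              # assumed: only the services the clients need
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

# Emit one ACCEPT rule per TCP port. Matching ingress interface, source network
# and destination address together means only packets that really arrive on the
# LAN side are exempted; a private source address showing up on the external
# interface is still caught by the antispoofing rules that follow.
gen_rules() {
    for port in $PORTS; do
        printf '%s -A INPUT -i %s -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
            "$IPTABLES" "$INT_IF" "$INT_NET" "$EXT_IP" "$port"
    done
}

# The hook SuSEfirewall2 calls. With DRY_RUN set, the rules are printed instead
# of installed, so the script can be checked before it is dropped into place.
fw_custom_before_antispoofing() {
    gen_rules | while IFS= read -r rule; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf '%s\n' "$rule"
        else
            eval "$rule"
        fi
    done
    true
}
```

Running it with DRY_RUN=1 prints the four rules; without it, the hook installs them. Keeping the port list short is the point of Togan's "you can add port numbers" remark: the exemption should cover only what the internal clients actually need from the public address, not every service listening on it.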