On Sunday 14 October 2001 07:56 am, rwatson@OFDA.NET wrote:
> I have a home network with SuSE as firewall; inside the firewall, I have a couple of PCs, a webserver and DNS.
> Remembering that I only have 1 IP address, what do I set up so that (from outside) if I ping a host by name, the host machine answers the ping, DNS request, or webserver; not the firewall?
Short answer: You don't. A ping is an ICMP echo request and response, sent to a particular IP address. Since you have only one IP address visible from the outside, you will have only one host able to answer pings. DNS will resolve names to IP addresses, and if DNS resolves all your hostnames to the common IP address of your ADSL line, any ping (or telnet or www or whatever) from outside will by definition go to that address. The IP addresses you use inside the firewall aren't visible from outside, no matter what you do with your firewall, unless your ISP routes these addresses to your line. That's the point of masquerading in the first place.

Now, on a brighter note, you *can* use port forwarding to have specific TCP/IP services (http, telnet, ssh, ftp, and so on) forwarded by your firewall to the correct host inside your LAN. From the outside, it will appear that everything is serviced by the firewall, but the firewall forwards the request internally. I have an Asante' firewall appliance that can do this, and I use the capability to allow me to SSH to my personal workstation from outside.

Use this kind of setup with extreme caution! The more hosts you have that are visible from outside, the more potential you have for someone to crack your network. Most situations where people use this kind of inbound port forwarding are where there is a physically-separated "demilitarized zone" (DMZ) LAN that is not part of the external Internet nor of the private LAN. The idea is that the hosts on the DMZ aren't fully exposed to the Internet itself, but also are somewhat segregated from the private LAN so that cracking one of the DMZ hosts isn't the same as getting carte-blanche to the entire network. A DMZ is best accomplished by using two separate firewalls or by having three NICs in the main firewall (one for DSL, one for LAN, and one for DMZ). It can be complex to set up, as you can imagine, but it can be done with IPTABLES.

Take a look at the IPTABLES Howto for additional details on how to do this, or post back to the list if you're still confused after reading the docs. If all else fails, I'll work with you by private e-mail on this, to keep from sucking up too much list bandwidth.

Scott

-- 
-----------------------+------------------------------------------------------
Scott Courtney         | "I don't mind Microsoft making money. I mind them
courtney@4th.com       | having a bad operating system." -- Linus Torvalds
http://www.4th.com/    | ("The Rebel Code," NY Times, 21 February 1999)
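A concrete rule set for the port-forwarding arrangement described above, added here as an example and not part of Scott's reply: it prints the iptables commands for review instead of running them, keeps FORWARD at default DROP so only the named services reach the LAN, and uses constructed placeholder interface names and addresses.

```shell
#!/bin/sh
# Added example, not from the original message. Constructed assumptions:
# eth0 is the DSL side carrying the single public address, eth1 is the LAN,
# the web server is 192.168.1.20 and the DNS server is 192.168.1.30.
WAN_IF=eth0
LAN_IF=eth1
WEB_HOST=192.168.1.20
DNS_HOST=192.168.1.30

# Emit the two rules needed to expose one service on one inside host.
# Commands are printed, not executed, so they can be reviewed; as root,
# apply with:  firewall_script | sh
forward_rules() {
    proto=$1; port=$2; host=$3
    # nat/PREROUTING rewrites the destination from the public address to the LAN host
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $host:$port"
    # the rewritten packet must also pass filter/FORWARD: this port, this host, nothing else
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $host --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Baseline: forward nothing by default, masquerade LAN traffic behind the one
# public address, and let replies to inside-originated connections back in.
base_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Full rule set for the poster's layout: web on 80/tcp, DNS on 53/udp and 53/tcp.
firewall_script() {
    base_rules
    forward_rules tcp 80 "$WEB_HOST"
    forward_rules udp 53 "$DNS_HOST"
    forward_rules tcp 53 "$DNS_HOST"
}

firewall_script
```

Pings from outside still land on the firewall itself, exactly as the reply says; only the listed TCP/UDP services are handed to inside hosts.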