Hi,

I have a small problem that I am sure some have seen before.

Scenario:
- DMZ with WEB-server and DNAT:ed external addresses
- Local net where users want/have to access the WEB-server with the EXTERNAL address

The firewall doesn't seem to like the situation as it will drop the packages that should go as far as the external interface, then be rerouted to the DMZ.

Any hints?

--
Dag Nygren                 email:  dag@newtech.fi
Oy Espoon NewTech Ab       phone:  +358 9 8024910
Träsktorpet 3              fax:    +358 9 8024916
02360 ESBO                 Mobile: +358 400 426312
FINLAND
On Thursday 18 December 2003 08:01 am, Dag Nygren wrote:
> Hi,
>
> I have a small problem that I am sure some have seen before.
>
> Scenario:
> - DMZ with WEB-server and DNAT:ed external addresses
> - Local net where users want/have to access the WEB-server with the
> EXTERNAL address
>
> The firewall doesn't seem to like the situation as it will drop the
> packages that should go as far as the external interface, then be rerouted
> to the DMZ.
>
> Any hints?

Add DNAT rules for loc->dmz where the ORIGINAL DEST column contains the external address.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
> Add DNAT rules for loc->dmz where the ORIGINAL DEST column contains the
> external address.

Ahh, didn't think about that. I will try it out.

Dag
> > Add DNAT rules for loc->dmz where the ORIGINAL DEST column contains the
> > external address.
>
> Ahh, didn't think about that. I will try it out.

Actually it was very easy: Instead of DNAT:ing only from Zone "net" I changed the rule to DNAT from "all".

Thanks for the tip

Dag
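The two rule shapes discussed in this thread, written out as a Shorewall `rules` fragment; this is an added illustration, not a file from the original posts, and the zone names (net, loc, dmz), the public address 203.0.113.5 and the server address 10.1.1.10 are placeholders I chose.

```conf
# /etc/shorewall/rules fragment (illustration only; addresses are placeholders)
# Assumed zones: net = Internet side, loc = local users, dmz = web server.
# Assumed addresses: 203.0.113.5 = external (public) IP of the firewall,
#                    10.1.1.10   = web server inside the DMZ.
#
#ACTION  SOURCE  DEST            PROTO  DEST   SOURCE  ORIGINAL
#                                       PORT   PORT    DEST

# Original rule: only connections arriving from "net" are rewritten.
# A user in "loc" who browses to 203.0.113.5 is not matched, so the
# packet is routed toward the external interface and dropped.
#DNAT   net     dmz:10.1.1.10   tcp    80     -       203.0.113.5

# Fix from the thread: apply the DNAT to every zone, but KEEP the
# ORIGINAL DEST column so only traffic addressed to the public IP is
# rewritten. With SOURCE "all" and no ORIGINAL DEST, every tcp/80
# connection from loc (to any web site) would be redirected into the
# DMZ server.
DNAT    all     dmz:10.1.1.10   tcp    80     -       203.0.113.5

# Equivalent, more explicit form (Tom's suggestion): one rule per zone.
#DNAT   net     dmz:10.1.1.10   tcp    80     -       203.0.113.5
#DNAT   loc     dmz:10.1.1.10   tcp    80     -       203.0.113.5
```

Because loc and dmz sit on different firewall interfaces, the server's replies already return through the firewall, so no additional SNAT/masquerade entry is needed for this loc->dmz case.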