hi all,
conceptual question. i've got two sketches of a solution, but wanted to pose
the problem and possible solutions to see if anyone knows why this wouldn't
(in theory :) work. or if anyone has a better idea.
scenario: firewall has two public interfaces: T1 (eth0), DSL (eth1).
lots of machines behind firewall on third interface (eth2).
some machines behind the firewall have an externally "valid" public IP.
this is so pcAnywhere can be run to connect back to each system. that
said, the tech support crowd has been sucking up the T1 bandwidth with
non-TS duties, so the question has been raised if anything _not_ pcAny
related can be routed out the DSL line. (ie, web, mail, ...) non-pcAny
ports are all blocked from the outside. (otherwise the DSL will be
disconnected really soon now.)
ergo, the situation would become essentially port-forward pcAny from an
alias on the firewall to a dummy 192.168.x.y addressed machine. any
non-pcAnywhere local-request traffic would be masq'd to the DSL line, but
all the pcAny traffic must go through the T1 line.
the real questions are (1) is this workable, and (2) is there a clean
way to handle it?
my "sketch" of a solution is to set up DNAT rules from the aliased
address on the firewall to the 192.168.x.y target based on the ports.
then in the masq file, specify that eth2 is covered by the DSL eth1.
my question about this sketch is (3) will the resulting reply packets
to the pcAny connection go out the DSL interface or the T1 ...? i
worry the answer is the DSL interface.
an alternate sketch is to use the one-to-one "nat" file and some rules
magic. i'm a little less certain how this would work. by keeping the
masq file entry for eth2 to be DSL, and setting up the nat-file like so
external-ip-1 eth0 internal-ip-1 no yes
....
and then set up some basic rules like
ACCEPT net loc:internal-ip-1 pcAny1 - -
ACCEPT net loc:internal-ip-1 pcAny2 - -
i _think_ this setup amounts to the earlier sketch. but again, will
the pcAny packets go out the T1 or the DSL?
any thoughts most welcome. pointers to FAQ entries that explain this
problem are welcome, and can be applied with a large piece of lumber
if appropriate.
thanks again to tom for a great firewall tool. sorry i keep asking
random questions like this and taking up time!
-josh
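As an added example, not part of josh's post and not Shorewall's own generated output: the raw iptables and iproute2 commands behind the first sketch (DNAT of the pcAnywhere ports from a T1 alias to an internal host, everything else from the LAN masqueraded out the DSL), plus the policy-routing piece that decides which line the pcAnywhere replies leave on. The interface names follow the post; the addresses, the pcAnywhere target host, the routing-table number and the mark value are assumptions, and the pcAnywhere ports are the product's documented defaults (TCP 5631 data, UDP 5632 status). Run without arguments the script only prints the commands it would execute, so it can be reviewed on any box.

```shell
#!/bin/sh
# Added example (not from the original post, not Shorewall's generated code):
# the iptables + iproute2 equivalent of "pcAnywhere via the T1, everything
# else masqueraded out the DSL". Prints the commands unless run as root with
# the "apply" argument.
#
# All addresses below are assumptions for illustration (RFC 5737 test ranges).
T1_IF=eth0;  T1_GW=203.0.113.1;   T1_ALIAS=203.0.113.10   # public alias on the T1
DSL_IF=eth1; DSL_GW=198.51.100.1
LAN_IF=eth2; LAN_NET=192.168.1.0/24
PCANY_HOST=192.168.1.50                  # the "dummy" 192.168.x.y pcAnywhere target
PCANY_SVCS="tcp:5631 udp:5632"           # pcAnywhere defaults: TCP 5631 data, UDP 5632 status
T1_TABLE=100                             # routing table whose default route is the T1
T1_MARK=1                                # fwmark meaning "this connection belongs to the T1"

# run: execute the command as root, otherwise (or with DRY_RUN set) just print it.
run() {
  if [ -z "${DRY_RUN:-}" ] && [ "$(id -u)" = 0 ]; then "$@"; else printf '%s\n' "$*"; fi
}

routes() {
  run ip addr add "$T1_ALIAS/32" dev "$T1_IF"
  # Main table: ordinary LAN-originated traffic defaults to the DSL.
  run ip route replace default via "$DSL_GW" dev "$DSL_IF"
  # Separate table whose default route is the T1 ...
  run ip route replace default via "$T1_GW" dev "$T1_IF" table "$T1_TABLE"
  # ... consulted only for packets carrying the T1 mark.
  run ip rule add fwmark "$T1_MARK" table "$T1_TABLE"
  run ip route flush cache
}

mark_rules() {
  # The kernel routes a forwarded reply before the DNAT is reversed (that
  # happens in POSTROUTING), so at routing time the reply still has source
  # 192.168.x.y and would follow the main table out the DSL. CONNMARK fixes
  # that: a connection that arrived on the T1 is marked once, and every later
  # packet of it (replies included) gets the mark restored and hits the T1 table.
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -i "$T1_IF" -m state --state NEW -j MARK --set-mark "$T1_MARK"
  run iptables -t mangle -A PREROUTING -i "$T1_IF" -m state --state NEW -j CONNMARK --save-mark
}

nat_rules() {
  # Port-forward pcAnywhere from the T1 alias to the internal host (the DNAT sketch) ...
  for svc in $PCANY_SVCS; do
    proto=${svc%%:*}; port=${svc#*:}
    run iptables -t nat -A PREROUTING -i "$T1_IF" -d "$T1_ALIAS" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$PCANY_HOST"
  done
  # ... and masquerade the LAN out the DSL only (the "eth2 covered by eth1" masq entry).
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$DSL_IF" -j MASQUERADE
}

filter_rules() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # From outside, only the pcAnywhere ports reach the target host, and only via the T1.
  for svc in $PCANY_SVCS; do
    proto=${svc%%:*}; port=${svc#*:}
    run iptables -A FORWARD -i "$T1_IF" -o "$LAN_IF" -d "$PCANY_HOST" -p "$proto" --dport "$port" -j ACCEPT
  done
  # The LAN may initiate anything, but only towards the DSL.
  run iptables -A FORWARD -i "$LAN_IF" -o "$DSL_IF" -j ACCEPT
}

apply_all() { routes; mark_rules; nat_rules; filter_rules; }

# Prints the full ruleset without touching the system, for review.
render_ruleset() { ( DRY_RUN=1; apply_all ); }

# Usage: sh dualwan.sh            -> print the commands
#        sudo sh dualwan.sh apply -> apply them
case "${1:-show}" in
  apply) apply_all ;;
  *)     render_ruleset ;;
esac
```

The routing-side part (ip rule / ip route) is plain iproute2 configuration that lives outside the NAT and filter rules, and it is the part that answers which line the replies use: without the mark, a reply from the internal host is routed on its private source address through the main table, i.e. out the DSL, and a rule keyed on the T1 alias as source address never fires because the source is only rewritten after routing. With the mark, pcAnywhere replies follow table 100 out eth0, while anything the same host initiates itself carries no mark, takes the main table, and is masqueraded out the DSL.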