
Re: routing / ipchains / security question?



On Thu, Nov 09, 2000 at 11:29:48AM -0800, Ed Lazor wrote:
> Here's my situation:
> 
> Hosts on the internal network can access the Internet by masquerading 
> through the firewall - standard configuration.
> 
> The Internet can access a web server residing on the internal network, 
> because the ip address of the web server is bound as an alias to the 
> external network card of the firewall.  The firewall then port forwards all 
> traffic from port 80 of this ip to port 80 of the real server's internal ip 
> address.
> 
> My understanding is that the web server is usually set up as a separate box 
> and thrown in the DMZ.  In situations where the web server provides 
> additional services, like Samba, I understand the next best solution is the 
> one I've described above.
> 
> Here are my questions:
> 
> Am I right?  Given the circumstances, is this the best solution for my web 
> server?

You're limiting access to your web-server to just port 80, which doesn't
hurt.

> How come hosts on the internal network can't access the web server using 
> its Internet address?

This is an issue with your firewall.  It's only port-forwarding from the
internet side.

When your other machines try to connect to the external IP address,
they're sending those packets to the firewall for forwarding to the
internet, and the firewall isn't handling them correctly.

-- 
Steve Borho                       Voice:  314-439-8342
Member of Technical Staff
Celox Networks Inc                http://www.ietf.org/rfc/rfc1925.txt
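
The following is an added illustration, not part of the original message and not a model of ipchains itself: a toy Python simulation of the failure described above, where a port-forward rule that only matches on the external interface leaves internal clients without a reply. It goes one step beyond the reply by also showing why forwarding on the internal side still fails unless the firewall rewrites the source address as well. All addresses, the interface names `ext`/`int`, and the function names are assumptions constructed for the example.

```python
import ipaddress

# Constructed addresses for illustration; none come from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
EXT_IP = "203.0.113.10"    # web server alias on the firewall's external NIC
FW_INT = "192.168.1.1"     # firewall's internal address
WEB_INT = "192.168.1.20"   # real web server
CLIENT = "192.168.1.50"    # internal workstation
REMOTE = "198.51.100.7"    # Internet client


def forward(src, dst, dport, in_iface, portfw_ifaces, masq_internal):
    """Apply the port-forward rule; return (src, dst) as delivered to the
    web server, or None if the rule does not match on this interface."""
    if dst != EXT_IP or dport != 80 or in_iface not in portfw_ifaces:
        return None
    if masq_internal and in_iface == "int":
        src = FW_INT           # also rewrite the source so replies return via the firewall
    return (src, WEB_INT)


def reply_source_seen(src, in_iface, portfw_ifaces, masq_internal=False):
    """Source address on the reply the client receives (None: no reply)."""
    delivered = forward(src, EXT_IP, 80, in_iface, portfw_ifaces, masq_internal)
    if delivered is None:
        return None
    reply_to = ipaddress.ip_address(delivered[0])
    if reply_to in LAN and str(reply_to) != FW_INT:
        return WEB_INT         # server answers directly on the LAN, untranslated
    return EXT_IP              # reply crosses the firewall, translation is reversed


def connects(src, in_iface, portfw_ifaces, masq_internal=False):
    """A TCP client only accepts replies from the address it dialled."""
    return reply_source_seen(src, in_iface, portfw_ifaces, masq_internal) == EXT_IP


if __name__ == "__main__":
    print("internet client       :", connects(REMOTE, "ext", {"ext"}))
    print("internal, ext-only fw :", connects(CLIENT, "int", {"ext"}))
    print("internal, fw both     :", connects(CLIENT, "int", {"ext", "int"}))
    print("internal, fw + masq   :", connects(CLIENT, "int", {"ext", "int"}, True))
```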