[Shorewall-users] design issue?
Sat, 13 Apr 2002 06:14:48 -0700 (Pacific Daylight Time)
On Fri, 12 Apr 2002, David Smead wrote:
> Thanks for confirming the nat question. I'm keeping notes for a
> mini-primer which I hope will be useful to others.
> I'm trying to drop shorewall into an existing configuration without
> backing up into the internal system. We have an ancient firewall running
> Linux 2.0.36, bubble gum and baling wire, (uptime - 308 days). The server
> in the dmz has an IP of 192.168.1.10. It runs Apache with virtual
> The ancient firewall uses an old program called redir which redirects all
> port 80 traffic for two public IPs to the server in the dmz. Local
> computers on other internal networks access the dmz server using its
> private IP. Presently the dmz server is masqueraded so any email it sends
> is handled properly.
> So, to avoid changes that disrupt other computers I need to keep the
> 192.168.1.10 on the server in the dmz. My idea is to alias the interface
> with the two public IPs. If I can proxyarp the two public IPs on the
> firewall and masquerade the private number of the dmz in the firewall then
> nothing should ripple out into the other systems.
> If I can make things work like that then I can go into the other systems
> one at a time and change their accesses to one of the public IPs. Then I
> can revisit the firewall and clean it up.
On your new firewall, I would simply use port forwarding to forward port
80 from the two public IPs to your server and SNAT the server's access to
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ firstname.lastname@example.org
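A Shorewall configuration matching the port-forward-plus-SNAT approach suggested above, as an added example that is not from the original thread. It assumes Shorewall 4.x file syntax (not the 2002 release the thread used), a `net` zone on eth0 and a `dmz` zone, and uses the documentation addresses 203.0.113.10 and 203.0.113.11 as stand-ins for the two public IPs.

```conf
# /etc/shorewall/rules  (added example; Shorewall 4.x syntax assumed)
# Port-forward TCP/80 arriving at either public IP to the DMZ web server.
# The ORIGINAL DEST column limits each rule to traffic addressed to that
# public IP, so nothing else bound to the firewall is exposed.
#ACTION   SOURCE   DEST                PROTO   DEST    SOURCE   ORIGINAL
#                                              PORT    PORT(S)  DEST
DNAT      net      dmz:192.168.1.10    tcp     80      -        203.0.113.10
DNAT      net      dmz:192.168.1.10    tcp     80      -        203.0.113.11

# /etc/shorewall/masq  (added example; 5.x moved this to "snat" with other columns)
# SNAT the server's own outbound traffic (e.g. the mail it sends) to one of
# the public IPs, so it never leaves the firewall sourced from 192.168.1.10.
# Hosts on the internal networks keep reaching the server at 192.168.1.10
# directly; that path is plain routing and needs no NAT entry.
#INTERFACE   SOURCE          ADDRESS
eth0         192.168.1.10    203.0.113.10

# /etc/shorewall/policy  (added example)
# Default deny from the Internet into the DMZ; only the DNAT rules above
# admit net -> dmz traffic. Outbound from the DMZ is allowed for mail.
#SOURCE   DEST   POLICY   LOG LEVEL
net       dmz    DROP     info
dmz       net    ACCEPT
```

Run `shorewall check` to validate the files before `shorewall restart`, and confirm with a packet capture that the server's outbound connections now carry the public source address.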