[Firehol-support] firewall issue

Carlos Rodrigues carlos.efr at mail.telepac.pt
Wed Mar 29 16:18:08 CEST 2006


It should be something like:

snat to ${firewall_routeable_address} src ${localnet} dst ${routeable_subnet}

You have to use the firewall's internal routeable address to force the
server to reply to it.

Now, you can also take another approach to this problem: make the
clients use the localnet address of the server, using split-horizon
DNS if needed (when asked about the server, the DNS replies with the
localnet address to local clients, and with the routeable address to
external clients). This would be the best approach (both logically and
performance-wise).

On 3/29/06, Catalin Constantin <catalin at bounce-software.com> wrote:
> Well, I think this is exactly what happens!
> The server also has a LOCAL IP: 192.168.0.10!
>
> Any hint for the nat command?
>
> Thanks!
>
> Wednesday, March 29, 2006, 3:15:48 PM, Carlos Rodrigues wrote:
> > You can add a router command:
>
> > router eth1-to-eth1 inface eth1 outface eth1
> >          route all accept
>
> > But this isn't enough if the server also has a localnet address. If it
> > does, a source nat will be needed (the client sends traffic to the
> > server through the firewall, then the server replies directly - with
> > the source being its localnet address - and the client refuses the
> > replies).
>
>
> --
> Catalin Constantin
> Bounce Software
> http://www.bounce-software.com
> http://www.cabanova.ro
>
>
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
>


--
Carlos Rodrigues
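As an added illustration of the hairpin setup discussed above (this is example configuration written for this page, not the original poster's config and not from the FireHOL project itself), the snippet below puts the `router eth1-to-eth1` and the `snat` line from the thread into a complete FireHOL 1.x style config. The interface names, the addresses (203.0.113.0/29 is a documentation subnet used as the "routeable" range, 192.168.0.0/24 as the localnet) and the service lists are assumptions; the FireHOL helper syntax (`snat to ...`, `router ... inface ... outface ...`, `masquerade`) is the 1.x syntax that was current when the thread was written.

```firehol
version 5

# All addresses below are hypothetical placeholders for this example.
routeable_subnet="203.0.113.0/29"          # public range reachable through eth1
firewall_routeable_address="203.0.113.1"   # the firewall's own address in that range
localnet="192.168.0.0/24"                  # RFC 1918 LAN, also attached to eth1

# NAT helpers must appear before any interface or router definition.
# A LAN client talking to the server's routeable address is source-NATed to
# the firewall's routeable address, so the server's replies come back through
# the firewall instead of going straight to the client over the LAN.
snat to ${firewall_routeable_address} outface eth1 src ${localnet} dst ${routeable_subnet}

interface eth0 internet
    protection strong
    server http accept
    client all accept

interface eth1 lan src "${localnet} ${routeable_subnet}"
    policy reject
    server all accept
    client all accept

# Hairpin path: packets that both enter and leave via eth1 (the router from the
# thread). Without the snat helper above, only the client->server half of each
# connection would pass through here.
router eth1-to-eth1 inface eth1 outface eth1
    route all accept

# Ordinary LAN <-> internet routing; only the private LAN is masqueraded,
# the routeable subnet is forwarded unchanged.
router lan2internet inface eth1 outface eth0
    masquerade src ${localnet}
    route all accept
```

The `outface eth1` restriction on the `snat` line keeps the rewrite from touching traffic that leaves through eth0. Two caveats a practitioner would check: the snat hides the real client address from the server's logs for these connections (which is why the split-horizon DNS approach in the reply above is preferable when it is available), and if the routeable address were hosted on the firewall itself and port-forwarded rather than routed to the server, a matching `dnat` helper would be needed in addition to the `snat` line.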



