From: Hector Riquelme L. (hector.riquelme@usa.net)
Date: Wed May 16 2001 - 18:25:45 PDT
Hi Alaxa:
I understood your problem. I think the best solution is to
have two DNS (name servers):
1.- External DNS. It will be seen from the internet. It has your
records with valid IPs. Example:
www IN A 200.23.34.24
2.- Internal DNS. It will be seen ONLY from your internal or trusted
network. It will keep your private address records. Example:
www IN A 192.168.1.100
200.23.34.24 is the external, valid IP for your web server and
192.168.1.100 is the internal address for the same web server.
You must configure your internal machines (Windows, Linux, etc.) to
use the internal DNS server. That's all folks.
I have the internal and external DNS running on the firewall machine,
with Linux of course. The internal one listens on the internal interface and
the external one listens on the external interface.
Good luck
Hector Riquelme L.
alaxa@usa.net wrote:
Sorry for my delay and thanks for your quick answers.
I didn't speak about details because I don't like reading very long posts, so
I can imagine you reading mine if it is long :^)
So my network is configured like this:
the internet
    |-------> eth0      .-----------.
    62.x.y.z            |linux-fwall|----eth1
                        '-----------'    192.168.1.1
                                             |
                                             |
internal PC network --|      .-----------------.
                      '------| Win2k WWW 'n DNS|
                             |  192.168.1.100  |
                             '-----------------'
I hope the drawing is clear enough..
So the web and the DNS are internal. The DNS serves other domains that we
host and some outer PC clients like the Linux box (which is a virtual domain
mail server too).
The Web server is for some domains we host.. many of them point to the 62.x.y.z IP
(eth0 on Linux) and then are port-forwarded to the WEB server.
Now, all is working: the internet can see my DNS and WWW, and the internal
clients can browse the internet through IP MASQUERADE.
So I used Ipchains+Masquerading+Ipmasqadm.
Now the trouble is that if I own www.foo.com no internal PC client can
connect to that site (we host and do maintenance on web sites, so my request
of browsing to a site I own is correct :^) because they are resolved as 62.x.y.z
instead of 192.168.1.100.
I know that ipmasqadm can't port forward this request because it's generated
from the internal side..
..and now I'm looking for a nice solution :^)
I found these:
1) put the web server external to the firewall :^)
2) modify the hosts file in each client, putting an entry like
192.168.1.100 www.foo.com
but doing so we can only set a www and not a whole domain
3) use the Linux box's DNS for resolving those guest domains internally as
192.168.1.100 - but this is trivial also because it should be done
by "windows-ed minds" :^)
any ideas?
thanks again
alaxa
____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
****************************************************************************
* To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
* in the message body to majordomo@pointman.org. Please direct other
* questions, comments, or problems to pmfirewall-owner@pointman.org.
*
* Need answers fast? Check the list archive located at:
* http://www.pointman.org/PMFirewall/list-archive/
*
Hector S. Riquelme Lizama
The apprentice of magic
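The two-DNS setup Hector describes, as an added example that is not part of the original post or the list's own configuration: Hector runs two separate name servers bound to different interfaces; on a single BIND 9 host the same split can be expressed in one named.conf with views. 62.x.y.z is the thread's placeholder for the real external address; foo.com, the 192.168.1.0/24 network and the zone file paths are assumptions.

```conf
// Added example: split-horizon DNS for the thread's scenario in BIND 9 views.
// Assumptions: zone foo.com, internal network 192.168.1.0/24, zone file paths.
// 62.x.y.z is the thread's placeholder for the firewall's external address.
options {
    directory "/var/named";
    // One daemon bound to both interfaces; the views decide who sees what.
    listen-on { 192.168.1.1; 62.x.y.z; };
    allow-transfer { none; };
};

acl internal_nets { 192.168.1.0/24; 127.0.0.1; };

// Views are matched in order, so the trusted view comes first.
// Internal clients get the private address and reach the web server
// directly instead of being sent to the masquerading firewall's
// external address, which ipmasqadm cannot forward back inside.
view "internal" {
    match-clients { internal_nets; };
    recursion yes;                        // internal clients resolve the internet here
    allow-recursion { internal_nets; };
    zone "." { type hint; file "named.root"; };
    zone "foo.com" {
        type master;
        file "internal/foo.com.zone";     // contains: www IN A 192.168.1.100
    };
};

// Everyone else: authoritative answers only, no recursion, so the
// public-facing server cannot be abused as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "foo.com" {
        type master;
        file "external/foo.com.zone";     // contains: www IN A 62.x.y.z
    };
};
```

Once views are in use, every zone (including the root hints) must live inside a view; clients inside 192.168.1.0/24 must point at 192.168.1.1 as their resolver for the internal answers to apply.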
This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:41:37 PDT