 
From: Maarten J H van den Berg (maarten_at_vbvb.nl)
Date: Fri Aug 02 2002 - 12:04:55 CDT


    On Thursday 01 August 2002 11:29, j0nas wrote:

    [snip]

    > (using the external ip), BUT when I try
    > to access the web server using the external ip (or the domain pointing
    > to my firewall) nothing happens and
    > i get this logged in /var/log/firewall:

    I also had this occur, but my case was even worse; I had port forwarding
    for port 80 external address to an internal server. This, unlike your
    problem (as stated in the other replies) seemed (or indeed really was?)
    insolvable since the port forwarding occurs at an earlier stage than the
    NAT, so by the time the NAT-ed packet arrives at the external interface
    it could never be 'forwarded back in'. Or so I've been told anyway...

    In such cases, apart from mangling the Iptables setup, it can be a nice
    solution to let DNS solve this, either by having your internal DNS 'fake'
    the real address (it then pretends www.domain.com is not in fact the
    external, but the internal IP) or, as I currently do, just have a special
    DNS name for your internal network and just TELL people they must use the
    alternative name instead whenever they're located 'inside'. (tell them to
    use "www.office.domain.com" instead of "www.domain.com")

    This may or may not be tedious to them but I dislike faking DNS records
    (it tends to turn into a great mess over time if you change the official
    DNS records and 'forget' to change the internal one!) and if people stop
    listening to their sysadmins then they're on their own anyway. So what
    if they have to change 1 or 2 bookmarks? Not my problem, is it? ;-))

    Choose your own, according to your preferences, or affinity.
    Any of the three solutions mentioned will work for you.

    Maarten

    Oh P.S.: Do try to have your mails not sound like some kind of "ultimatum"
    for us all to reply to, it tends to work _very_ counter-productive. ;-)

    -- 
    

    Maarten J. H. van den Berg ~~//~~ network administrator VBVB - Amsterdam - The Netherlands - http://vbvb.nl T +31204233288 F +31204233286 G +31651994273

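Added example, not part of the original message: a small audit of the internal DNS override approach described above, flagging the drift that appears when the official records change and the internal copy is forgotten. The function name, the finding labels, the addresses and every host name other than www.domain.com and www.office.domain.com are constructed for illustration.

```python
import ipaddress

# Constructed sample data: 203.0.113.10 stands in for the firewall's external
# address whose port 80 is forwarded to an internal server on 192.168.1.0/24.
PUBLIC = {
    "www.domain.com": "203.0.113.10",
    "mail.domain.com": "203.0.113.10",
    "shop.domain.com": "198.51.100.7",   # moved to an outside host
}
INTERNAL = {
    "www.domain.com": "192.168.1.20",         # internal override of the real address
    "shop.domain.com": "192.168.1.30",        # override left behind after the move
    "www.office.domain.com": "192.168.1.20",  # separate internal-only name
}


def audit_split_dns(public, internal, forwarded_ip, lan):
    """Compare internal override records with the public zone.

    public, internal: dict mapping host name -> IPv4 address string
    forwarded_ip:     external address that is port-forwarded inward
    lan:              internal network in CIDR notation
    Returns a sorted list of (name, finding) tuples.
    """
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for name, addr in public.items():
        override = internal.get(name)
        if addr == forwarded_ip:
            # Inside clients resolving this name would hit the external address.
            if override is None:
                findings.append((name, "missing-override"))
            elif ipaddress.ip_address(override) not in lan_net:
                findings.append((name, "override-not-internal"))
        elif override is not None and override != addr:
            # Public record no longer points at the firewall; internal copy is stale.
            findings.append((name, "stale-override"))
    # Names that exist only inside (the alternative-name approach); informational.
    for name in internal.keys() - public.keys():
        findings.append((name, "internal-only"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_split_dns(PUBLIC, INTERNAL, "203.0.113.10", "192.168.1.0/24"):
        print(f"{finding:22} {name}")
```

In practice the two dictionaries would be filled from the official zone and the internal resolver's records rather than written by hand.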