On Sun, 2002-05-05 at 16:35, Dawson, Alan wrote:

> But isn't that even more horrible, running 2 DNS servers each purporting to
> be authoritative for mydomain.org but one answering requests for internal
> clients and the other for external ones.

I said split DNS; doesn't have to be two DNS servers ;) But, yes, that is the most obvious way. There's nothing wrong with that configuration, you're just worried about maintaining the separate zones.

The problem with the mangling machinery is that you're going to be mangling packets twice. They go from the internal network, traverse the gateway (probably masquerading?), at which point they have to go back down a port-forwarding mangler and out the other end. (Internal -SNAT-> gateway -DNAT-> bastion server).

Alternatively, you can have a complete NAT solution by doing simple packet rewriting, but then you've got the split configuration problem again: by not hitting the port-forwarding machinery you need to replicate it, which means when the server you're making available externally moves its IP address/port/service (etc.) you have to change both the port forwarder and the internal mangler. (Internal -> Gateway -NAT-> bastion server; External -> Gateway -DNAT-> Bastion Server).

To be honest, wherever possible always dump the NAT option. It's a hack. Rather than put in port 80 rules, always put in a proxy. Otherwise, you mess up your routing and end up with problems where something 'mostly' works, but occasionally doesn't.

Cheers,

Alex.
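Added example, not part of the thread: a toy model of the "mangle twice" problem Alex describes, showing why an internal client reaching the bastion via the public address needs both DNAT and a hairpin SNAT on the gateway, and how split DNS sidesteps the gateway entirely. All addresses are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed addresses (not from the thread).
CLIENT  = "10.0.0.5"      # internal client
GATEWAY = "10.0.0.1"      # gateway's internal address
BASTION = "10.0.0.80"     # the server being published
PUBLIC  = "203.0.113.10"  # gateway's external address, the one in public DNS
LAN     = "10.0.0."       # internal network prefix

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class Gateway:
    """Port forwarder: DNAT PUBLIC -> BASTION, optionally SNAT the client too."""
    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # translated (src, dst) -> original (src, dst)

    def forward(self, pkt):
        if pkt.dst != PUBLIC:
            return pkt                         # not a forwarded flow
        out = replace(pkt, dst=BASTION)        # DNAT: PUBLIC -> BASTION
        if self.hairpin_snat:
            out = replace(out, src=GATEWAY)    # SNAT: CLIENT -> GATEWAY
        self.conntrack[(out.src, out.dst)] = (pkt.src, pkt.dst)
        return out

    def unnat(self, reply):
        """Reverse both translations on the return path (the second mangle)."""
        orig_src, orig_dst = self.conntrack[(reply.dst, reply.src)]
        return Packet(src=orig_dst, dst=orig_src)

def reply_source_seen_by_client(hairpin_snat):
    """Source address the client sees on the bastion's reply."""
    gw = Gateway(hairpin_snat)
    forwarded = gw.forward(Packet(CLIENT, PUBLIC))   # client used the public name
    reply = Packet(src=forwarded.dst, dst=forwarded.src)  # bastion answers the sender
    if reply.dst.startswith(LAN) and reply.dst != GATEWAY:
        return reply.src   # same LAN: reply goes straight to the client, gateway never sees it
    return gw.unnat(reply).src

def client_accepts(hairpin_snat):
    # The client expects the reply from the address it connected to.
    return reply_source_seen_by_client(hairpin_snat) == PUBLIC

def split_dns_resolve(client_ip):
    """Split DNS: one name, internal askers get the internal address."""
    return BASTION if client_ip.startswith(LAN) else PUBLIC
```

Without the hairpin SNAT the reply arrives from the bastion's internal address and the client discards it; with split DNS the internal client talks to the bastion directly and the gateway's rules are never involved.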