 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Jim McBeath <jimmc at macrovision dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] incoming NAT to DMZ [was Can't ping DMZ]
 Date:  Sat, 1 Nov 2003 10:20:12 +0100

On 31.10.2003, at 22:20, Jim McBeath wrote:

> forwards port 80 to the web server on the DMZ, and that works.  The web
> server has a default route set up to point back to the Netscreen; is that
> why it can't respond to the Soekris?  If so, is there a way to set up

Almost definitely. Most firewalls want to see both directions for the 
stateful packet filtering to work, and I guess the Netscreen is no 
exception.

> my DMZ web server to respond to NATed port forwarding from two different
> boxes, or is that hopeless?

Probably yes, unless you want to give up some of the security that 
stateful packet filtering offers... You're on your own there, though.

BTW, thanks for the filter rule patches! I'm looking into integrating 
them right into the next release... :)

- Manuel