 From:  Melvin Backus <melvin at sleepydragon dot net>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] can't access to a domain name which is hosted in my LAN
 Date:  Wed, 19 Jan 2005 15:25:14 -0500
Chris Buechler wrote:

>On Wed, 19 Jan 2005 10:28:08 -0330, Anthony Paul <anthonypaul at gmail dot com> wrote:
>>I don't think this works if you are using AD on your network.
>>I appreciate there are a number of workarounds that work to varying
>>degrees, and have varying degrees of upkeep, varying degrees of
>>configuration complexity, but as one of the above posters said, it's
>>frustrating that every $20 router on the market can do this - no
>>configuration required.
>But a $25K Cisco PIX *can't* do it.  There are other commercial
>firewalls with the same limitation.  So I wouldn't moan too much about
>it.  Your $20 routers also aren't real firewalls, don't support
>multiple public IPs and advanced NAT configurations, etc.  Overcoming
>it is a lot easier when you can only have one possible public IP and
>have very minimal flexibility in configuration.
>There are bounce utilities that'll get around this problem.  If it
>bugs you that much, find one and figure out how to configure it to get
>around this.
This isn't really a matter of m0n0 or the PIX or anything else NOT doing
something, it is in fact a matter of them doing what they're designed to
do.  That happens to be preventing spoofing of IP addresses to allow entry
through the firewall.  If you'd like to disable that protection, then
m0n0 and the PIX, and any other firewalls which provide this protection,
can step down to the level of that $20 router.  Did you catch the name
difference there?  Firewall and router.  Not the same thing.  The only
protection you get from the router is the fact that you're doing NAT,
which reduces your exposure by some level.  There is no other protection
provided in the $20 router.

That said, I'm running SBS2003 behind mine, and the host file hacks work 
just fine.  Multiple websites, separate mail server, etc., all with no 
problem.  I'm sure that it is DNS configuration 99% of the time if it 
doesn't work.  Of course, with 2003 stuff, any network connectivity is 
99% DNS related it seems. :)
Melvin Backus
Principal Wizard
Sleepy Dragon Enterprises
Do not meddle in the affairs of dragons, for 
you are crunchy, and taste good with ketchup!
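The "host file hacks" Melvin refers to are split DNS: from the LAN, an internally hosted name must resolve to the server's LAN address rather than the firewall's public address, otherwise the client is sent out to the WAN side and the anti-spoofing rules drop it. Below is an added example (not code from this thread or from m0n0wall) that audits a list of names for exactly that condition and prints the hosts-file entries that would fix it; the public IP, LAN subnet and server addresses are constructed sample values.

```python
import ipaddress
import socket

# Constructed sample data (not from the thread): the firewall's public
# address and the LAN subnet that sits behind it.
PUBLIC_IPS = {"203.0.113.10"}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def classify(resolved_ip, public_ips=PUBLIC_IPS, lan_net=LAN_NET):
    """Say what a LAN client will experience when it opens a name."""
    addr = ipaddress.ip_address(resolved_ip)
    if addr in lan_net:
        return "split-dns-ok"       # client reaches the server directly
    if resolved_ip in public_ips:
        return "hairpin-required"   # client is sent to the WAN IP: fails
    return "external"               # genuinely hosted somewhere else


def audit(names, resolver=socket.gethostbyname, **kw):
    """Resolve each name as a LAN client would and return {name: (ip, verdict)}.

    `resolver` is injectable so the check can run offline against a
    constructed lookup table; by default it uses the system resolver.
    """
    report = {}
    for name in names:
        try:
            ip = resolver(name)
        except OSError as exc:
            report[name] = (None, f"unresolved: {exc}")
            continue
        report[name] = (ip, classify(ip, **kw))
    return report


def hosts_entries(report, internal_ips):
    """Build hosts-file lines for every name that currently needs hairpin NAT.

    `internal_ips` maps a name to the server's LAN address.
    """
    lines = []
    for name, (_ip, verdict) in sorted(report.items()):
        if verdict == "hairpin-required" and name in internal_ips:
            lines.append(f"{internal_ips[name]}\t{name}")
    return lines


if __name__ == "__main__":
    names = ["www.example.test", "mail.example.test"]
    for name, (ip, verdict) in audit(names).items():
        print(f"{name:25} {ip!s:16} {verdict}")
```

Run it from a LAN workstation; any name reported as "hairpin-required" is the one the 99% DNS explanation applies to, and the generated hosts lines (or the equivalent records on the internal DNS server) are the fix.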