On 9/29/05, Steve Yates <steve at teamits dot com> wrote:
> On Fri, 30 Sep 2005 09:30:35 +1000
> Mark Wass <mark dot wass at market dash analyst dot com> wrote:
>
> > I did not plan to, did I have to?
>
> I was hoping someone else would jump in, but it sounded to me
> like you were setting up firewall rules to permit or disallow traffic.
> However wouldn't you also need to route the traffic between WAN and OPT1
> somehow? Like with a static route?
>

That was my first question too, whether it was bridged, since you can't get to a bridged network from hosts on a NAT'ed interface. Won't be a problem since that isn't the case here.

Don't enter static routes for directly connected networks.

> If I have a web server on Opt1 that has a REAL IP of A.B.C.2/27 is this
> the correct rule to allow access to it from the WAN interface.
>
> Opt1 IP is in the same subnet as the server A.B.C.1/27
>
> Rule on the WAN interface
> Pass/Block  Proto  Source  Port  Destination  Port
> Pass        *      *       *     A.B.C.2      80
>

that's correct.

> Do I need any rules to allow access to this web server from the LAN
> subnet (192.168.1.0/24)?
>

Since the default LAN rule allows everything, unless you've changed that, you can access OPT from the LAN.

> As for Rules on the Opt1 Interface I was just planning on having this,
> is this correct?
>
> Rule on the Opt1 interface
> Pass/Block  Proto  Source  Port  Destination  Port
> Pass        *      *       *     *            *
>

to start with, yeah, that's good.

> This rule should allow all traffic originating from the Opt1 subnet out
> to any destination on any port, right? I could of course then restrict
> what traffic is sent out from this subnet, right?
>

right.

-Chris
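
The three rule sets discussed in this message, modelled as an added example that is not part of the original thread and is not the firewall's own code. It assumes rules are checked on the interface where a new connection arrives, first match wins, and anything unmatched is blocked; 203.0.113.0/27 is a constructed stand-in for A.B.C.0/27, and the source-restricted form of the default LAN rule is also an assumption.

```python
import ipaddress
from dataclasses import dataclass

ANY = "*"

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str = ANY
    src: str = ANY         # CIDR or "*"
    dst: str = ANY         # CIDR or "*"
    dport: object = ANY    # int or "*"

def _net_match(spec, addr):
    return spec == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, iface, proto, src, dst, dport):
    """Decide a NEW connection arriving on `iface` (replies ride on state)."""
    for r in rules.get(iface, []):
        if (r.proto in (ANY, proto) and _net_match(r.src, src)
                and _net_match(r.dst, dst) and r.dport in (ANY, dport)):
            return r.action      # first match wins
    return "block"               # assumed implicit default deny

WEB = "203.0.113.2"              # constructed stand-in for A.B.C.2
RULES = {
    "wan":  [Rule("pass", dst=WEB + "/32", dport=80)],   # rule from the thread
    "lan":  [Rule("pass", src="192.168.1.0/24")],        # assumed default LAN rule
    "opt1": [Rule("pass")],                              # "pass * * * * *"
}

def demo():
    # Constructed sample flows: (ingress iface, proto, src, dst, dst port)
    flows = [
        ("wan", "tcp", "198.51.100.7", WEB, 80),            # web from Internet
        ("wan", "tcp", "198.51.100.7", WEB, 22),            # other port on server
        ("wan", "tcp", "198.51.100.7", "203.0.113.3", 80),  # other OPT1 host
        ("lan", "tcp", "192.168.1.10", WEB, 443),           # LAN to OPT1
        ("opt1", "tcp", WEB, "198.51.100.7", 25),           # server to Internet
        ("opt1", "tcp", WEB, "192.168.1.10", 445),          # server to LAN
    ]
    return [evaluate(RULES, *f) for f in flows]

if __name__ == "__main__":
    print(demo())
```

The last flow is the one to tighten first when restricting OPT1: with the pass-all rule, the public web server can open connections into the LAN subnet.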