 
 From:  Alex Neuman van der Hans <alex at nkpanama dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NATed services
 Date:  Sun, 30 Oct 2005 14:17:54 -0500
It's a limitation of how NAT and IP itself works. The only way to do 
this would be to (insecurely) make all packets that come from inside the 
LAN appear to come from the NAT box itself. This happens regardless of 
platform (Linux, *BSD, so-called "hardware firewalls", etc.).

The only way to do this properly is either through the use of properly 
installed DMZs or an internal DNS (which can be a *caching* DNS server, 
which is always a good idea). If you have 50 machines you'd have to 
change the DNS for, it means you're not using DHCP, so it may be another 
reason for you to implement DHCP/internal DNS already.

And remember, this is not a *problem* with 
ipfilter/pf/iptables/ipchains/whatever, it's a *problem* with the way IP 
itself works, since NAT is a "workaround".


Claudio Castro wrote:

> I was reading that because of ipfilter it is not possible to access NATed 
> services by the public IP address from the LAN. THAT'S VERY SERIOUS! I 
> mean, I'm installing m0n0 to protect my internal NATed services... now 
> I realize that I can't do it... unless I use an internal DNS.
> Why is that happening? What's the problem with ipfilter?
> So... how are you dealing with this problem? Is anybody using NATed 
> services??? I don't want to use an internal DNS server, because I 
> would have to change the DNS server of every single host in my 
> LAN (about 50).
>
> Any recommendations? Should I use public IPs on my servers instead? I 
> don't know... I'll wait for your replies.
> I don't know about you, but I think this is a pretty serious problem. What 
> do you think?
>
>
> Thanks!
>
> Claudio C.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
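The exchange above describes the hairpin (LAN client -> public IP -> port-forwarded LAN server) case and the two ways around it. The following is an added model written for this page; it is not code from m0n0wall, ipfilter or either poster. It walks a single TCP SYN through a constructed NAT box with a port forward on :80 and checks whether the client's TCP stack would accept the reply, under three modes: the plain port forward, the "make it look like it came from the NAT box" source-NAT variant Alex calls insecure, and split (internal) DNS. All addresses, hostnames and the single port-forward rule are assumptions for the example.

```python
from dataclasses import dataclass, replace

# Constructed example addresses (RFC 5737 TEST-NET and RFC 1918); assumptions.
PUBLIC_IP = "203.0.113.10"    # NAT box WAN address
NAT_LAN_IP = "192.168.1.1"    # NAT box LAN address
SERVER_IP = "192.168.1.20"    # NATed web server
CLIENT_IP = "192.168.1.50"    # workstation on the same LAN
LAN_PREFIX = "192.168.1."

# Assumed inbound port forward: PUBLIC_IP:80 -> SERVER_IP:80
PORT_FORWARD = {(PUBLIC_IP, 80): (SERVER_IP, 80)}

# Two DNS views of the same name: the public zone, and an internal (split) zone.
PUBLIC_DNS = {"www.example.com": PUBLIC_IP}
INTERNAL_DNS = {"www.example.com": SERVER_IP}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


def nat_forward(pkt, reflect_snat):
    """NAT box, LAN -> WAN direction.

    Applies the port forward (DNAT). With reflect_snat=True it also rewrites
    the source of a LAN-originated hairpin packet to the box's own LAN address,
    which is the "appear to come from the NAT box itself" approach.
    Returns (translated packet, (original, translated)) so the reply can be
    un-translated, or (pkt, None) if no rule matched.
    """
    target = PORT_FORWARD.get((pkt.dst, pkt.dport))
    if target is None:
        return pkt, None
    out = replace(pkt, dst=target[0], dport=target[1])
    if reflect_snat and on_lan(pkt.src):
        out = replace(out, src=NAT_LAN_IP)
    return out, (pkt, out)


def server_reply(pkt):
    """The server answers whatever source it saw by swapping the 4-tuple."""
    return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)


def hairpin(mode):
    """Simulate a LAN client opening a TCP connection to www.example.com:80.

    mode: 'plain'     - port forward only, client uses the public IP
          'snat'      - port forward plus source NAT on reflected traffic
          'split_dns' - internal DNS hands the client the private IP
    Returns the client address the server saw, the source address on the
    reply that reaches the client, and whether the client's TCP stack would
    match that reply to the connection it opened.
    """
    dns = INTERNAL_DNS if mode == "split_dns" else PUBLIC_DNS
    syn = Packet(src=CLIENT_IP, dst=dns["www.example.com"], sport=40000, dport=80)

    if on_lan(syn.dst):
        # Same subnet: the packet never touches the NAT box at all.
        at_server = syn
        reply = server_reply(at_server)
    else:
        at_server, rev = nat_forward(syn, reflect_snat=(mode == "snat"))
        reply = server_reply(at_server)
        # The server routes its reply by destination. A reply addressed to
        # another LAN host goes straight to it and the NAT box never sees it,
        # so nothing un-translates the source. Only a reply addressed to the
        # box itself comes back through the box and gets both rewrites undone.
        if rev is not None and reply.dst == NAT_LAN_IP:
            orig, _translated = rev
            reply = Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)

    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == (
        syn.dst, syn.dport, syn.src, syn.sport)
    return {"server_sees": at_server.src, "reply_src": reply.src, "accepted": accepted}


if __name__ == "__main__":
    for m in ("plain", "snat", "split_dns"):
        print(m, hairpin(m))
```

In 'plain' mode the SYN-ACK arrives from 192.168.1.20 while the client is waiting on 203.0.113.10, so the client resets the connection; that is the symptom Claudio hit, and it is a property of routing on the LAN rather than of ipfilter. 'snat' makes the reply symmetric but the server now logs every LAN client as 192.168.1.1, which is the loss of source identity Alex flags as insecure. 'split_dns' never involves the NAT box and keeps the real client address, which is why an internal DNS (handed out via DHCP) is the usual fix.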