 
 From:  "Alex M" <radiussupport at lrcommunications dot net>
 To:  "'Sven Brill'" <madde at gmx dot net>, "Monowall Support List" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] why cant i foward PORTS to my radius server?
 Date:  Sun, 1 Oct 2006 00:51:28 -0400
>If you are set on not using a DNS server for this, put the web server on a
>different interface and create a DMZ - makes more sense, anyways

Well, the thing is I need it not for operations but rather for development!
I do too much network testing and development, so I need to see how my
environment would behave if I accessed it from the WAN. Like, I need to know
what ports are assigned for external use etc. When I had a D-Link router I was
using the WAN address internally to imitate the external access; with mono I
can't ... so I either have to make it work somehow or... there is no other
alternative.


-----Original Message-----
From: Sven Brill [mailto:madde at gmx dot net] 
Sent: Saturday, September 30, 2006 10:28 PM
To: Alex M
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] why cant i foward PORTS to my radius server?

Alex M wrote:
> Yes, sure, blocking everything is most secure but not always the right choice.
>
> Well OK, let's assume your solution? But what does DNS have to do with IP
> address?
> Also I would prefer if mono could have this functionality built in, and
> that if someone needs it like me, we can enable it...  so maybe there is a
> trick to make it happen with the mono box by itself?
>
It's not about "blocking everything" (even though that *is* a good 
thing), it's a limitation in ipfilter. The "trick" is to do it via DNS, 
if m0n0wall is your DNS server, otherwise, as the m0n0 docs state, it's 
not possible:

http://doc.m0n0.ch/handbook/faq-lannat.html

As I said (and the doc says), it's not exactly a m0n0wall issue, it's an 
ipfilter/ipnat issue, see here:

http://www.phildev.net/ipf/IPFprob.html#prob8

If you are set on not using a DNS server for this, put the web server on 
a different interface and create a DMZ - makes more sense, anyways, so 
your LAN has no entry point from the outside. That's how a network with 
externally available services and a LAN should be set up, regardless.


Sven
