Re: [m0n0wall] IP aliases on WAN interface

From:	Fred Weston <fred dot weston at daytonawan dot com>
To:	jftheroux at privalodc dot com
Cc:	m0n0wall at lists dot m0n0 dot ch
Subject:	Re: [m0n0wall] IP aliases on WAN interface
Date:	Mon, 15 Mar 2004 14:16:33 -0500

Jean-Francois Theroux wrote:

>Thing is, its a gateway behind a few webservers. So I can't direct port
>80 on a specific host. But if I can bind multiple public IPs on the WAN
>interface. That's what I need.
>
>On Mon, 2004-03-15 at 14:07, Fred Weston wrote:
>  
>
>>Jean-Francois Theroux wrote:
>>
>>    
>>
>>>Hi guys,
>>>
>>>	If i add public IPs in the Server NAT section. Does that mean all those
>>>IP will be binded to the WAN interface? 
>>>
>>>      
>>>
>>Yes.
>>
>>    
>>
>>>Would it be possible afterward
>>>to forward all traffic from one of those alias to a private IP behind?
>>>
>>> 
>>>
>>>      
>>>
>>If you mean like a DMZ host is treated on a Linksys router, then you 
>>could theoretically add a rule that would allow everything from that 
>>alias to the internal host, but it would be a better idea to physically 
>>situate that box on a DMZ, or use more discretion with your firewall 
>>rules instead of using the blanket approach with "allow everything".
>>
>>    
>>
>>>Cheers,
>>>      
>>>

I'm not sure I understand your layout exactly, but if you're saying that 
having multiple webservers is preventing you from relaxing your firewall 
rules for some reason, then why not throw apache on an old box and use 
it as a web proxy to your other web boxes?  That would require you to 
poke only one hole in your firewall, and you could proxy to the proper 
server from there based on host header or something.