From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: dnatting
Date: Wed, 13 Jul 2005 00:48:48 -0400 [thread overview]
Message-ID: <20050713044848.GA22255@bender.817west.com> (raw)
In-Reply-To: <12984bb0050712202131980c46@mail.gmail.com>
On Tue, Jul 12, 2005 at 09:21:43PM -0600, Donald Murray wrote:
> Because the destination server is on the same subnet, users on the inside
> could indeed connect directly to that machine. Alternatively this could be
> handled via DNS.
>
>
> However, if the destination server is inside a DMZ, the firewall needs
> to DNAT in
> PREROUTING and SNAT in POSTROUTING. The DNAT gets traffic to
> the DMZ, the SNAT allows it back. Something like:
no--it doesn't. if by "the destination server is inside a DMZ" you mean
the web server is on a different layer3 subnet than the client, routed
through the firewall. you are applying the half-assed SNAT solution where
it's not even needed. this is worse than the SNAT for the OP's scenario;
at least there the SNAT serves to create some semblance of functionality.
NAT is the duct tape of networking; if you can route, route.
-j
--
"Peter: I'm going to microwave a bagel and have sex with it.
Quagmire: Butter's in the fridge."
--Family Guy
next prev parent reply other threads:[~2005-07-13 4:48 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-07-11 15:18 dnatting Payal Rathod
2005-07-11 15:20 ` dnatting Jan Engelhardt
2005-07-11 18:21 ` dnatting Payal Rathod
2005-07-11 18:38 ` dnatting /dev/rob0
2005-07-11 18:42 ` dnatting Jan Engelhardt
2005-07-11 15:24 ` dnatting Scott
2005-07-11 18:45 ` dnatting Jason Opperisano
2005-07-11 18:54 ` dnatting Jan Engelhardt
2005-07-13 3:21 ` dnatting Donald Murray
2005-07-13 4:48 ` Jason Opperisano [this message]
2005-07-14 15:42 ` dnatting curby .
2005-07-14 15:49 ` dnatting curby .
-- strict thread matches above, loose matches on Subject: below --
2005-07-11 19:09 dnatting Gary W. Smith
2005-07-12 7:34 ` dnatting Payal Rathod
2005-07-12 11:59 ` dnatting Jason Opperisano
2005-07-12 12:50 ` dnatting Payal Rathod
2005-07-12 21:03 ` dnatting Steven M Campbell
2005-07-12 14:05 dnatting Gary W. Smith
2005-07-12 23:19 dnatting Gary W. Smith
2005-07-13 10:39 ` dnatting Jan Engelhardt
2005-07-13 21:19 ` dnatting R. DuFresne
2005-07-13 14:50 ` dnatting Steven M Campbell
2005-07-13 16:33 ` dnatting Donald Murray
2005-07-13 16:39 ` dnatting Steven M Campbell
2005-07-13 16:28 dnatting Gary W. Smith
2005-07-13 16:40 ` dnatting Steven M Campbell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050713044848.GA22255@bender.817west.com \
--to=opie@817west.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.