Firewall Wizards mailing list archives

Re: Non-NAT Firewall


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Fri, 11 Nov 2005 01:25:52 +0530

On 06/11/05 18:28 -0600, Nathaniel Hall wrote:
Alright, this is a bit tough to explain, so I will try my best.

I am currently running a CheckPoint-NG firewall with three interfaces. 
Interface 1 goes to DMZ 1 (public IP addressing and Internet facing),
interface 2 goes to DMZ 2 (public IP addressing) and interface 3 goes to
the internal network (private IP addressing).  The CheckPoint FW does
not perform NAT.  That allows me to review logs of servers in DMZ 1
without having to figure out what internal IP was NATed.

Now, for my problem.  I would like to be able to have the same
functionality using NetFilter, but I have not been able to figure out
how to do this without masquerading or using DNAT and SNAT.  Any ideas?

If you have IP forwarding enabled, and appropriate interface IP
addresses and routes set at both ends, you should be fine. Note that IP
forwarding is disabled by default.

You may want to check with tcpdump what is actually happening on the
interfaces. Debug traffic one interface at a time. You will see traffic
which would be blocked by the forwarding rules on the accepting
interface, so no need to worry about that.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
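The setup the reply describes (IP forwarding plus plain routing, filtering done in the FORWARD chain and no nat table at all) as an added example in POSIX shell; this is not code from the post or its author. Interface names (eth0/eth1/eth2) and the subnets are assumptions chosen for illustration. Setting IPT to "echo iptables" prints the rules instead of applying them, so the policy can be reviewed before it is loaded on a real box.

```shell
#!/bin/sh
# Added example: three-interface NetFilter forwarder with no NAT.
# Packets keep their original source and destination addresses, so the
# DMZ server logs show the real internal IP, as in the CheckPoint setup.
# Interface names and subnets below are assumptions, not from the post.
WAN_IF="${WAN_IF:-eth0}"            # DMZ 1, public addressing, Internet facing
DMZ2_IF="${DMZ2_IF:-eth1}"          # DMZ 2, public addressing
LAN_IF="${LAN_IF:-eth2}"            # internal network, private addressing
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # constructed example private range
DMZ2_NET="${DMZ2_NET:-192.0.2.0/24}"  # constructed example (TEST-NET-1) range

# Command used to load rules. Set IPT="echo iptables" for a dry run.
IPT="${IPT:-iptables}"

# IP forwarding is off by default on Linux; nothing crosses the box until
# it is turned on. Returns 0 when the kernel is currently forwarding IPv4.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Enable forwarding for the running kernel (persist it in sysctl.conf too).
enable_ip_forward() {
    sysctl -w net.ipv4.ip_forward=1
}

# Filtering policy for routed traffic. Only the filter table is touched:
# no MASQUERADE, SNAT or DNAT anywhere, so addresses are never rewritten.
forward_rules() {
    $IPT -P FORWARD DROP
    # allow replies for connections already permitted in either direction
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # anti-spoofing: only the private range may arrive on the internal interface
    $IPT -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
    # internal hosts may open connections to both DMZs (tighten to needed ports)
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ2_IF" -m conntrack --ctstate NEW -j ACCEPT
    # Internet may reach DMZ 2 only on HTTPS
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ2_IF" -d "$DMZ2_NET" -p tcp --dport 443 \
        -m conntrack --ctstate NEW -j ACCEPT
    # record what the DROP policy is about to discard, rate limited
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Debug one interface at a time, as the reply suggests: traffic seen here
# may still be dropped later by the FORWARD rules, which is expected.
capture_iface() {
    tcpdump -ni "$1" -c "${2:-50}"
}

# Number of FORWARD rules the policy emits (useful for a dry-run sanity check).
count_forward_rules() {
    IPT="echo iptables" forward_rules | grep -c '^iptables -A FORWARD'
}

# Apply for real only when invoked as: sh forwarder.sh apply
case "${1:-}" in
    apply)
        ip_forward_enabled || enable_ip_forward
        forward_rules
        ;;
esac
```

The "routes set at both ends" part of the reply still applies: DMZ hosts need a route for the private range pointing at the firewall's DMZ-side address, or their replies to internal clients go to their default gateway instead. Without NAT the private addresses are also not reachable from or usable on the Internet, so any Internet access for internal hosts has to go through a proxy or relay in one of the DMZs, which is the trade-off the original CheckPoint setup already accepts.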

