pass only bind plus redirect web
From: Paul MacAvaney <paulmac2@aol.com>
Date: 08/23/02
Date: 23 Aug 2002 12:06:56 -0700
I have been trying to get this to work for a while on my bsd-based
firewall, and would appreciate any suggestions from someone who
has tried this before.
I want to basically shut down my external interface during times
of the day that people should not be using it. Since most of the
traffic is www, I want to redirect that stuff back to an internal
(apache) web server that explains why they are not seeing the real
page and (maybe) allows them to turn it back on again with the proper
password.
If I *really* shut down the interface, then external name resolution
breaks and the browsers get a generic "cannot find server or dns" error.
So I have been playing with ipnat maps and ipf filters to just let
bind through, but no luck. With ae1 the internal network and ae0
the external, I thought the nat conf should look like
map ae0 204.152.64.0/24 -> 209.67.50.59/32 portmap tcp/udp 10000:40000
rdr ae1 0.0.0.0/0 port 80 -> 204.152.64.100 port 80
and the ipf ruleset should block all inbound and outbound on ae0 except
# DNS is UDP port 53 (the rule as posted said 52)
pass out quick on ae0 proto udp from any to any port = 53 keep state
But no matter how I change it, I can't get it to work the way I want it to.
Is this the right approach? I have run out of ideas at the moment.
--
Thanks and Regards,
Paul MacAvaney
paulmac2@aol.com
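A complete ipnat/ipf pair for the "block everything on the outside except DNS, push web back to an internal page" setup described in the post. This is an added example, not the configuration from the original message; the interfaces (ae0 outside, ae1 inside), the internal network 204.152.64.0/24, the NAT address 209.67.50.59 and the internal web server 204.152.64.100 are taken from the post, everything else is an assumption.

```conf
# /etc/ipnat.conf  (load with: ipnat -CF -f /etc/ipnat.conf)
#
# Outbound NAT for the inside network, as in the original post.
map ae0 204.152.64.0/24 -> 209.67.50.59/32 portmap tcp/udp 10000:40000

# Redirect every HTTP request arriving on the inside interface to the
# internal "why is the net off" page. Matching on the inside interface
# means the request never reaches ae0, so the ae0 block rules below
# never see it. ipnat installs the reverse mapping for the replies.
rdr ae1 0.0.0.0/0 port 80 -> 204.152.64.100 port 80 tcp

# /etc/ipf.conf  (load with: ipf -Fa -f /etc/ipf.conf)
#
# ipf is last-match unless a rule says "quick", so the DNS pass rules
# must come before the block rules, or carry "quick" as they do here.
# "keep state" lets the DNS reply back in on ae0 without a separate
# inbound pass rule. The filter sees the inside (pre-NAT) addresses,
# so "from any" is used rather than the NAT address.
pass out quick on ae0 proto udp from any to any port = 53 keep state
# Resolvers fall back to TCP for answers larger than 512 bytes; allow
# that too or some lookups will still fail.
pass out quick on ae0 proto tcp from any to any port = 53 flags S keep state

# Everything else on the outside interface is dropped and logged.
block in log quick on ae0 all
block out log quick on ae0 all
```

Rules are only written for ae0, so traffic on ae1 and lo0 is passed by the default policy; if the firewall is built with a default-block policy, add explicit `pass in quick on ae1 all` and `pass out quick on ae1 all` rules. Because the rdr rule rewrites the destination, the internal web server will also see requests that were aimed at its own address; that is harmless here. A quick check from an inside host is `dig @<resolver> example.com` (should resolve) followed by a browser request to any external site (should land on 204.152.64.100).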