Robert Moskowitz <rgm at htt-consult.com> wrote:
> I suspect not. When I installed this system I turned off
> the Linux firewall feature.

I think if you allow everything in by default, you're okay. My comments on the "state" setting were if you were dropping packets by default.

> First off, let me introduce myself. Go take a look at RFC
> 1918 and look for the name 'Moskowitz'. Also RFCs 2401 -
> 2412. Yeah, I am the one that set up the 'environment' to
> make NATs a fact of life.

Okay, I know where you're coming from. BTW, I like to refer to it as DNAT, SNAT -- collectively as NAT+PAT -- so as to differentiate from 1:1 NAT (no PAT). But that's just me being anal.

> Well actually ROAD imploded and we were left with no
> real alternative...
>
> No I have public addresses. So one interface is in
> 65.84.78/24 and the other is set up as 192.168.192.0/28
> But I will be putting a NAT behind it!

Hmmm, in a corporate environment, I still try to avoid NAT+PAT, and set up my routers to route between networks. But since the address schemes aren't contiguous, one NAT+PAT between a public and private is not bad.

Now 1:1 NAT, I have no problem with on a corporate network. That's completely different, and should be considered a better option if possible. But I leave it to you.

> You see, I want to replicate one of my production networks,
> maintaining the IP address scheme, and still allow the servers
> to get updates through the double NATing.

Then consider 1:1 NAT instead -- then you have a 1:1 relationship of servers, you can route directly, etc...

> I quite know what I am doing on Network Architecture. But
> I am an architect/researcher, and have not spent the time
> learning my Unix stuff. In fact I have forgotten most of what
> I knew back in '93 when I was supporting SUN/386 stuff.

Again, I can appreciate where you are coming from. One of my 6-month consulting gigs was working on the 2nd largest private network in the US. I could tell rather quickly when people were either using "default routes" or putting in "NAT+PAT" devices on our network.

[ I'm sure some of my critics will now use that last paragraph against me yet again -- even though, yet again, I wasn't the person who stated any credentials first. ]

--
Bryan J. Smith b.j.smith at ieee.org http://thebs413.blogspot.com
---------------------------------------------------------------
"On the basis of the American view, which may be right, the success of the Iraqi political experiment is bound to provide a model to be emulated in Syria and in the various countries neighbouring Iraq" -- Nur-Al-Din, Al-Safir (Lebanon Periodical)