[CentOS] firewall dilemma

Leonard Isham leonard.isham at gmail.com
Wed Nov 2 15:25:22 UTC 2005


On 11/2/05, JC <hiep at ee.ucr.edu> wrote:
> Hi everyone,
>
> I have this problem that I'm not sure what's the best solution for it.  I
> need your input & help...
>
> I have an internal network behind a hardware firewall.  All traffic goes
> through the firewall.  One of the firewall's rules is that it doesn't allow
> the internal network to access internal resources via traffic that travels
> outside and then comes back.  In other words, it drops all packets that
> originate from inside the network, travel outside, and then come back to
> access internal resources.
>
> For example: I have a web server (using internal IP 10.1.1.10) behind the
> firewall.  The internal network can access this web server with
> http://10.1.1.10, but they can't access http://www.mydomain.com.  Assume
> that I have a static IP (xxx.xxx.xxx.xxx) that maps to 10.1.1.10 and a DNS
> record www.mydomain.com that points to xxx.xxx.xxx.xxx.
>
> What I want is to allow users inside the network to be able to access
> http://www.mydomain.com instead of http://10.1.1.10
>
> Here is my question:
> should I change the rule of the firewall?  If so, is there a security
> risk?
>
> Is there any other solution for this?
>
> By the way, I don't have an internal DNS, I use my ISP DNS service.
>
> Thank you so much for your help,

Switch your view to a different angle.  In order of extensibility:

1. Create an internal DNS, with two DNS servers, and an external DNS
with different zone files. External resolves the external IP address,
and internal resolves the internal IP address.

2. "Hijack" www.mydomain.com by creating a zone of that name on the
internal DNS and giving it, the zone, the internal IP address.

3. "Hijack" www.mydomain.com by creating an entry in the local hosts
file with the internal IP address.

Pros/Cons

1. Most extensible but may be a fair amount of initial setup.  Normal
for large to very large companies.  Add/change/delete requests require
up to two changes each.

2. Requires internal DNS servers but only requires maintenance for
"hijacked" internal sites.

3. Requires every system to be touched and retouched for any maintenance.


--
Leonard Isham, CISSP
Ostendo non ostento.
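As an added illustration of option 2 above (not part of the original thread or of any CentOS package), here is what the "hijacked" zone looks like on a BIND 9 internal resolver. Constructed assumptions: the LAN is 10.1.1.0/24, the ISP resolver is written as the placeholder 203.0.113.53, and the web server's public address (the "xxx.xxx.xxx.xxx" of the mail) is written as the placeholder 203.0.113.10.

```conf
// /etc/named.conf on the internal DNS server (constructed example).
// Only LAN hosts may query it; it recurses to the ISP resolvers for
// everything it is not authoritative for.
acl "lan" { 10.1.1.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    allow-query     { lan; };
    allow-recursion { lan; };
    recursion yes;
    forwarders { 203.0.113.53; };   // placeholder: the ISP DNS service
};

// Option 2 from the reply: a zone named exactly "www.mydomain.com", so
// only that host name is overridden; mydomain.com itself and every
// other name under it are still resolved upstream, unchanged.
zone "www.mydomain.com" {
    type master;
    file "internal/db.www.mydomain.com";
};

// ---- /var/named/internal/db.www.mydomain.com (constructed) ----
; The zone apex IS www.mydomain.com, so the apex A record answers
; for the web server with its private address.
$TTL 3600
@   IN  SOA ns1.mydomain.com. hostmaster.mydomain.com. (
            2005110201 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL
    IN  NS  ns1.mydomain.com.
    IN  A   10.1.1.10   ; internal address, not the public 203.0.113.10
```

Once LAN clients are pointed at this server, `dig www.mydomain.com` from inside returns 10.1.1.10, while the public record served to the outside world is untouched and the firewall rule that drops hairpinned traffic can stay as it is.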