[CentOS] firewall dilemma

Aleksandar Milivojevic alex at milivojevic.org
Wed Nov 2 17:21:43 UTC 2005

Quoting JC <hiep at ee.ucr.edu>:

> For example: I have web server (used internal ip behind 
> the firewall, internal network can access this web server with 
>, but they can't access http://www.mydomain.com.  
> Assume that I have static IP (xxx.xxx.xxx.xxx) maps to and 
> dns record www.mydomain.com points to xxx.xxx.xxx.xxx
> What I want is to allow users inside the network be able to access 
> http://www.mydomain.com instead of
> Here is my question:
> should I change the rule of the firewall?  If so, is there a security risk?
> Is there any other solution for this?
> By the way, I don't have an internal DNS, I use my ISP DNS service.

Couple of ways to do it.

Configure your firewall to allow access from internal network to your external
addresses.  This would be the obvious solution.

If you have full controll of external DNS (and you can trust it), you 
can setup
different views for mydomain.com.  For external queries, it would return
external IP addresses.  For queries originating from internal network, 
it would
return internal IP addresses.

The other way to do it is to setup internal DNS, don't use ISP's DNS.  
internal DNS as if it was authoritative for mydomain.com, and copy the
configuration from the external DNS and change external IP addresses to
internal IP addresses.  External queries would hit external DNS server which
returns external addresses.  Internal queries would hit internal DNS server
which returns internal IP addresses for your domain.  This also has 
added bonus
that you would save a bit of bandwith since your internal DNS server 
would also
automatically cache lookups for external domains too (so if two users query A
records for www.google.ca, only the first one is checked outside, while the
second is returned from cache).

This message was sent using IMP, the Internet Messaging Program.

More information about the CentOS mailing list