On Wed, 6 Jun 2001, Eric Stanley wrote:

> The way I'd do it is to change the first rule below so that the
> destination IP is the external IP on your firewall.  I think you know
> that you can't route traffic from the greater Internet to a
> non-routable address like 192.168.1.1 so accepting traffic for that
> address on your firewall is useless; it should never happen (barring
> spoofing or something like that).

OK, sure -- thanks.  What I get for doing it in the wee hours.

> You may also need to make sure your forward (and output) rules allow
> traffic to the web server.

Right now output is set for -P ACCEPT.  For the forward rules to allow web
traffic, would I want -j MASQ or -j ACCEPT?  From everywhere on port
80?  It's a little unclear where the forward rules end and the portfw
takes over.

> Finally, if you don't already have it, you'll also need a port forward
> command (ipmasqadm portfw) to forward traffic from port 80 on the
> external I/F of the firewall to port 80 on the internal web server.
> 
> Hope that helps,

Quite a bit -- what's not clear is where does the port forwarding take
place in the IPchain.  Or does it happen outside, and if so, when /
how.  I think it's not as much like an audio/video patch panel as they
lead one to believe, or am I just a little lost in the woods?

-- 
"To misattribute a quote is unforgivable." --Anonymous
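
[Editor's note: the rule set the thread is working toward, added here as an example; it is not part of the original messages. It assumes a 2.2 kernel with ipchains and ipmasqadm, and every address and interface name in it is a placeholder (eth0, 203.0.113.10 for the firewall's external address, 192.168.1.1 for the web server). The comments mark the ordering the thread is asking about: the input chain sees the packet while it is still addressed to the external IP, the portfw rewrite happens after that, and the forward chain is consulted with the internal server as destination.]

```shell
#!/bin/sh
# Added example (not from the thread): a minimal ipchains + ipmasqadm
# portfw rule set that forwards TCP/80 on a masquerading 2.2-kernel
# firewall to an internal web server. All addresses and the interface
# name are placeholders, not values from the original messages.
EXT_IF="${EXT_IF:-eth0}"                  # external interface (assumed)
EXT_IP="${EXT_IP:-203.0.113.10}"          # routable address on EXT_IF (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # masqueraded LAN (assumed)
WEB_IP="${WEB_IP:-192.168.1.1}"           # internal web server (assumed)
WEB_PORT="${WEB_PORT:-80}"

# With DRY_RUN set, print each command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

webfw_rules() {
    # Default-deny forwarding so only the rules below pass traffic.
    run ipchains -P forward DENY

    # input chain: at this point the packet is still addressed to the
    # firewall's external IP, so that is what the rule must match.
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$WEB_PORT" -j ACCEPT

    # forward chain: portfw has already rewritten the destination to the
    # internal server, so match WEB_IP here and ACCEPT. MASQ belongs only
    # on LAN-originated traffic; that rule also lets the server's replies
    # pick up the masquerade entry portfw created.
    run ipchains -A forward -p tcp -d "$WEB_IP" "$WEB_PORT" -j ACCEPT
    run ipchains -A forward -s "$LAN_NET" -j MASQ

    # The redirect itself: EXT_IP:80 -> WEB_IP:80.
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$WEB_PORT" -R "$WEB_IP" "$WEB_PORT"
}

# Self-check on the generated rule text: returns 0 when the input rule
# targets the external IP, the forward rule targets the web server, and
# the portfw entry links the two.
check_rules() {
    rules=$(DRY_RUN=1; webfw_rules)
    printf '%s\n' "$rules" | grep -q -- "-A input .* -d $EXT_IP $WEB_PORT -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -q -- "-A forward -p tcp -d $WEB_IP $WEB_PORT -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -q -- "portfw -a -P tcp -L $EXT_IP $WEB_PORT -R $WEB_IP $WEB_PORT" || return 1
}

case "${1:-}" in
    apply) webfw_rules ;;                 # run as root on the firewall
    show)  (DRY_RUN=1; webfw_rules) ;;    # only print the commands
esac
```

Invoke it with "show" to see the five commands without touching the kernel, or "apply" as root on the firewall. Note that the input rule accepts port 80 from any source, which is the intent for a public web server; nothing else is opened, and the forward policy is DENY so the only forwarded traffic is the web server's port and the LAN's outbound masqueraded connections.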