> It's not a matter of what I want or don't want, sorry; "want" was
> probably a poor choice of words on my part. I inherited this mess from
> someone else, recently, and I'm slowly working my way through all my
> systems, learning how they are working (or not). We don't currently have
> split-DNS (see my reply to the off-topic portion of this thread).
> Systems in the DMZ currently use real IP addresses, and can be accessed
> by their name in our external domain, from either the Internet or from
> our internal domain (a sub-domain of our external domain). I'm trying to
> replicate this with an iptables firewall, without having to eliminate
> our internal domain and completely redo our internal and external DNS
> in a split-DNS fashion, just to get the firewall to work. Should I go to
> split-DNS? From what I've read, and been told here, it would seem an
> excellent thing to do, but it's not something I can do overnight.
>
> I mentioned in another email that I could probably get two subnets from
> my ISP: one for my external network and one for my DMZ. Would this solve
> the problem until I can migrate to split-DNS and one-to-one NAT'ing of
> the DMZ systems?

It sounds like it would probably be less of a headache for you to get that
second public subnet from your ISP. That way, you're really only changing
the addressing on the DMZ, without also simultaneously introducing NAT,
split-DNS, etc. I don't particularly like changing multiple major things
all at once. You'll probably have enough to deal with just changing from
SonicWall to iptables, and whatever idiosyncrasies are involved with that.

-j
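As an added illustration of the design recommended above (a DMZ on its own routed public subnet, so hosts keep their real addresses, no NAT is applied to them, and no split-DNS is needed), here is an iptables forwarding ruleset for a three-interface firewall. This is example code written for this page, not a ruleset from either message in the thread. Interface names, the RFC 5737 documentation range 203.0.113.16/28 used for the DMZ, the private 10.0.0.0/24 used for the internal LAN, and the list of published DMZ ports are all assumptions; adjust them to the real topology. It assumes the ISP routes the DMZ subnet to the firewall's external address and that the DMZ hosts use the firewall's DMZ-side address as their default gateway.

```shell
#!/bin/sh
# Added example: iptables rules for a routed (un-NATed) DMZ on a second public subnet.
# Hypothetical names and addresses; override via the environment if needed.
EXT_IF=${EXT_IF:-eth0}                 # toward the ISP
DMZ_IF=${DMZ_IF:-eth1}                 # DMZ, carries the routed public subnet
INT_IF=${INT_IF:-eth2}                 # internal LAN
DMZ_NET=${DMZ_NET:-203.0.113.16/28}    # assumed DMZ public subnet (documentation range)
INT_NET=${INT_NET:-10.0.0.0/24}        # assumed internal LAN range
DMZ_TCP_PORTS=${DMZ_TCP_PORTS:-"25 53 80 443"}   # services published to the Internet
DMZ_UDP_PORTS=${DMZ_UDP_PORTS:-"53"}
IPT=${IPT:-iptables}                   # set IPT=echo to print the rules instead of applying them

# dmz_rules: default-deny FORWARD chain with explicit paths between the three zones.
# Every rule is issued through "$IPT", so nothing is applied when IPT=echo.
dmz_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies to already-accepted connections; anything conntrack cannot classify is dropped
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Anti-spoofing: packets arriving from the ISP must not claim our own addresses
    $IPT -A FORWARD -i "$EXT_IF" -s "$DMZ_NET" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP

    # Internet -> DMZ: only the published services, by the hosts' real addresses
    for p in $DMZ_TCP_PORTS; do
        $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_NET" -p tcp --dport "$p" \
             -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $DMZ_UDP_PORTS; do
        $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_NET" -p udp --dport "$p" -j ACCEPT
    done

    # Internal LAN -> DMZ: same public names and addresses as from outside, so no split-DNS
    $IPT -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -d "$DMZ_NET" -j ACCEPT

    # Internal LAN -> Internet
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT

    # DMZ hosts may never initiate connections into the internal LAN
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP

    # DMZ -> Internet (updates, outbound mail, DNS recursion, ...)
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_NET" -j ACCEPT

    # Log what falls through to the DROP policy, rate-limited
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# nat_rules: only the private internal LAN is masqueraded on the way out.
# DMZ traffic matches nothing here and leaves with its real source address.
nat_rules() {
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

# Apply only when explicitly asked (APPLY=yes); otherwise the functions are just defined.
if [ "${APPLY:-no}" = "yes" ]; then
    sysctl -w net.ipv4.ip_forward=1
    dmz_rules
    nat_rules
fi
```

Run `IPT=echo sh dmz.sh` style dry runs by calling `dmz_rules` with `IPT=echo` to review the generated commands, then `APPLY=yes sh dmz.sh` as root to load them. Because the DMZ subnet is routed rather than translated, the same A records serve both the Internet and the internal LAN; the one-to-one NAT and split-DNS migration mentioned in the thread can then be done later as a separate change.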