On Wed, 2004-09-01 at 22:50, Payal Rathod wrote: > Hi, > I have a small webserver in DMZ at 10.10.10.3 where we load our designs. > I want to allow access to its port 80 only from local LAN (via. a squid > proxy on the gateway machine) and my client's office at 1.2.3.4. > Right now I can see it from all over the world, but I do want to restrict > the access. Remember that as now I want to continue accessing the DMZ machine > using its public IP and not just 10.10.10.3 IP even from inside the LAN. > What do I do in such case? > Thanks a lot for the help in advance. > With warm regards, > -Payal > p.s. is DMZ pronounced as DMZ or DMZee? I assume you have at least three interfaces in the firewall -- the public IF, the DMZee IF (to answer your last question) and the internal IF. As long as your internal clients resolve the web server name to the public address, all should work fine. You will need to DNAT the web server on both the public and internal interfaces and have a FORWARD chain rule that allows access from the internal network and 1.2.3.4. Oops! That's right -- you are using Squid and not just DNAT. I'm a bit rusty on Squid configuration but I would imagine you can use the same principle to make it work. Treat the inside network like an outside network for the web server. However, I would give two cautions. You may want to create a VPN to the client office if the designs are important. The transmission without the VPN will be in the clear. If the designs are important, I would not put this device on the same DMZ as public devices. If someone cracks one of the public devices, they may have free reign of any device on the DMZ from that compromised device. That means they can get your designs. Anything that is private and confidential should not be on the same network as something publicly exposed. Of course, this may be the only device on your DMZ in which case you are fine. Hope this helps - John -- John A. Sullivan III Chief Technology Officer Nexus Management +1 207-985-7880 john.sullivan@xxxxxxxxxxxxx --- If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net
