On Tue, Jul 12, 2005 at 09:21:43PM -0600, Donald Murray wrote:
> Because the destination server is on the same subnet, users on the inside
> could indeed connect directly to that machine. Alternatively this could be
> handled via DNS.
>
> However, if the destination server is inside a DMZ, the firewall needs
> to DNAT in PREROUTING and SNAT in POSTROUTING. The DNAT gets traffic to
> the DMZ, the SNAT allows it back. Something like:

No--it doesn't. If by "the destination server is inside a DMZ" you mean the web server is on a different layer-3 subnet than the client, routed through the firewall, then you are applying the half-assed SNAT solution where it's not even needed. This is worse than the SNAT for the OP's scenario; at least there the SNAT serves to create some semblance of functionality.

NAT is the duct tape of networking; if you can route, route.

-j

--
"Peter: I'm going to microwave a bagel and have sex with it.
Quagmire: Butter's in the fridge."
--Family Guy
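The two rule layouts the exchange contrasts, written out as an added example that is not part of the original thread or of anyone's posted rules: a DMZ server on its own routed subnet needs only the PREROUTING DNAT, because the server's replies must cross the firewall anyway and conntrack reverses the translation there; the same-subnet case the OP had is the one where a POSTROUTING SNAT (hairpin) is unavoidable, because otherwise the server answers the client directly with an untranslated source address and the client drops the SYN-ACK. All addresses (203.0.113.10 as the firewall's public IP, 10.0.2.80 in a routed DMZ, 192.168.1.0/24 as the LAN with the firewall at 192.168.1.1 and the hairpin target at 192.168.1.80) and the `APPLY`/`IPT` variables are assumptions for illustration. Rules are echoed rather than applied unless `APPLY=1`, so the script runs without root.

```shell
#!/bin/sh
# Added example, not from the original mailing-list message. Addresses are
# assumed for illustration (see the lead-in). With APPLY=1 the rules are
# handed to iptables (needs root and net.ipv4.ip_forward=1 on the firewall);
# otherwise they are only printed.

IPT=${IPT:-iptables}

run() {
  if [ "${APPLY:-0}" = 1 ]; then
    "$IPT" "$@"
  else
    echo "$IPT $*"
  fi
}

# Case 1: client (192.168.1.0/24) and web server (10.0.2.80) are on different
# layer-3 subnets, both routed through the firewall. DNAT alone is enough:
# the server's reply to 192.168.1.x has to pass the firewall to get back to
# the LAN, and conntrack rewrites the source back to 203.0.113.10 there.
dmz_routed() {
  run -t nat -A PREROUTING -d 203.0.113.10 -p tcp --dport 80 \
      -j DNAT --to-destination 10.0.2.80
  run -A FORWARD -d 10.0.2.80 -p tcp --dport 80 \
      -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  run -A FORWARD -s 10.0.2.80 -p tcp --sport 80 \
      -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Case 2 (the OP's scenario): client and server share 192.168.1.0/24. After
# the DNAT the server would answer the client directly, from 192.168.1.80,
# while the client expects a reply from 203.0.113.10; the SYN-ACK is dropped.
# SNAT to the firewall's LAN address forces the reply back through the
# firewall so conntrack can undo both translations. This is the "duct tape":
# it works, but the server no longer sees real client addresses in its logs.
lan_hairpin() {
  run -t nat -A PREROUTING -s 192.168.1.0/24 -d 203.0.113.10 -p tcp --dport 80 \
      -j DNAT --to-destination 192.168.1.80
  run -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.80 -p tcp --dport 80 \
      -j SNAT --to-source 192.168.1.1
}

# Count SNAT rules a layout emits; 0 means the layout gets by on routing.
snat_rules() {
  "$1" | grep -c -- '-j SNAT' || true
}

echo "# routed DMZ: DNAT only"
dmz_routed
echo
echo "# same-subnet hairpin: DNAT plus SNAT"
lan_hairpin
```

In the routed case the only thing the SNAT would buy you is hiding the client address from the server, which is exactly what the message objects to; if the DMZ is reachable by routing, let the routing table do the work and keep the nat table to the single DNAT.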