Re: dnatting

On Tue, Jul 12, 2005 at 09:21:43PM -0600, Donald Murray wrote:
> Because the destination server is on the same subnet, users on the inside
> could indeed connect directly to that machine. Alternatively this could be
> handled via DNS.
>
> However, if the destination server is inside a DMZ, the firewall needs to
> DNAT in PREROUTING and SNAT in POSTROUTING. The DNAT gets traffic to the
> DMZ, the SNAT allows it back. Something like:

No, it doesn't, if by "the destination server is inside a DMZ" you mean
the web server is on a different layer-3 subnet than the client, routed
through the firewall. You are applying the half-assed SNAT solution where
it's not even needed. This is worse than the SNAT for the OP's scenario;
at least there the SNAT serves to create some semblance of functionality.

NAT is the duct tape of networking; if you can route, route.

-j

--
"Peter: I'm going to microwave a bagel and have sex with it.
 Quagmire: Butter's in the fridge."
        --Family Guy
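The two layouts the thread argues about, written out as an added example (not from either poster): the same-subnet case where the POSTROUTING SNAT is what makes the hairpin work, and the routed-DMZ case where a PREROUTING DNAT alone is enough. All addresses are constructed placeholders, and `IPT` defaults to `echo iptables` so the script only prints the rules it would install.

```shell
#!/bin/sh
# Added example: the two NAT layouts discussed in the thread.
# Addresses are constructed placeholders; IPT defaults to "echo iptables"
# so running this only prints the rules instead of changing the kernel tables.
IPT="${IPT:-echo iptables}"

WAN_IP=203.0.113.10        # firewall's public address (constructed)
LAN_NET=192.168.1.0/24     # client subnet (constructed)
LAN_GW=192.168.1.1         # firewall's LAN address (constructed)
LAN_SERVER=192.168.1.80    # web server on the SAME subnet as the clients
DMZ_SERVER=10.0.0.80       # web server in a routed DMZ behind the firewall

# OP's scenario: client and server share a subnet. DNAT alone breaks because
# the server answers the client directly over the shared segment, the packet
# never passes the firewall, so the DNAT is never reversed and the client
# (expecting a reply from WAN_IP) discards it. SNAT to the firewall's LAN
# address forces the reply back through the firewall.
hairpin_rules() {
  $IPT -t nat -A PREROUTING -s "$LAN_NET" -d "$WAN_IP" -p tcp --dport 80 \
       -j DNAT --to-destination "$LAN_SERVER"
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$LAN_SERVER" -p tcp --dport 80 \
       -j SNAT --to-source "$LAN_GW"
}

# Routed DMZ: the server's only path back to LAN_NET is via the firewall,
# so conntrack reverses the DNAT on the reply by itself. No SNAT is needed;
# just make sure FORWARD permits the flow if its policy is DROP.
routed_rules() {
  $IPT -t nat -A PREROUTING -s "$LAN_NET" -d "$WAN_IP" -p tcp --dport 80 \
       -j DNAT --to-destination "$DMZ_SERVER"
  $IPT -A FORWARD -s "$LAN_NET" -d "$DMZ_SERVER" -p tcp --dport 80 -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

echo "# hairpin (same subnet):"; hairpin_rules
echo "# routed DMZ:";            routed_rules
```

Set `IPT=iptables` to apply the rules for real; note that the hairpin case also needs the client traffic to actually reach the firewall's WAN_IP, which is why the thread's advice is to route or fix DNS instead.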