[svlug] DNS behind a NAT firewall
alvin at planet.fef.com
Tue Jul 3 05:40:01 PDT 2001
hi ya steve
if you have dynamic ip# assigned to you when you.. you're up
the creek ( you're making things 100x harder to do )...
if you want your a.com and b.com and c.com to be visible
24x7.. you need static ip# ..
but then again, there's some new sw that's supposed to
be able to find the dynamic ip# of sites that come online
when the server is powered up on the dynamic dsl lines
- guess that's what makes colos useful... static ip# on 24x7
for dhcp dsl connections
- am assuming your "multi-lan" behind the firewalls means
that you have a DMZ and you have your local private lan
and the connection to the net .. ( the machine(fw) has 3 nics ?? )
- if it's not... it should be configured that way...
- to run your domain "system.dsl.com" requires you to register
your domain name ... ( primary and secondary dns that is
on a dns server that is available 24x7...
- whether you should run local dns for your private lan
is another separate issue ( imho, you should )
- if you don't have a domain name registered yet.. all this is
- if you want to create www.a.com and www.b.com and www.c.com
on your dhcp based dynamic ip# dsl....
- give it up !! ( with all seriousness )
- or dig and play with the new dynamic ip# for 24x7 servers
and have lots of coke/coffee and lots of books and time
easiest/trivial solutions are..
- get static ip# based dsl
- or get a colo to host your servers
each domain is about an hour's worth of setup work to get working...
- you only need one box for ALL your domains, a.com, b.com, c.com
depending on load and what you are trying to do...
- you could ( much easier ) forward all incoming connections
for a.com to go to machine_a..... and all incoming connections to b.com
to go to machine_b...
- even better....
forward all web for all domains to the webserver
and forward all smtp for all domains to the mail server
and forward all foo traffic for all domains to the foo server
- configuring your NAT and firewall is not a project for the inexperienced
unless one enjoys learning and lots of hair pulling and cussing and
- if for a client/customer... get them to get static ip# dsl lines
if they don't want a t1/t3...
- this can be a fun project to do.. but...
- yup... i donno what it is you are trying to do... so am just rambling
and adding to robert and JC's comments ... it's 5:30am... am goofing off...
have fun linuxing
> Robert Hajime Lanning wrote:
> You don't point DNS to the hidden address behind the firewall.
> You have one (1) address that others can see. No-one outside of the
> firewall can see the internal addresses.
> So what you have to do is provide http, smtp and/or ftp services to
> the internet via proxying or port forwarding.
> Basically you have the firewall take an incoming connection and forward
> it to an internal machine. You can only have one service per port
> and each port can only be pointed to one machine (unless you just want
> to load share across similarly configured machines.)
> So if you wanted to do http to machine A behind the firewall you can
> set up port 80 (the http port) to forward to port 80 of machine A. If
> you want to also access machine B via http, then you would have to
> set up another port (eg. 81) to forward to port 80 of machine B.
> Then to get to machine B you would use "http://external.domain:81/".
> Since you have only one address, the only way to do multiple domains
> is to do what is called "virtual hosting".
> For HTTP (web), virtual hosting is fairly simple. The apache webserver
> has this capability standard.
> For SMTP (email), you have to configure your message transport agent (MTA)
> to accept email for multiple domains. (This is usually a sendmail
> configuration change.)
> For FTP, you just have multiple subdirectories.
> ---- As written by Steve Hill:
> > I am running a multi-unit LAN behind a firewall, connected to a "single"
> > static IP address issued by my DSL provider. I am having a "thinko"
> > trying to figure out how I can name a unit behind the firewall, such
> > that it can be seen by the internet. i.e., how do I get a name like
> > system.dsl.com or how do I link my domainname to my IP address? I don't
> > need a cookie-cutter solution, but I need a couple of pointers that I
> > can follow to solve my problem.
> > Ultimately, I'd like to maintain my own mail and web servers behind the
> > firewall.
> > Thanks,
> > Steve
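As an added illustration of the port-forwarding setup described in this thread (not code from any of the posters): a Linux firewall box with one public address forwarding web, smtp and a second web box on port 81 to machines on the private LAN, the "one service per port, one machine per port" arrangement Robert describes. It assumes iptables on a 2.4 kernel; the interface name and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables DNAT rules for one
# public address in front of several internal servers. Every name and
# address here is a constructed placeholder; adjust before use.
EXT_IF="eth0"              # NIC facing the DSL modem (assumption)
PUBLIC_IP="203.0.113.10"   # the single static address from the DSL provider
WEB_HOST="192.168.1.10"    # one apache box doing virtual hosting for a.com, b.com, c.com
MAIL_HOST="192.168.1.11"   # the MTA accepting mail for all three domains
MACHINE_B="192.168.1.12"   # a second web box reached as http://external.domain:81/

# One DNAT rule: traffic arriving on EXT_IF for PUBLIC_IP:$1 goes to $2:$3.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$EXT_IF" "$PUBLIC_IP" "$1" "$2" "$3"
}

# Matching FORWARD rule so the filter table lets the forwarded connection through.
forward_rule() {
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
        "$EXT_IF" "$1" "$2"
}

# Print the whole rule set. It is printed rather than applied so it can be
# reviewed first; as root, "nat_rules | sh" applies it.
nat_rules() {
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    dnat_rule 80 "$WEB_HOST" 80;   forward_rule "$WEB_HOST" 80     # all web, all domains
    dnat_rule 25 "$MAIL_HOST" 25;  forward_rule "$MAIL_HOST" 25    # all smtp, all domains
    dnat_rule 81 "$MACHINE_B" 80;  forward_rule "$MACHINE_B" 80    # port 81 -> machine B port 80
    # Hosts on the private LAN leave through the one public address.
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$EXT_IF" "$PUBLIC_IP"
}

# How many internal targets an external port is forwarded to. Robert's
# point is that this must be exactly 1 for every forwarded port.
targets_for_port() {
    nat_rules | grep -c -- "--dport $1 -j DNAT"
}

nat_rules
```

Name-based virtual hosting on WEB_HOST and multi-domain mail on MAIL_HOST are configured on those boxes themselves; the firewall only needs the rules above.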