On Wed, 6 Jun 2001, Eric Stanley wrote:

> The way I'd do it is to change the first rule below so that the
> destination IP is the external IP on your firewall. I think you know
> that you can't route traffic from the greater Internet to a
> non-routable address like 192.168.1.1 so accepting traffic for that
> address on your firewall is useless; it should never happen (barring
> spoofing or something like that).

OK, sure -- thanks. What I get for doing it in the wee hours.

> You may also need to make sure your forward (and output) rules allow
> traffic to the web server.

Right now output is set for -P ACCEPT. For the forward rules to allow web traffic, would I want -j MASQ or -j ACCEPT? from everywhere on port 80? It's a little unclear where the forward rules end and the portfw takes over.

> Finally, if you don't already have it, you'll also need a port forward
> command (ipmasqadm portfw) to forward traffic from port 80 on the
> external I/F of the firewall to port 80 on the internal web server.
>
> Hope that helps,

Quite a bit -- what's not clear is where does the port forwarding take place in the IPchain. Or does it happen outside, and if so, when / how. I think it's not as much like an audio/video patch panel as they lead one to believe, or am I just a little lost in the woods?

--
"To misattribute a quote is unforgivable." --Anonymous