I would like to use an rfc-1597 (reserved private) network internally,
with only my intended-to-be-externally-visible hosts using addresses
not on the private network. However, my user community needs to be
able to do things like ftp and telnet from their desks.
Ideally, I want a proxy server that handles all dns queries for
external names by allocating a temporary address from the internal
network, configuring a virtual interface to that address, and
returning the synthetic address to the requestor. Then, the internal
host connects to this virtual interface, and a proxy starts up that
connects to the real host out on the Internet.
Obviously, this requires some fancy footwork on the part of the DNS
server running on the proxy host, as well as some intelligence on the
part of the proxy servers. The latter is relatively easy -- just have
the DNS server provide the correct name for a reverse lookup, and then
query an external server for the real address (other possibilities
exist, that's just the easiest to describe).
The problem I have is the dynamic allocation of addresses, remembering
which ones have been allocated, playing with virtual interfaces, and
all the cruft that's going to have to go with it. Conceptually, I
know exactly what I want. I even know that it's been done. What I
don't know is if there's a version of all this available without
spending $10,000 to get it. I want to keep my network as secure as
possible, but we're not exactly an organization flush with money
(we're all-volunteer, no funding other than what people feel like
donating).
I've tried searching through the archives, because I know this has
been discussed before, but I can't find it.
Suggestions?
Dworkin
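As an added illustration (not the poster's code, nor any product mentioned above), this Python sketch covers the part the post calls the hard one: handing out synthetic addresses from a reserved private block, remembering them, expiring them, and mapping a synthetic address back to the external name so the proxy knows where to connect. The pool CIDR, lease TTL and host names are constructed assumptions; configuring the virtual interface and the actual forwarding are left out.

```python
"""Address-pool bookkeeping for a DNS-proxy/application-gateway design:
external names get a temporary address from a private pool, the mapping is
remembered, and the proxy later reverses it. Assumed pool and TTL values."""
import ipaddress
import time


class SyntheticAddressPool:
    """Hands out private addresses for external names and remembers them.

    Assumptions (this example's, not the poster's): the pool is a dedicated
    private subnet reserved only for synthetic addresses, and each lease
    expires after `ttl` seconds without renewal so the pool recycles.
    """

    def __init__(self, cidr, ttl=300, clock=time.monotonic):
        self.free = [str(a) for a in ipaddress.ip_network(cidr).hosts()]
        self.ttl, self.clock = ttl, clock
        self.by_name = {}   # external name -> (synthetic addr, expiry time)
        self.by_addr = {}   # synthetic addr -> external name

    def _expire(self):
        now = self.clock()
        for name, (addr, exp) in list(self.by_name.items()):
            if exp <= now:          # lease ran out: return address to pool
                del self.by_name[name]
                del self.by_addr[addr]
                self.free.append(addr)

    def resolve(self, name):
        """Synthetic A-record answer for an external name (None if pool empty)."""
        self._expire()
        name = name.lower().rstrip(".")
        if name in self.by_name:    # renew and reuse the existing lease
            addr, _ = self.by_name[name]
        elif self.free:
            addr = self.free.pop(0)
        else:
            return None             # pool exhausted: answer SERVFAIL, do not guess
        self.by_name[name] = (addr, self.clock() + self.ttl)
        self.by_addr[addr] = name
        return addr

    def real_target(self, synthetic_addr):
        """Reverse lookup used by the proxy when an internal host connects."""
        self._expire()
        return self.by_addr.get(synthetic_addr)
```

A real gateway would call `resolve()` from the DNS front end and `real_target()` from the connection accept path, then query an external resolver for the genuine address before opening the outbound connection.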