Mailinglist Archive: opensuse-security (670 mails)
Re: [suse-security] Connecting firewall directly to router ...
- From: Ray Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Nov 2001 14:00:32 +0200
- Message-id: <20011130115828.1EFD6E6411@xxxxxxxxxxxx>
Sorry ... made a mistake there ... 130 should be 166
On Friday 30 November 2001 13:31, Reckhard, Tobias wrote:
> > This is the setup:
> >
> > Internet <-> Router <-> Firewall <- DNAT -> DMZ
> >
> > The DMZ can browse the network via a proxy on the firewall.
> > The internet cannot browse the DMZ (this is what I'm trying to fix)
> >
> > It seems that the router is sending ARP requests to the firewall network,
> > but does not get any responses. These would be arp requests for the DNATed
> > DMZ servers. For example: I want to access a machine in the DMZ with a
> > private IP of 192.168.1.5 and a public IP of 196.34.3.130 from the
> > internet. I can see (using tcpdump) that the router is sending arp requests
> > for the public IP onto the firewall network, but doesn't get any responses.
>
> Ahhhh, different game altogether. The firewall and the router get along
> just fine, it's just that the router doesn't know how to get to the DMZ.
>
> Your router's IP configuration doesn't seem to be correct after all. If
> it's sending ARP requests for 196.34.3.130 to the firewall network, which
> is confined to 196.34.3.160..175.
>
> You can do either of two things to remedy the situation:
> 1. Configure the firewall to perform proxy-arp on behalf of the public
> servers. You do this on the firewall.
This sounds like what I'm looking for; any idea on how I can do this?
> 2. Configure the firewall to be the router for the official subnet of the
> public servers. This is performed on the router.
>
> HTH
> Tobias