Mailinglist Archive: opensuse-security (520 mails)
Re: [suse-security] Firewall On CD & Routing.
- From: "Tom Crowe" <tom@xxxxxxxxxxxxx>
- Date: Thu, 4 Jul 2002 14:27:07 +0100
- Message-id: <001901c2235e$7ef52c10$aab202d4@dindang>
Hi all,
> One possible solution is to activate proxy-ARP on your firewall machine
> for the internal and external interface, and give both interfaces the
> same IP number, in your case x.x.x.50.
>
>            router               firewall
>         ----------           ------------
> ISP ----|.2     .49|-------|.50      .50|-----DMZ
>         ----------           ------------
>                            eth1        eth0
>
> The router will now "see" the hardware address of eth1 for all machines
> in the DMZ, and these will see the hardware address of eth0 both for
> x.x.x.50 and x.x.x.49. The firewall machine should route packets to
> x.x.x.49 over eth1 and all the rest over eth0. No changes are needed on
> the DMZ machines, they will only see one more hop in a traceroute.
OK, this is a solution; I also received a NAT solution off-list which
would eliminate the need for using public IPs in the DMZ, and thanks
for both of these.
I guess what I am really asking is not whether there is a solution to avoid
routing, but how it is done in the real world. What is the proper way
to do it? If I do one of the above, am I implementing a hack to get
around an ISP restriction, or should it be done using routing, or is
this the way everyone does it?
TIA,
Tom
tom@xxxxxxxxxxxxx
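The proxy-ARP layout quoted above, written out as the Linux commands a firewall admin would run (an added example, not from the original poster or the list): the placeholder subnet 192.0.2.0/26, router .49 and firewall .50 on both eth1 (router side) and eth0 (DMZ side) are assumptions, and DRY_RUN=1 only prints the commands so the script can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example: proxy-ARP firewall with the same address on both interfaces.
# Assumed values (not from the mail): 192.0.2.0/26 stands in for x.x.x.0,
# eth1 faces the ISP router, eth0 faces the DMZ.
set -eu

EXT_IF=${EXT_IF:-eth1}
DMZ_IF=${DMZ_IF:-eth0}
FW_IP=${FW_IP:-192.0.2.50}
ROUTER_IP=${ROUTER_IP:-192.0.2.49}
SUBNET=${SUBNET:-192.0.2.0/26}
DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

proxy_arp_setup() {
    # The same host address on both interfaces; the routing table, not the
    # address, decides which side a packet leaves on.
    run ip addr add "$FW_IP/32" dev "$EXT_IF"
    run ip addr add "$FW_IP/32" dev "$DMZ_IF"
    # Host route for the router over eth1, the rest of the subnet over eth0,
    # and the default route back out through the router.
    run ip route add "$ROUTER_IP/32" dev "$EXT_IF"
    run ip route add "$SUBNET" dev "$DMZ_IF"
    run ip route add default via "$ROUTER_IP" dev "$EXT_IF"
    # Forwarding must be on, and proxy ARP on both sides so the router
    # learns eth1's MAC for DMZ hosts and the DMZ learns eth0's MAC for .49.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$EXT_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"
}

proxy_arp_verify() {
    # Returns 0 only when forwarding and proxy ARP are active on both sides.
    for f in /proc/sys/net/ipv4/ip_forward \
             "/proc/sys/net/ipv4/conf/$EXT_IF/proxy_arp" \
             "/proc/sys/net/ipv4/conf/$DMZ_IF/proxy_arp"; do
        [ "$(cat "$f" 2>/dev/null)" = 1 ] || { echo "not set: $f" >&2; return 1; }
    done
}
```

Packet filtering on the firewall is a separate step; proxy ARP only makes the box transparent at layer 2, it does not restrict anything by itself.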