Hi Tom, hi list!
[...] We have a block of 16 IP addresses from the block of 256 available; we have x.x.x.49..63 all in its own subnet with an appropriate subnet mask to keep the broadcasts local. The ISP installed some type of dumb gateway on .49 to allow our outgoing traffic to reach the router on x.x.x.2 without being in the same subnet as that router, but all incoming traffic avoids the gateway on .49. All traceroutes for any of our 16 IPs route up to and including the x.2 router. I propose to place a firewall with its public interface on .50 and split the remaining IP addresses, x.51..63, into a disjoint network which I shall use as a DMZ. The DMZ is intended to run an HTTP server, POP, SMTP, a special demo server and another server running a VNC server. I propose to have the firewall route this traffic if it reaches the external interface for something in the DMZ.
One possible solution is to activate proxy-ARP on your firewall machine for the internal and external interface, and give both interfaces the same IP number, in your case x.x.x.50.

                router          firewall
              ----------      ------------
    ISP ----|.2      .49|----|.50      .50|-----DMZ
              ----------      ------------
                             eth1      eth0

The router will now "see" the hardware address of eth1 for all machines in the DMZ, and these will see the hardware address of eth0 both for x.x.x.50 and x.x.x.49. The firewall machine should route packets to x.x.x.49 over eth1 and all the rest over eth0. No changes are needed on the DMZ machines; they will only see one more hop in a traceroute.

Alternatively, you could use the "bridging toolkit", which currently is not included in the SuSE distributions (it's still under development). This would allow you to have a firewall without an IP address.

Hope this helps a bit.

Best wishes,
Nico van Eikema Hommes

--
Dr. N.J.R. van Eikema Hommes        Computer-Chemie-Centrum
hommes@chemie.uni-erlangen.de       Universitaet Erlangen-Nuernberg
Phone: +49-(0)9131-8526532          Naegelsbachstrasse 25
FAX:   +49-(0)9131-8526565          D-91052 Erlangen, Germany
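To make the proxy-ARP layout in Nico's reply concrete, here is a small model of it as an added example; it is not code from the thread and it is not a SuSE or Linux tool. It assumes the Linux proxy-ARP rule (an interface answers an ARP request only for targets it can reach through a different interface), uses 192.0.2.0/24 as a constructed stand-in for the redacted x.x.x.0/24 prefix, and uses made-up hardware addresses. The `deliver` function traces which link-layer address each sender ends up with, which is exactly the property the reply describes: the router sees eth1's address for every DMZ host, the DMZ hosts see eth0's address for both .49 and .50, and the firewall stays out of the way when the router talks to .49 directly.

```python
"""Model of a proxy-ARP firewall with one IP (.50) on both interfaces.

Added example, not from the mailing-list thread. All addresses are constructed:
192.0.2.0/24 replaces the redacted x.x.x.0/24, and the MACs are invented.
"""

PREFIX = "192.0.2."
ROUTER, GATEWAY, FIREWALL = PREFIX + "2", PREFIX + "49", PREFIX + "50"
DMZ_HOSTS = [PREFIX + str(n) for n in range(51, 64)]   # .51 .. .63

# Real hardware addresses of the other boxes, keyed by (segment, ip). The
# segments are named after the firewall interface attached to them.
OWNERS = {("eth1", ROUTER): "00:00:5e:00:53:02",
          ("eth1", GATEWAY): "00:00:5e:00:53:49"}
OWNERS.update({("eth0", h): "00:00:5e:00:53:%02x" % int(h.rsplit(".", 1)[1])
               for h in DMZ_HOSTS})


class ProxyArpFirewall:
    """Two interfaces, the same IP on both, proxy ARP enabled on both.

    `routes` maps a destination /32 to the interface it leaves on; anything
    else follows the default route towards the ISP gateway (.49) on eth1.
    """

    def __init__(self):
        self.ip = FIREWALL
        self.mac = {"eth1": "00:00:5e:00:53:a1",    # ISP-facing
                    "eth0": "00:00:5e:00:53:a0"}    # DMZ-facing
        self.proxy_arp = {"eth1": True, "eth0": True}
        self.routes = {GATEWAY: "eth1"}                      # .49 over eth1
        self.routes.update({h: "eth0" for h in DMZ_HOSTS})   # DMZ hosts over eth0
        self.default_iface = "eth1"

    def route(self, dst):
        """Outgoing interface for a destination address."""
        return self.routes.get(dst, self.default_iface)

    def arp_reply(self, iface, target):
        """MAC the firewall answers with on `iface`, or None if it stays quiet.

        Assumed Linux proxy-ARP behaviour: answer only when the target is
        reachable through a *different* interface than the request came in on,
        so the real owner on the same segment keeps answering for itself.
        """
        if target == self.ip:
            return self.mac[iface]
        if self.proxy_arp[iface] and self.route(target) != iface:
            return self.mac[iface]
        return None


def resolve(fw, iface, target):
    """ARP on one segment: a proxy reply from the firewall wins, otherwise the
    real owner of the address answers (None if nobody owns it there)."""
    return fw.arp_reply(iface, target) or OWNERS.get((iface, target))


def deliver(fw, in_iface, dst, sender_next_hop=None):
    """Trace a packet sent on segment `in_iface` towards `dst`.

    `sender_next_hop` is the address the sender itself ARPs for when `dst` is
    outside its subnet (a DMZ host uses .49). Returns the (segment, MAC)
    link-layer destinations used, i.e. what each sender's ARP cache holds.
    """
    hops = []
    first = resolve(fw, in_iface, sender_next_hop or dst)
    hops.append((in_iface, first))
    if first != fw.mac[in_iface] or dst == fw.ip:
        return hops                        # firewall not in the path
    out = fw.route(dst)                    # forwarded out the other side
    next_hop = dst if dst in fw.routes else GATEWAY
    hops.append((out, OWNERS[(out, next_hop)]))
    return hops


if __name__ == "__main__":
    fw = ProxyArpFirewall()
    print("router -> .51:", deliver(fw, "eth1", PREFIX + "51"))
    print(".51 -> router:", deliver(fw, "eth0", ROUTER, sender_next_hop=GATEWAY))
    print("router -> .49:", deliver(fw, "eth1", GATEWAY))
```

The two-entry traces are the extra hop the DMZ machines would notice in a traceroute; the single-entry trace for the router reaching .49 shows why the firewall must not proxy for addresses that live on the same segment the request arrived from.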