RE: [suse-security] Connecting firewall directly to router ...
> Sorry ... made a mistake there ... 130 should be 166

OK.

> > You can do either of two things to remedy the situation:
> > 1. Configure the firewall to perform proxy-arp on behalf of the public
> > servers. You do this on the firewall.
>
> This sounds like what I'm looking for, any idea on how I can do this?

Try:
1. man arp (see the options -D and -s)
2. http://www.linuxdoc.org/HOWTO/mini/Proxy-ARP-Subnet/

> > 2. Configure the firewall to be the router for the official subnet of the
> > public servers. This is performed on the router.

This would work like this (on the Cisco):

# conf t
(config)# ip route <IP of server1> 255.255.255.255 <IP of Linux-GW>
(config)# ip route <IP of server2> 255.255.255.255 <IP of Linux-GW>
...
(config)# end
# copy run start

HTH
Tobias

PS: I dislike either of these setups. If you've got separate subnets, you should have separate subnet addresses, IMHO. But the above should work nonetheless.
On Monday 03 December 2001 07:37, Reckhard, Tobias wrote:
> Try:
> 1. man arp (see the options -D and -s)
> 2. http://www.linuxdoc.org/HOWTO/mini/Proxy-ARP-Subnet/

If I'm using IPTABLES and I'm using the DNAT rules, why does the kernel not do the proxy-arp automatically? Surely what DNAT is trying to accomplish requires this, i.e. listening on a public IP and redirecting to a private IP.

> > 2. Configure the firewall to be the router for the official subnet of the
> > public servers. This is performed on the router.
>
> This would work like this (on the Cisco):
>
> # conf t
> (config)# ip route <IP of server1> 255.255.255.255 <IP of Linux-GW>
> (config)# ip route <IP of server2> 255.255.255.255 <IP of Linux-GW>
> ...
> (config)# end
> # copy run start
>
> HTH
> Tobias
>
> PS: I dislike either of these setups. If you've got separate subnets, you should have separate subnet addresses, IMHO. But the above should work nonetheless.

So you would have 66.8.45.161/28 on the router LAN interface and something else on the internet interface on the firewall? Does this mean that the internet interface on the firewall requires a public IP?

Ray
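The proxy-ARP option from the thread (option 1), written out as an added example that is not part of either message: the firewall publishes ARP entries for the public server addresses on its Internet-facing interface and DNATs them to the private hosts. The interface name, the public:private address pairs and the helper names are constructed for the example; run it as-is to preview the commands, or with APPLY=1 as root to execute them.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface and addresses are
# constructed sample values; override them via the environment.
EXT_IF="${EXT_IF:-eth0}"
# public:private pairs for the servers behind the firewall (constructed)
SERVERS="${SERVERS:-66.8.45.166:10.0.0.166 66.8.45.167:10.0.0.167}"

# run CMD...: execute when APPLY=1, otherwise just show the command line
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# proxy_arp_cmd IFACE PUBLIC_IP: arp(8) command that makes the firewall
# answer ARP requests for PUBLIC_IP on IFACE with IFACE's own MAC
# (-D: take the hardware address from the named interface, -s: static
# entry, pub: publish it on behalf of the host)
proxy_arp_cmd() {
  printf 'arp -i %s -Ds %s %s pub' "$1" "$2" "$1"
}

# dnat_cmd IFACE PUBLIC_IP PRIVATE_IP: rewrite inbound packets for the
# public address to the private server
dnat_cmd() {
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s' "$1" "$2" "$3"
}

# snat_cmd IFACE PUBLIC_IP PRIVATE_IP: connections the server opens itself
# leave with its public address (replies to DNATed connections are already
# reversed by connection tracking)
snat_cmd() {
  printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s' "$1" "$3" "$2"
}

run sysctl -w net.ipv4.ip_forward=1
for pair in $SERVERS; do
  pub="${pair%%:*}"
  priv="${pair##*:}"
  # The router treats the servers' subnet as directly connected and ARPs
  # for $pub on its LAN. Unless the firewall answers that ARP (this entry)
  # or the router holds a host route to the firewall (the Cisco alternative
  # in the thread), no frame for $pub ever reaches the DNAT rule below.
  run $(proxy_arp_cmd "$EXT_IF" "$pub")
  run $(dnat_cmd "$EXT_IF" "$pub" "$priv")
  run $(snat_cmd "$EXT_IF" "$pub" "$priv")
done
```

With the static host routes from Tobias's Cisco snippet in place instead, the proxy-ARP entries are unnecessary and only the NAT rules and ip_forward remain.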
participants (2)
-
Ray Leach
-
Reckhard, Tobias