RE: [suse-security] Connecting firewall directly to router ...
On Monday 03 December 2001 07:37, Reckhard, Tobias wrote:
Try: 1. man arp (see the options -D and -s) 2. http://www.linuxdoc.org/HOWTO/mini/Proxy-ARP-Subnet/
If I'm using IPTABLES and I'm using the DNAT rules, why does the kernel not do the proxy-arp automatically? Surely what DNAT is trying to accomplish requires this, i.e. listening on a public IP and redirecting to a private IP.
Well, it need not be accomplished by proxy-arp, for one. Then, who's saying the IP address that's being DNATed is in a local subnet of the firewall at all? I.e. the firewall could have two networks attached, 1/8 and 2/8. It could still be instructed to DNAT traffic to 2.1.1.1 to 3.1.1.1. No proxy-arp involved. Use different tools for different tasks.
PS: I dislike either of these setups. If you've got separate subnets, you should have separate subnet addresses, IMHO. But the above should work nonetheless. So you would have 66.8.45.161/28 on the router LAN interface and something else on the internet interface on the firewall? Does this mean that the internet interface on the firewall requires a public IP?
No, you can't have the Linux firewall's external interface and the router's 'internal' interface on different subnets (well, in Linux with PtP interfaces you can and Cisco allows for 'ip unnumbered', so this is actually not entirely true, but..). I'd ask for a /30 subnet to put the Cisco and the firewall (external interface) into, additionally to the /28 subnet for the DMZ and have the Cisco sysadmin configure the firewall as the gateway to that /28. The /30 subnet needn't have official addresses, BTW, in case that's a problem, because no one should need to send traffic to the firewall directly. Cheers, Tobias
On Monday 03 December 2001 07:58, Reckhard, Tobias wrote:
On Monday 03 December 2001 07:37, Reckhard, Tobias wrote:
Try: 1. man arp (see the options -D and -s) 2. http://www.linuxdoc.org/HOWTO/mini/Proxy-ARP-Subnet/
If I'm using IPTABLES and I'm using the DNAT rules, why does the kernel not do the proxy-arp automatically? Surely what DNAT is trying to accomplish requires this, i.e. listening on a public IP and redirecting to a private IP.
Well, it need not be accomplished by proxy-arp, for one. Then, who's saying the IP address that's being DNATed is in a local subnet of the firewall at all? I.e. the firewall could have two networks attached, 1/8 and 2/8. It could still be instructed to DNAT traffic to 2.1.1.1 to 3.1.1.1. No proxy-arp involved.
I read the man page for arp. It says that the kernel does automagic arp if a route exists between the subnets.
Use different tools for different tasks.
PS: I dislike either of these setups. If you've got separate subnets, you should have separate subnet addresses, IMHO. But the above should work nonetheless.
So you would have 66.8.45.161/28 on the router LAN interface and something else on the internet interface on the firewall? Does this mean that the internet interface on the firewall requires a public IP?
No, you can't have the Linux firewall's external interface and the router's 'internal' interface on different subnets (well, in Linux with PtP interfaces you can and Cisco allows for 'ip unnumbered', so this is actually not entirely true, but..).
I'd ask for a /30 subnet to put the Cisco and the firewall (external interface) into, additionally to the /28 subnet for the DMZ and have the Cisco sysadmin configure the firewall as the gateway to that /28. The /30 subnet needn't have official addresses, BTW, in case that's a problem, because no one should need to send traffic to the firewall directly.
What about setting the cisco's default gateway for the 66.8.45.160/28 network to the firewall interface?
Cheers, Tobias
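The thread above makes two points: a DNAT rule never makes the kernel answer ARP for the public address (proxy ARP is a separate mechanism, needed only when the upstream router believes that address is on the shared segment), and the cleaner design is a /30 transit prefix between the Cisco and the firewall with a static route for the /28 DMZ. The following Python script is an added example, not code from the original thread or from either participant. It turns both designs into a small planner: it checks whether the router would ARP for each public address on the shared link and emits a proxy-ARP entry next to the DNAT rule only in that case, and otherwise generates the routed /30 alternative. The `Link` helper, the transit prefix 192.168.255.0/30, the private addresses and the interface names eth0/eth1 are constructed for the example; only 66.8.45.160/28 comes from the thread. The commands are printed, not executed, and `ip neigh add proxy` is the iproute2 form of the `arp -s ... pub` entry mentioned in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """What the upstream router believes about the segment it shares with the
    firewall: its own address/prefix there, and the firewall interface on it.
    (Constructed helper for this example.)"""
    router_addr: str   # e.g. "66.8.45.161/28"
    fw_dev: str        # firewall interface on that segment, e.g. "eth0"


def router_thinks_onlink(link: Link, public_ip: str) -> bool:
    """The router ARPs for public_ip on the segment only if the address
    falls inside the prefix configured on its interface; anything else it
    hands to a next hop, so no ARP for that address ever reaches the firewall."""
    net = ipaddress.ip_interface(link.router_addr).network
    return ipaddress.ip_address(public_ip) in net


def plan_dnat(link: Link, mappings: dict) -> list:
    """Firewall commands for public -> private DNAT mappings.
    A proxy-ARP entry is added only where the router expects the public
    address to answer ARP; the DNAT rule itself is identical either way,
    which is the thread's point that DNAT does not imply proxy ARP."""
    cmds = []
    for pub, priv in mappings.items():
        if router_thinks_onlink(link, pub):
            cmds.append(f"ip neigh add proxy {pub} dev {link.fw_dev}")
        cmds.append(
            f"iptables -t nat -A PREROUTING -i {link.fw_dev} -d {pub} "
            f"-j DNAT --to-destination {priv}"
        )
    return cmds


def plan_routed(transit_cidr: str, router_ip: str, fw_ip: str,
                dmz_cidr: str, fw_ext_dev: str, fw_dmz_dev: str) -> dict:
    """The alternative recommended in the thread: a /30 transit prefix between
    the Cisco and the firewall's external interface, plus a static route on the
    router sending the DMZ /28 to the firewall. Returns router-side (Cisco IOS
    syntax) and firewall-side (iproute2) lines; no proxy ARP is involved."""
    transit = ipaddress.ip_network(transit_cidr)
    for ip in (router_ip, fw_ip):
        if ipaddress.ip_address(ip) not in transit:
            raise ValueError(f"{ip} is not inside transit prefix {transit}")
    if router_ip == fw_ip:
        raise ValueError("router and firewall need distinct transit addresses")
    dmz = ipaddress.ip_network(dmz_cidr)
    # First usable DMZ address goes on the firewall's DMZ-facing interface,
    # making the firewall the gateway for the /28.
    fw_dmz_ip = next(dmz.hosts())
    return {
        "router": [f"ip route {dmz.network_address} {dmz.netmask} {fw_ip}"],
        "firewall": [
            f"ip addr add {fw_ip}/{transit.prefixlen} dev {fw_ext_dev}",
            f"ip addr add {fw_dmz_ip}/{dmz.prefixlen} dev {fw_dmz_dev}",
            f"ip route add default via {router_ip}",
            "sysctl -w net.ipv4.ip_forward=1",
        ],
    }


if __name__ == "__main__":
    # Constructed sample values around the thread's 66.8.45.160/28.
    shared = Link("66.8.45.161/28", "eth0")
    for line in plan_dnat(shared, {"66.8.45.162": "192.168.1.10",
                                   "3.1.1.1": "192.168.1.11"}):
        print(line)
    print()
    routed = plan_routed("192.168.255.0/30", "192.168.255.1", "192.168.255.2",
                         "66.8.45.160/28", "eth0", "eth1")
    for side, lines in routed.items():
        for line in lines:
            print(f"{side}: {line}")
```

Running the script shows the contrast directly: 66.8.45.162 sits inside the router's /28, so it gets a proxy-ARP entry before its DNAT rule, while 3.1.1.1 gets the DNAT rule alone because the router would route it rather than ARP for it. The routed plan needs neither entry, which is why the thread prefers it.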
participants (2)
- Ray Leach
- Reckhard, Tobias