Mailinglist Archive: opensuse-security (465 mails)

RE: [suse-security] Connecting firewall directly to router ...
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 3 Dec 2001 08:06:19 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56C76@xxxxxxxxxxxxxxxxx>
> > Well, it need not be accomplished by proxy-arp, for one. Then, who's saying
> > the IP address that's being DNATed is in a local subnet of the firewall at
> > all? I.e. the firewall could have two networks attached, 1/8 and 2/8. It
> > could still be instructed to DNAT traffic to 2.1.1.1 to 3.1.1.1. No
> > proxy-arp involved.
> >
> I read the man page for arp. It says that the kernel does automagic arp if a
> route exists between the subnets.

And...?

> > I'd ask for a /30 subnet to put the Cisco and the firewall (external
> > interface) into, additionally to the /28 subnet for the DMZ and have the
> > Cisco sysadmin configure the firewall as the gateway to that /28. The /30
> > subnet needn't have official addresses, BTW, in case that's a problem,
> > because no one should need to send traffic to the firewall directly.
> >
> What about setting the Cisco's default gateway for the 66.8.45.160/28 network
> to the firewall interface?

Number one, there is only one default gateway, also called the gateway of
last resort. There is no subnet-specific *default* gateway.

I don't think the Cisco would let you configure its interface as
66.8.45.161/255.255.255.240 and then issue a route to that very subnet
pointing at a gateway, since it knows that that subnet is directly attached.
You can, however, split that subnet into smaller blocks and apply routes to
those. More specific routes, i.e. ones with a larger number of bits in the
subnet mask, take precedence over less specific routes. The easiest way to
do this in your situation, where you don't have many hosts, is to issue host
routes.

Under no circumstances give the Cisco a different subnet mask than the Linux
box. They won't be able to see each other if you do, as network and
broadcast addresses don't correspond anymore.

Cheers
Tobias
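As an added illustration of the two points in the reply above (longest-prefix match making host routes beat the connected /28, and mismatched masks breaking the network/broadcast agreement), not part of the original mail: a small Python model of the Cisco's routing table. The firewall's external address 66.8.45.162, the DMZ hosts .165/.166 and the upstream gateway 66.8.45.1 are constructed assumptions; the thread does not state them.

```python
import ipaddress

# Constructed values: the thread only gives the 66.8.45.160/28 DMZ block.
FIREWALL_EXT = ipaddress.ip_address("66.8.45.162")   # assumed firewall outside address
UPSTREAM_GW = ipaddress.ip_address("66.8.45.1")      # assumed gateway of last resort

# Routing table modelled on the advice in the mail: the /28 stays directly
# attached on the Cisco, and per-host /32 routes send DMZ traffic via the
# firewall. A next hop of None means "directly connected".
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), UPSTREAM_GW),       # single default route
    (ipaddress.ip_network("66.8.45.160/28"), None),         # connected interface
    (ipaddress.ip_network("66.8.45.165/32"), FIREWALL_EXT), # host route, DMZ box 1
    (ipaddress.ip_network("66.8.45.166/32"), FIREWALL_EXT), # host route, DMZ box 2
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: among all routes containing dst, the one with
    the most mask bits wins. Returns (network, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def same_link(addr_a, mask_a, addr_b, mask_b):
    """True only if both ends derive the same network and broadcast address
    from their own address/mask, i.e. they agree they share a subnet."""
    net_a = ipaddress.ip_interface(f"{addr_a}/{mask_a}").network
    net_b = ipaddress.ip_interface(f"{addr_b}/{mask_b}").network
    return (net_a.network_address == net_b.network_address
            and net_a.broadcast_address == net_b.broadcast_address)


if __name__ == "__main__":
    for dst in ("66.8.45.165", "66.8.45.170", "198.51.100.7"):
        net, hop = lookup(dst)
        print(f"{dst}: matched {net}, next hop {hop or 'connected'}")
    # Same mask on both sides: the Cisco and the Linux box see each other.
    print(same_link("66.8.45.161", "255.255.255.240", "66.8.45.162", "255.255.255.240"))
    # Cisco on /28, Linux on /30: network/broadcast no longer correspond.
    print(same_link("66.8.45.161", "255.255.255.240", "66.8.45.162", "255.255.255.252"))
```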
