Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] Connecting firewall directly to router ...
  • From: Ray Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 3 Dec 2001 08:21:30 +0200
  • Message-id: <20011203062013.61F7EE6362@xxxxxxxxxxxx>
On Monday 03 December 2001 07:58, Reckhard, Tobias wrote:
> > On Monday 03 December 2001 07:37, Reckhard, Tobias wrote:
> > > Try:
> > > 1. man arp (see the options -D and -s)
> > > 2. http://www.linuxdoc.org/HOWTO/mini/Proxy-ARP-Subnet/
> >
> > If I'm using IPTABLES and I'm using the DNAT rules, why does the kernel not
> > do the proxy-arp automatically? Surely what DNAT is trying to accomplish
> > requires this, i.e. listening on a public IP and redirecting to a private IP.
>
> Well, it need not be accomplished by proxy-arp, for one. Then, who's saying
> the IP address that's being DNATed is in a local subnet of the firewall at
> all? I.e. the firewall could have two networks attached, 1/8 and 2/8. It
> could still be instructed to DNAT traffic to 2.1.1.1 to 3.1.1.1. No
> proxy-arp involved.
>
I read the man page for arp. It says that the kernel does automagic arp if a
route exists between the subnets.

> Use different tools for different tasks.
>
> > > PS: I dislike either of these setups. If you've got separate subnets, you
> > > should have separate subnet addresses, IMHO. But the above should work
> > > nonetheless.
> >
> > So you would have 66.8.45.161/28 on the router LAN interface and something
> > else on the internet interface on the firewall? Does this mean that the
> > internet interface on the firewall requires a public IP?
>
> No, you can't have the Linux firewall's external interface and the router's
> 'internal' interface on different subnets (well, in Linux with PtP
> interfaces you can and Cisco allows for 'ip unnumbered', so this is
> actually not entirely true, but..).
>
> I'd ask for a /30 subnet to put the Cisco and the firewall (external
> interface) into, additionally to the /28 subnet for the DMZ and have the
> Cisco sysadmin configure the firewall as the gateway to that /28. The /30
> subnet needn't have official addresses, BTW, in case that's a problem,
> because no one should need to send traffic to the firewall directly.
>
What about setting the Cisco's default gateway for the 66.8.45.160/28 network
to the firewall interface?

> Cheers
> Tobias
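
The two designs discussed in this thread, as an added example that is not part of the original post or of any SUSE tooling: a small planner that shows when a DNATed public address needs a host-specific proxy-ARP entry (the shared /28 design) and when the Cisco's static route makes that unnecessary (the /30 design). The /30 addresses, the DMZ host 10.0.0.10, the interface name eth0 and the MAC are constructed placeholders.

```python
import ipaddress

# Constructed sample values modelled on the thread (not a real network): the
# /28 the router hands out, a DMZ host on RFC1918 space, and a placeholder MAC
# (IANA documentation range) for the firewall's external interface.
PUBLIC_BLOCK = "66.8.45.160/28"
FW_EXT_SHARED = "66.8.45.162/28"    # design 1: firewall external in the same /28 as the router
FW_EXT_P2P = "192.168.255.2/30"     # design 2: private /30 between the Cisco and the firewall
FW_EXT_MAC = "00:00:5e:00:53:01"    # placeholder MAC, assumption


def needs_proxy_arp(fw_external: str, public_ip: str) -> bool:
    """True when packets for public_ip only reach the firewall if it answers
    ARP for that address: the address lies inside the subnet on the firewall's
    external interface but is not the interface's own address."""
    ext = ipaddress.ip_interface(fw_external)
    target = ipaddress.ip_address(public_ip)
    return target in ext.network and target != ext.ip


def plan_dnat(fw_external: str, public_ip: str, private_ip: str, port: int,
              ext_ifname: str = "eth0") -> list:
    """Commands for publishing one TCP service. The DNAT rule is always needed;
    the per-host proxy-ARP entry (arp -s ... pub, which 'man arp' describes)
    only in the shared-subnet design."""
    cmds = [
        f"iptables -t nat -A PREROUTING -i {ext_ifname} -d {public_ip} "
        f"-p tcp --dport {port} -j DNAT --to-destination {private_ip}:{port}",
        # Forwarding of the translated flow still has to be permitted explicitly.
        f"iptables -A FORWARD -i {ext_ifname} -d {private_ip} -p tcp --dport {port} -j ACCEPT",
    ]
    if needs_proxy_arp(fw_external, public_ip):
        # Publish only this one address; leave the blanket
        # /proc/sys/net/ipv4/conf/<if>/proxy_arp switch off, it answers for everything routable.
        cmds.append(f"arp -i {ext_ifname} -s {public_ip} {FW_EXT_MAC} pub")
    return cmds


def cisco_static_route(public_block: str, fw_p2p: str) -> str:
    """IOS static route for the /30 design: the router forwards the whole /28
    to the firewall's /30 address instead of ARPing for each host in it."""
    net = ipaddress.ip_network(public_block)
    return f"ip route {net.network_address} {net.netmask} {ipaddress.ip_interface(fw_p2p).ip}"


if __name__ == "__main__":
    for design in (FW_EXT_SHARED, FW_EXT_P2P):
        print(f"# firewall external = {design}")
        print("\n".join(plan_dnat(design, "66.8.45.163", "10.0.0.10", 80)))
    print(cisco_static_route(PUBLIC_BLOCK, FW_EXT_P2P))
```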
