Mailinglist Archive: opensuse-security (465 mails)

RE: [suse-security] Connecting firewall directly to router ...
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 3 Dec 2001 06:58:16 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56C75@xxxxxxxxxxxxxxxxx>
> On Monday 03 December 2001 07:37, Reckhard, Tobias wrote:
> > Try:
> > 1. man arp (see the options -D and -s)
> > 2.
> >
> If I'm using IPTABLES and I'm using the DNAT rules, why does the kernel not
> do the proxy-arp automatically? Surely what DNAT is trying to accomplish
> requires this, i.e. listening on a public IP and redirecting to a private IP.

Well, it need not be accomplished by proxy-arp, for one. Then, who's saying
the IP address that's being DNATed is in a local subnet of the firewall at
all? I.e. the firewall could have two networks attached, 1/8 and 2/8. It
could still be instructed to DNAT traffic to to No
proxy-arp involved.

Use different tools for different tasks.

> > PS: I dislike either of these setups. If you've got separate subnets, you
> > should have separate subnet addresses, IMHO. But the above should work
> > nonetheless.
> So you would have on the router LAN interface and something
> else on the internet interface on the firewall? Does this mean that the
> internet interface on the firewall requires a public IP?

No, you can't have the Linux firewall's external interface and the router's
'internal' interface on different subnets (well, in Linux with PtP
interfaces you can and Cisco allows for 'ip unnumbered', so this is actually
not entirely true, but..).

I'd ask for a /30 subnet to put the Cisco and the firewall (external
interface) into, additionally to the /28 subnet for the DMZ and have the
Cisco sysadmin configure the firewall as the gateway to that /28. The /30
subnet needn't have official addresses, BTW, in case that's a problem,
because no one should need to send traffic to the firewall directly.
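
Added example, not part of the original message: a small model of the upstream router's forwarding decision, showing why a DNATed public address needs an ARP answer from the firewall only when the router sees that address as on-link, and not when the /28 is routed via a /30 transfer net as suggested above. All addresses and the function names are constructed for illustration.

```python
import ipaddress

def router_decision(dst, connected, static_routes):
    """What the upstream router does with a packet for dst.

    Returns ("arp", subnet) when dst is on a directly connected subnet,
    ("route", gateway) when a static route wins, ("drop", None) otherwise.
    """
    addr = ipaddress.ip_address(dst)
    matches = []
    for net in connected:
        n = ipaddress.ip_network(net)
        if addr in n:
            matches.append((n.prefixlen, 1, "arp", str(n)))
    for net, gateway in static_routes.items():
        n = ipaddress.ip_network(net)
        if addr in n:
            matches.append((n.prefixlen, 0, "route", gateway))
    if not matches:
        return ("drop", None)
    # Longest prefix wins; on a tie the connected subnet is preferred.
    _, _, action, target = max(matches)
    return (action, target)

def proxy_arp_needed(dst, connected, static_routes, firewall_addrs):
    """True if the router will ARP for dst and the firewall does not own it."""
    action, _ = router_decision(dst, connected, static_routes)
    owned = {ipaddress.ip_address(a) for a in firewall_addrs}
    return action == "arp" and ipaddress.ip_address(dst) not in owned

# Constructed sample topologies (documentation and private address ranges).
# FLAT: router LAN and public servers share one /28; firewall has one address.
FLAT = dict(connected=["203.0.113.0/28"], static_routes={},
            firewall_addrs=["203.0.113.2"])
# ROUTED: private /30 transfer net, /28 reached via the firewall as gateway.
ROUTED = dict(connected=["192.168.255.0/30"],
              static_routes={"203.0.113.0/28": "192.168.255.2"},
              firewall_addrs=["192.168.255.2", "203.0.113.1"])

if __name__ == "__main__":
    for name, topo in (("flat", FLAT), ("routed", ROUTED)):
        print(name, proxy_arp_needed("203.0.113.5", **topo))
```
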

