[Shorewall-users] design issue?

David Smead smead@amplepower.com
Thu, 11 Apr 2002 23:24:45 -0700 (PDT)


1.)  I have a DMZ with 1-3 servers in it.  I have static IPs that I can
assign to the servers in the DMZ.

2.)  Or I could assign IP numbers in the DMZ such as 192.168.1.X.

3.)  Or I could actually do both using aliased interfaces.

In the case of 1) I can use proxyarp.

In the case of 2) I can use dnat where the firewall accepts the static IPs
and sends them on to the norfc1918 IP.

In the case of 3) where the net zone and the local zone(s) need to access
the servers in the DMZ, which is best and why?  - proxyarp or masq/dnat?
I'd like to use case 3 because dropping in a new firewall won't ripple up
the network if I do.

-- 
Sincerely,

David Smead
http://www.amplepower.com.