[Shorewall-users] design issue?

Tom Eastep teastep@shorewall.net
Fri, 12 Apr 2002 05:49:44 -0700 (Pacific Daylight Time)

On Thu, 11 Apr 2002, David Smead wrote:

> 1.)  I have a DMZ with 1-3 servers in it.  I have static IPs that I can
> assign to the servers in the DMZ.
> 2.)  Or I could assign IP numbers in the DMZ such as 192.168.1.X.
> 3.)  Or I could actually do both using aliased interfaces.

Are you referring to static NAT?

> In the case of 1) I can use proxyarp.
> In the case of 2) I can use dnat where the firewall accepts the static IPs
> and sends them on to the norfc1918 IP.
> In the case of 3) where the net zone and the local zone(s) need to access
> the servers in the DMZ, which is best and why?  - proxyarp or masq/dnat?
> I'd like to use case 3 because dropping in a new firewall won't ripple up
> the network if I do.

In my opinion, Proxy ARP is the cleanest way to handle a DMZ.

1) The hosts in the DMZ are accessed using the same IP address regardless
of where they are accessed from.

2) The hosts in the DMZ know what their real IP address is -- this is
helpful for running some services (I ran into problems of this sort when I
originally set up my DMZ -- Sorry but I don't remember which service(s)
gave me problems).

Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
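The two layouts Tom compares, written out side by side as Shorewall configuration fragments. This is an added illustration, not taken from the thread or from the Shorewall project; the column layouts follow Shorewall's proxyarp and rules files of that era (an assumption), and the addresses (203.0.113.0/24 as the public block, 192.168.1.0/24 for a private DMZ, eth0 facing the net, eth1 the DMZ) are constructed.

```text
# Case 1: Proxy ARP. The DMZ host keeps its public address 203.0.113.18
# on eth1; the firewall answers ARP requests for it on eth0.
# /etc/shorewall/proxyarp
#ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE
203.0.113.18    eth1        eth0       No

# No NAT entry is needed: net->dmz and loc->dmz traffic is plain routing,
# so the host is reached as 203.0.113.18 from every zone and sees that
# address as its own (Tom's points 1 and 2).
# /etc/shorewall/rules
#ACTION  SOURCE  DEST               PROTO  DEST PORT
ACCEPT   net     dmz:203.0.113.18   tcp    80
ACCEPT   loc     dmz:203.0.113.18   tcp    80

# Case 2: DNAT. The same host holds 192.168.1.18; the public address sits
# on the firewall and is rewritten on the way in.
# /etc/shorewall/rules
#ACTION  SOURCE  DEST               PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
DNAT     net     dmz:192.168.1.18   tcp    80         -            203.0.113.18
# A second entry is required for the local zone, otherwise loc clients
# that connect to the public address never reach the server:
DNAT     loc     dmz:192.168.1.18   tcp    80         -            203.0.113.18
# ... and the server still believes its address is 192.168.1.18.
```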