[Shorewall-users] design issue?

David Smead smead@amplepower.com
Fri, 12 Apr 2002 16:19:41 -0700 (PDT)


Tom,

I hope I'm learning something but here goes another round of ignorance.

Is the nat file translated into rules that do static nat in both
directions?

If one server in the dmz has 3 IPs, (aliased) and 2 of them are proxyarp'd
can I masquerade the other one, which is a 198.168.1.X?  Part of my
confusion is not understanding what IP is used on a multiple aliases IP
interface for a source address.

-- 
Sincerely,

David Smead
http://www.amplepower.com.

On Fri, 12 Apr 2002, Tom Eastep wrote:

> On Thu, 11 Apr 2002, David Smead wrote:
>
> >
> > 1.)  I have a DMZ with 1-3 servers in it.  I have static IPs that I can
> > assign to the servers in the DMZ.
> >
> > 2.)  Or I could assign IP numbers in the DMZ such as 192.168.1.X.
> >
> > 3.)  Or I could actually do both using aliased interfaces.
> >
>
> Are you referring to static NAT?
>
> > In the case of 1) I can use proxyarp.
> >
> > In the case of 2) I can use dnat where the firewall accepts the static IPs
> > and sends them on to the norfc1918 IP.
> >
> > In the case of 3) where the net zone and the local zone(s) need to access
> > the servers in the DMZ, which is best and why?  - proxyarp or masq/dnat?
> > I'd like to use case 3 because dropping in a new firewall won't ripple up
> > the network if I do.
> >
>
> In my opinion, Proxy ARP is the cleanest way to handle a DMZ.
>
> 1) The hosts in the DMZ are accessed using the same IP address regardless
> of where they are accessed from.
>
> 2) The hosts in the DMZ know what their real IP address is -- this is
> helpful for running some services (I ran into problems of this sort when I
> originally set up my DMZ -- Sorry but I don't remember which service(s)
> gave me problems).
>
> -Tom
>
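To make the two approaches in the quoted exchange concrete, here is an added configuration sketch (not from the original thread or the Shorewall project) of what Tom's proxy ARP recommendation and David's "case 2" DNAT alternative look like as Shorewall table entries. Column layout follows the Shorewall 1.x proxyarp and nat files as I understand them; the interface names and the addresses in the 203.0.113.0/24 and 192.168.1.0/24 ranges are constructed placeholders.

```text
# /etc/shorewall/proxyarp  (Tom's preferred approach, DMZ host keeps its real public IP)
# The firewall answers ARP on the EXTERNAL interface for ADDRESS and routes it to INTERFACE.
# The DMZ host is configured with 203.0.113.10 itself, so it is reached by that one address
# from the net zone and from the local zone alike.
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
203.0.113.10    eth2        eth0        No

# /etc/shorewall/nat  (David's "case 2": static one-to-one NAT to an RFC 1918 DMZ address)
# Traffic to EXTERNAL arriving on INTERFACE is DNATed to INTERNAL; replies and connections
# originated by INTERNAL are SNATed back to EXTERNAL, so the mapping is applied in both
# directions. The DMZ host itself only ever sees 192.168.1.20, which is the property Tom
# notes can confuse some services.
#EXTERNAL       INTERFACE   INTERNAL        ALL INTERFACES  LOCAL
203.0.113.11    eth0        192.168.1.20    Yes             No
```

With the proxyarp entry, a hard-to-spot check is that the DMZ host must not also be reachable via a masq entry for eth0, or its outbound traffic would leave with the firewall's address instead of 203.0.113.10.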