[Shorewall-users] DMZ with proxy arp and freeswan dilemma

Lito Kusnadi lkus9013 at mail.usyd.edu.au
Fri Dec 12 10:15:39 PST 2003


Hi.
I want to use Shorewall with FreeS/WAN to connect 2 sites privately.
One site requires a DMZ and it has more than 1 public IP.
I want to use proxy ARP and assign the mail server in the DMZ one of
the public IPs, and the web server another public IP.

The reason I want to do this, from past experience with Shorewall, is
that I want PCs in the DMZ to be able to:
a. go back to the DMZ (i.e. the web server contacts the mail server via
its public IP, where both are in the DMZ) [this is a limitation caused
by an application :( ]
b. show in the Shorewall log file where the connection to the DMZ comes
from


However, the FreeS/WAN documentation section of Shorewall says:

(http://www.shorewall.net/IPSEC.htm)
"Warning: Do not use Proxy ARP and FreeS/Wan on the same system unless
you are prepared to suffer the consequences. If you start or restart
Shorewall with an IPSEC tunnel active, the proxied IP addresses are
mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to
the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so
I can't say if it is a bug in the Kernel or in FreeS/Wan."

And the proxy ARP section of the documentation displays the same
warning. So is there any way to implement the DMZ as wanted with FreeS/WAN?

Thank you.

-Lito
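The warning quoted above describes a specific misconfiguration: after a Shorewall restart with an IPSEC tunnel up, the host routes for the proxied addresses end up on the ipsecX device instead of the interface named in /etc/shorewall/proxyarp. The script below is an added example, not code from the post or from the Shorewall project, that checks for exactly that condition. It assumes the proxyarp file uses the columns ADDRESS, INTERFACE, EXTERNAL, HAVEROUTE, and that `ip -4 route show` prints one host route per proxied address; both the proxyarp contents and the routing table here are constructed samples, with the device name ipsec0 taken from the ipsecX pattern in the warning.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every address in a
# Shorewall-style proxyarp file has a host route on the interface given in its
# INTERFACE column, and flag any that landed on another device (e.g. ipsec0).
# Inputs are constructed so the check runs offline; on a real firewall you would
# pass "$(cat /etc/shorewall/proxyarp)" and "$(ip -4 route show)" instead.

# Constructed proxyarp contents. Assumed column layout:
# ADDRESS INTERFACE EXTERNAL HAVEROUTE
PROXYARP_SAMPLE='#ADDRESS        INTERFACE EXTERNAL HAVEROUTE
203.0.113.10    eth2      eth0     no
203.0.113.11    eth2      eth0     no
'

# Constructed routing table in `ip -4 route show` format. The second proxied
# address is deliberately attached to ipsec0, the failure the warning describes.
ROUTES_SAMPLE='default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0  proto kernel  scope link  src 203.0.113.2
203.0.113.10 dev eth2  scope link
203.0.113.11 dev ipsec0  scope link
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
'

# check_proxyarp_routes PROXYARP_TEXT ROUTES_TEXT
# Prints one diagnostic line per proxied address that has no host route or
# whose host route is on a device other than the configured INTERFACE.
# Prints nothing when every proxied address is routed correctly.
check_proxyarp_routes() {
    _pa="$1"
    _rt="$2"
    printf '%s\n' "$_pa" | while read -r addr iface _rest; do
        # Skip blank lines and the comment/header line.
        case "$addr" in ''|\#*) continue ;; esac
        # Find the device of the host route whose destination is exactly this address.
        dev=$(printf '%s\n' "$_rt" | awk -v a="$addr" '$1 == a && $2 == "dev" { print $3; exit }')
        if [ -z "$dev" ]; then
            printf '%s: no host route found\n' "$addr"
        elif [ "$dev" != "$iface" ]; then
            printf '%s: route on %s, expected %s\n' "$addr" "$dev" "$iface"
        fi
    done
}

# Stand-alone usage: report problems in the constructed samples.
check_proxyarp_routes "$PROXYARP_SAMPLE" "$ROUTES_SAMPLE"
```

Running the check right after `shorewall restart` (with the tunnel active) and comparing its output against a run taken with the tunnel down shows whether the routes moved, which is the observable symptom the warning refers to.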
