From: Nico van Eikema Hommes (hommes@chemie.uni-erlangen.de)
Date: Thu Jul 04 2002 - 00:23:08 CDT
Hi Tom, hi list!
>We have a block of 16 IP addresses from the block of 256 available, we
>have x.x.x.49..63 all in its own subnet with an appropriate subnet
>mask to keep the broadcasts local. The ISP installed some type of dumb
>gateway on .49 to allow our outgoing traffic to reach the router on
>x.x.x.2 without being in the same subnet as that router, but all
>incoming traffic avoids the gateway on .49. All traceroutes for any of
>our 16 IPs route up to and including the x.2 router.
>I propose to place a firewall with its public interface on .50 and split
>the remaining IP addresses, x.51..63, into a disjoint network which I
>shall use as a DMZ. The DMZ is intended to run an http server, pop, smtp,
>a special demo server and another server running a VNC server. I
>propose to have the firewall route this traffic if it reaches the
>external interface for something in the DMZ.
One possible solution is to activate proxy-ARP on your firewall machine
for the internal and external interface, and give both interfaces the
same IP number, in your case x.x.x.50.
ISP ----|.2 .49|----|.50 .50|-----DMZ
The router will now "see" the hardware address of eth1 for all machines
in the DMZ, and these will see the hardware address of eth0 both for
x.x.x.50 and x.x.x.49. The firewall machine should route packets to
x.x.x.49 over eth1 and all the rest over eth0. No changes are needed on
the DMZ machines, they will only see one more hop in a traceroute.
Alternatively, you could use the "bridging toolkit", which currently is
not included in the SuSE distributions (it's still under development).
This would allow you to have a firewall without an IP address.
Hope this helps a bit. Best wishes,
Nico van Eikema Hommes
--
Dr. N.J.R. van Eikema Hommes        Computer-Chemie-Centrum
hommes@chemie.uni-erlangen.de       Universitaet Erlangen-Nuernberg
Phone: +49-(0)9131-8526532          Naegelsbachstrasse 25
FAX:   +49-(0)9131-8526565          D-91052 Erlangen, Germany
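The same-address, proxy-ARP layout Nico describes, written out as a small Python model of the two decisions the firewall host makes: which interface forwards a packet, and which ARP requests it answers on behalf of other hosts. This is an added example, not code from the post or from the list. It uses the RFC 5737 documentation block 192.0.2.0/24 in place of x.x.x.0/24, keeps eth1 on the router side and eth0 on the DMZ side as in the reply, and encodes the Linux proxy-ARP rule (a reply is sent only when the request's target would be forwarded out a different interface than the one the request arrived on). The addresses, interface names and the per-interface sysctl knob named in the comments are assumptions for the example.

```python
"""Model of a Linux firewall with the same address on both interfaces and
proxy-ARP enabled: (a) which interface forwards a packet and (b) which ARP
requests it answers on behalf of other hosts.

Constructed example: 192.0.2.0/24 (RFC 5737 documentation range) stands in
for the post's x.x.x.0/24. Interface roles follow the post: eth1 faces the
ISP router (.2/.49), eth0 faces the DMZ (.51-.63); the firewall is .50 on both.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional

PREFIX = "192.0.2."                       # constructed stand-in for x.x.x.
ROUTER_GW = ip_address(PREFIX + "49")     # ISP's "dumb gateway" inside the /28
FIREWALL = ip_address(PREFIX + "50")      # same address on eth0 and eth1
EXT_IFACE, DMZ_IFACE = "eth1", "eth0"


class Route(NamedTuple):
    prefix: IPv4Network
    iface: str
    gateway: Optional[IPv4Address] = None  # None: directly connected


# The routing table the post describes: .49 out the external side,
# the rest of the /28 towards the DMZ, everything else via .49.
ROUTES: List[Route] = [
    Route(ip_network(PREFIX + "49/32"), EXT_IFACE),
    Route(ip_network(PREFIX + "48/28"), DMZ_IFACE),
    Route(ip_network("0.0.0.0/0"), EXT_IFACE, ROUTER_GW),
]

# Interfaces on which net.ipv4.conf.<iface>.proxy_arp would be set to 1
# (assumed setup for this example).
PROXY_ARP_ENABLED = {EXT_IFACE, DMZ_IFACE}


def lookup(dst: str) -> Route:
    """Longest-prefix match, the way the kernel's FIB selects a route."""
    addr = ip_address(dst)
    candidates = [r for r in ROUTES if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forward(dst: str):
    """Return (egress interface, next-hop address) for a forwarded packet.
    A directly connected destination is its own next hop."""
    route = lookup(dst)
    next_hop = route.gateway if route.gateway is not None else ip_address(dst)
    return route.iface, str(next_hop)


def arp_reply(iface: str, target: str) -> Optional[str]:
    """Decide whether the firewall answers an ARP request that arrived on
    `iface` asking for `target`.

    'local': the target is the firewall's own address, answered normally.
    'proxy': proxy_arp is on for `iface` and traffic for `target` would
             leave through a *different* interface, so the host answers
             with `iface`'s own MAC (the Linux proxy-ARP rule).
    None:    stays silent; the real owner of `target` answers.
    """
    if ip_address(target) == FIREWALL:
        return "local"
    if iface in PROXY_ARP_ENABLED and lookup(target).iface != iface:
        return "proxy"
    return None


def macs_learned_by_router(dmz_hosts):
    """Which interface's MAC the ISP router caches for each DMZ host,
    i.e. the post's "the router will see the hardware address of eth1"."""
    return {h: EXT_IFACE for h in dmz_hosts if arp_reply(EXT_IFACE, h) == "proxy"}


if __name__ == "__main__":
    for host in (PREFIX + "51", PREFIX + "63"):
        print(host, "->", forward(host), "| router's ARP answered:", arp_reply(EXT_IFACE, host))
    print("DMZ host asks for .49 ->", arp_reply(DMZ_IFACE, PREFIX + "49"))
    print("198.51.100.7 ->", forward("198.51.100.7"))
```

The two `None` cases are the ones worth checking on a real box: a request on eth0 for another DMZ host, or on eth1 for .49, must go unanswered, otherwise the firewall would be claiming addresses on the segment that already owns them.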