From: Lars Ellenberg (l.g.e_at_web.de)
Date: Wed Aug 21 2002 - 05:33:56 CDT
OK, now I am not doing this exactly every day, so I may be wrong,
> >how about host routes?
> I am interested in all your suggestions because I had a similar design
> problem to that of the OP. How can this work if the NIC that connects
> to the ISP has to have one of the IP addresses which are part of the
> whole subnet linked with another NIC on the same machine? (My ISP gave
> me a separate IP for this purpose.)
this is ugly, but it should work. (If I am wrong, shout at me :)
o.X: official, p.X: private
ISP----router o.1----o.2:firewall:p.1----o.3:DMZ host
host o.2/32 via o.1
host o.3/32 via o.2
host o.4/32 via o.2 etc.
host o.Proxy for LAN via o.2 ...
last three lines could be replaced by a normal subnet route,
net o.0/28 via o.1
since host routes take precedence, the subnet route is not active
[ LAN normal configuration ]
host o.1 via o.2
host o.3 (DMZ) via p.1
host p.1 via o.3
> >if you have control over the router yourself, or can talk someone at
> >your ISP to reconfigure it, my preferred config would be host routes.
> This is difficult if the ISP won't commit itself to a particular gateway
> at its end (mine has n routers, where n increases with time).
maybe I did not understand this question.
it is the router's job to cope with this, isn't it? regardless of the
routing at your site, the ISP side is their problem.
> >if that fails, you can do arp bridging on the firewall.
> This sounds like a good idea, is it difficult if the firewall is also
> acting as a router for 2 different subnets and the ISP, though? (As in
> OP, and my setup!)
you can turn this on/off by interface.
> >or use aliases on your firewall outside interface, and use private ips
> >in the DMZ.
> If you do this, are all packets transparently routed between the
> aliases, or do you have to use masquerading, with all the potential
> protocol problems, and port forwarding?
of course you have to NAT in this case. may or may not be easy...
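The two firewall-side variants Lars sketches above (host routes first, proxy ARP when the ISP router cannot be given them), written out as Linux `ip`/sysctl commands. This is an added example, not part of the original thread; the addresses are RFC 5737 placeholders standing in for the "o.X" block, the interface names eth0/eth1 and the shared o.2 address on the DMZ side are assumptions, and with RUN unset the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed placeholder
# addresses from RFC 5737 (192.0.2.0/28 stands in for the official
# "o.X" block); interface names are assumptions. RUN=1 applies the
# commands, otherwise they are only printed for review.

RUN="${RUN:-0}"
OUT_IF="${OUT_IF:-eth0}"          # assumed outside interface (toward o.1)
DMZ_IF="${DMZ_IF:-eth1}"          # assumed DMZ interface
ROUTER=192.0.2.1                  # o.1, the ISP router
FW_OUT=192.0.2.2                  # o.2, firewall outside address
DMZ_HOSTS="192.0.2.3 192.0.2.4"   # o.3, o.4, the DMZ hosts

run() { if [ "$RUN" = 1 ]; then "$@"; else echo "$*"; fi; }

# Variant 1, host routes: o.2/28 on the outside interface installs a
# connected /28 there; the /32 routes toward the DMZ are more specific
# and win ("host routes take precedence"). The ISP router still needs
# its matching "o.3/32 via o.2" entries, which are not shown here.
fw_host_routes() {
    run ip addr add "$FW_OUT/28" dev "$OUT_IF"
    # Assumption: reuse o.2 as a /32 on the DMZ side so the firewall has
    # an on-link source for ARP there without spending another official IP.
    run ip addr add "$FW_OUT/32" dev "$DMZ_IF"
    for h in $DMZ_HOSTS; do
        run ip route add "$h/32" dev "$DMZ_IF"
    done
    run ip route add default via "$ROUTER" dev "$OUT_IF"
    run sysctl -w net.ipv4.ip_forward=1
}

# Variant 2, "arp bridging": the firewall answers ARP for the DMZ hosts
# on the outside link and for the router on the DMZ link. It is switched
# per interface, as the post says.
fw_proxy_arp() {
    run sysctl -w "net.ipv4.conf.$OUT_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"
}

# DMZ host side (o.3): a /32 address, an on-link host route to the
# firewall, then the default via o.2 (the post's "host o.1 via o.2").
dmz_host_routes() {
    run ip addr add 192.0.2.3/32 dev eth0
    run ip route add "$FW_OUT/32" dev eth0
    run ip route add default via "$FW_OUT"
}

fw_host_routes
fw_proxy_arp
dmz_host_routes
```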