Re: [LARTC] iproute2 and routing entries

Linux Advanced Routing and Traffic Control


hi,
> The last I heard was that one of the networking guys gave this explanantion
> and challenged someone to give an example of where this was the wrong
> thing to do. The thread died there IIRC.
> 
> Personally I think it's a great feature because in at least 99.99% of 
> cases it's exactly what you want and I havn't found an example of the
> other 0.01%.

okay - here's a strange set-up, but if you think it over, it has some nice
advantages.

Assume you have a public network (e.g. 132.231.1.0) routed to your fw/gateway.
For the DMZ you use a private network (e.g. 10.10.10.0). In the DMZ you have
two public servers (www 132.231.1.1 and mail 132.231.1.2).

On the internal interface of the gw/fw use the IP 10.10.10.254. The two
public servers have the 2nd address 10.10.10.1 (www) and 10.10.10.2 (mail).

Now use the following route-entries:

www and mail:
10.10.10.0/24  -> eth0
default        -> 10.10.10.254

and on the firewall you set the following route entries:
10.10.10.0/24 -> eth0
132.231.1.1/32 -> 10.10.10.1
132.231.1.2/32 -> 10.10.10.2

This design has the (dis?)advantage that every packet with public IP
addresses within the DMZ is routed again over the fw/gw. For some
security/accounting reasons this is not a bad idea <g>


   .\\ichael Schoen

--
 Michael Schoen   <schoen@xxxxxxxxxx>                      _/_/_/
                                                          _/_/_/
 ANDURAS AG i.G.      Internet: www.anduras.de           _/_/_/
 Innstraße 71         Tel: 0851/4 90 50-0               _/_/_/
 94036 Passau         Fax: 0851/4 90 50-55             _/_/_/
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
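The following is an added worked example, not code from the post above or from the LARTC project. It models the three route tables listed in the message in Python with longest-prefix matching and traces packets between the DMZ hosts: a packet from www to mail's public address 132.231.1.2 takes the extra hop through the fw/gw, because the only matching route on www is the default via 10.10.10.254 and the firewall then hits its /32 host route; a packet addressed to the private 10.10.10.2 matches the connected 10.10.10.0/24 route and stays on the DMZ link without ever touching the firewall, so the forced extra hop only holds for traffic that uses the public addresses. The host names (fw, www, mail), the interface name eth0, the on-link check on gateways and the omission of the firewall's upstream/default route (which the post does not give) are assumptions of this example.

```python
# Added example, not code from the original post or from the LARTC project.
# It simulates the route tables described in the message with longest-prefix
# matching so the effect of the /32 host routes on the firewall can be seen.
# Host names (fw, www, mail), the interface name eth0 and a single DMZ link
# per host are assumptions for the illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[IPv4]   # None means a directly connected ("dev") route
    dev: str


def parse_route(line: str) -> Route:
    """Parse a minimal iproute2-style line: '<prefix>|default [via GW] [dev IF]'."""
    tokens = line.split()
    dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    prefix = ipaddress.ip_network(dst, strict=False)
    via, dev = None, "eth0"                 # assumed default interface
    i = 1
    while i < len(tokens):
        if tokens[i] == "via":
            via = ipaddress.ip_address(tokens[i + 1])
        elif tokens[i] == "dev":
            dev = tokens[i + 1]
        else:
            raise ValueError(f"unsupported token {tokens[i]!r} in {line!r}")
        i += 2
    return Route(prefix, via, dev)


def lookup(table: List[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match, the same selection rule the kernel FIB applies."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


class Host:
    def __init__(self, name: str, addrs: List[str], routes: List[str]):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        self.table = [parse_route(r) for r in routes]
        # iproute2 rejects a 'via' gateway that no connected route covers
        # ("Nexthop has invalid gateway"); enforce the same rule here.
        for r in self.table:
            if r.via is not None and not any(
                r.via in d.prefix for d in self.table if d.via is None
            ):
                raise ValueError(f"{name}: gateway {r.via} is not on-link")


# Addresses and routes exactly as listed in the post; the firewall's own
# upstream/default route is not given there and is deliberately left out.
HOSTS: Dict[str, Host] = {
    "fw": Host("fw", ["10.10.10.254"],
               ["10.10.10.0/24 dev eth0",
                "132.231.1.1/32 via 10.10.10.1",
                "132.231.1.2/32 via 10.10.10.2"]),
    "www": Host("www", ["132.231.1.1", "10.10.10.1"],
                ["10.10.10.0/24 dev eth0", "default via 10.10.10.254"]),
    "mail": Host("mail", ["132.231.1.2", "10.10.10.2"],
                 ["10.10.10.0/24 dev eth0", "default via 10.10.10.254"]),
}


def trace(hosts: Dict[str, Host], src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow one packet hop by hop; return the hosts it passes through,
    ending at the host that owns dst. Raises on no route or a loop."""
    target = ipaddress.ip_address(dst)
    owner = {a: h for h in hosts.values() for a in h.addrs}
    path, cur = [src], hosts[src]
    for _ in range(max_hops):
        if target in cur.addrs:
            return path
        route = lookup(cur.table, target)
        if route is None:
            raise RuntimeError(f"{cur.name}: no route to {target}")
        # A gateway route forwards to the gateway; a connected route delivers
        # straight to the destination on the shared link.
        next_hop = route.via if route.via is not None else target
        nxt = owner.get(next_hop)
        if nxt is None:
            raise RuntimeError(f"{cur.name}: next hop {next_hop} not on link")
        path.append(nxt.name)
        cur = nxt
    raise RuntimeError(f"{src} -> {dst}: no delivery within {max_hops} hops")


if __name__ == "__main__":
    for s, d in [("www", "132.231.1.2"), ("mail", "132.231.1.1"), ("www", "10.10.10.2")]:
        print(f"{s} -> {d}: {' -> '.join(trace(HOSTS, s, d))}")
```

Running it prints the three paths: www -> fw -> mail, mail -> fw -> www, and www -> mail. The third line is the one to keep in mind when relying on this layout for filtering or accounting: anything that learns the private 10.10.10.x addresses (a compromised DMZ host, or an application configured with them) reaches its neighbour without passing the firewall, so the DMZ hosts themselves still need local filtering.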



