On Saturday 28 April 2001 19:07, Glynn Clements wrote:
> Thomas Kotzian wrote:
> > What do I have to do to have a DMZ without bridging? How do I
> > have to configure routing? Please help!

As far as I know there are the following solutions:
- transparent bridging (bad solution);
- some sort of NAT (bad solution);
- use different nets on both firewall sides (probably the best).

I believe you can't forward packets in the normal way from the same network to the same network. You need to use different networks on both firewall interfaces. So, the scheme should look like this:

p2p1=[A]----[B]=p2p2=[C]---[D]=Firewall=[E]---- DMZ

where:
p2p1 - is the point-to-point iface on the ISP side, having some IP "A"/30;
p2p2 - is the P2P iface on YOUR side, probably on some cisco router, having IP "B"/31 on the same subnet as "A";
"C" is an interface on the same cisco, having some private IP address, for example 192.168.0.1/31;
"D" is the iface on YOUR firewall linux box, having IP 192.168.0.2/30;
"E" is the second interface on your firewall, having some subnet of routable internet addresses provided by your ISP, say 100.100.100.244/27;
DMZ - is the LAN with boxes having these routable IPs, e.g. 100.100.100.245/27, and so on...

The firewall has static default gw 192.168.0.1, and the cisco has a route to the 100.100.100.224/27 network with nexthop 192.168.0.2. You should ask your ISP to set up the cisco router in that way.

The good thing is that this is done without any advanced techniques, just using proper static routes. The bad thing is that your firewall is actually sitting on a private IP, and you cannot ping from it to the internet :) But there is a simple workaround for this with iptables + SNAT.

> Unless you are using proxy-ARP, you need to:
>
> a) configure the routing tables on the DMZ hosts to use the firewall
> as the gateway to the Internet (and the external router, if you need
> to talk to it), and
>
> b) configure the routing table on the external router to use the
> firewall as the gateway to the DMZ hosts.
> You may wish to use "sysctl -w net.ipv4.conf.all.proxy_arp=1" to
> enable "automatic" proxy-ARP on both interfaces.

This is not necessary. I run without it.

Good luck,
--
// Andrius Adomaitis          Systems Administrator
// charta@gaumina.lt          UAB Gaumina dizainas
// tel.+370-85-54454          http://www.gaumina.lt
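As an added example, not part of the original post, here is a dry-run configuration plan for the Linux firewall box in the scheme above, using the post's sample addresses. The interface names eth0/eth1, and the use of iproute2, sysctl and iptables for the SNAT workaround, are assumptions. The same_subnet check flags link ends that do not share one network, the kind of /31-versus-/30 slip that is easy to make on a point-to-point link.

```shell
#!/bin/sh
# Added example: dry-run plan for the firewall ("D"/"E") in the routed DMZ layout.
# Nothing is executed unless RUN=1 is set (needs root); by default commands are printed.

LINK_LOCAL=192.168.0.2      # "D": firewall side of the private point-to-point link
LINK_PEER=192.168.0.1       # "C": cisco side, the firewall's default gateway
LINK_PREFIX=30
DMZ_ADDR=100.100.100.244    # "E": firewall's address in the routable DMZ subnet
DMZ_PREFIX=27
EXT_IF=eth0                 # assumed: interface towards the cisco
DMZ_IF=eth1                 # assumed: interface towards the DMZ

# Convert a dotted quad to a 32-bit integer using only shell arithmetic.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (return 0) when two addresses fall inside the same /prefix network.
same_subnet() {
    local mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Execute a command when RUN=1, otherwise print it so the plan can be reviewed.
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

configure_firewall() {
    same_subnet "$LINK_LOCAL" "$LINK_PEER" "$LINK_PREFIX" || {
        echo "link addresses are not in one /$LINK_PREFIX" >&2; return 1; }
    run ip addr add "$LINK_LOCAL/$LINK_PREFIX" dev "$EXT_IF"
    run ip addr add "$DMZ_ADDR/$DMZ_PREFIX" dev "$DMZ_IF"
    # Static default route towards the cisco; the cisco routes the /27 back to us.
    run ip route add default via "$LINK_PEER" dev "$EXT_IF"
    run sysctl -w net.ipv4.ip_forward=1
    # The post's workaround: the firewall itself sits on a private IP, so rewrite
    # its own outbound traffic to its routable DMZ-side address.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LINK_LOCAL" -j SNAT --to-source "$DMZ_ADDR"
}
```

Run it as-is to review the plan; only the firewall's own traffic is SNATed, DMZ hosts keep their routable addresses end to end.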