Hudson Delbert J Contr 61 CS/SCBN wrote:

> tom,
>
> why ?
>
> to what end, this topology ?
>
> please enlighten me as to the value added ?

See http://shorewall.net/myfiles.htm for a description of my firewall/router's environment.

In general, I prefer to use Proxy ARP for a DMZ rather than NAT because it allows DMZ servers to have the same IP address whether accessed from local or external clients. The DMZ interface (eth0 in my case) needs an IP address -- what address to give it? There seem to be two choices:

a) Select an RFC 1918 address in some currently unused network.

b) Use the firewall's external IP address.

By using b), the existing PTR record can serve both interfaces so that traffic from the firewall to the server appears to come from the correct host (gateway.shorewall.net).

In general, consider this:

    <upstream router -- address A.B.C.x>
                    |
                    |
    <gateway router -- address A.B.C.y>
                    |
      ---------------------------
       |   |   |   |   |   |   |
          Network A.B.C.0/24

Assume that the upstream router routes A.B.C.0/24 via the gateway router A.B.C.y. The gateway router can be configured as follows:

    External interface A.B.C.y/32
        Host route to A.B.C.x on external interface (no gateway)
        Default route via A.B.C.x

    Internal interface A.B.C.y/24
        Net route to A.B.C.254/24 on Internal interface (no gateway)

So the gateway router only requires one IP address rather than two yet it is addressable from both sides.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@xxxxxxxxxxxxx
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
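The one-address gateway configuration Tom describes, simulated as an added example (not code from the post or from Shorewall): a longest-prefix-match lookup over the four route entries, showing why the /32 host route to A.B.C.x on the external interface matters once the internal interface also carries A.B.C.y/24, which would otherwise claim A.B.C.x as on-link on the DMZ side. The 192.0.2.0/24 addresses and the interface names eth_ext/eth_int are constructed stand-ins for A.B.C.0/24 and the real interfaces.

```python
import ipaddress

# Constructed stand-ins for the post's A.B.C.x (upstream) and A.B.C.y (gateway).
UPSTREAM = ipaddress.ip_address("192.0.2.1")   # A.B.C.x
GATEWAY = ipaddress.ip_address("192.0.2.2")    # A.B.C.y, the gateway's only address


def route_table(with_host_route=True):
    """Gateway routes as (prefix, interface, via); via=None means on-link."""
    routes = [
        # Internal interface A.B.C.y/24 -> connected /24 on the DMZ side.
        (ipaddress.ip_network("192.0.2.0/24"), "eth_int", None),
        # Default route via the upstream router.
        (ipaddress.ip_network("0.0.0.0/0"), "eth_ext", UPSTREAM),
    ]
    if with_host_route:
        # Host route to A.B.C.x on the external interface (no gateway).
        # External interface is A.B.C.y/32, so this is its only on-link route.
        routes.append((ipaddress.ip_network("192.0.2.1/32"), "eth_ext", None))
    return routes


def egress(dst, with_host_route=True):
    """Longest-prefix match; returns (interface, address the gateway ARPs for)."""
    routes = route_table(with_host_route)
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _prefix, iface, via = max(matches, key=lambda r: r[0].prefixlen)
    if via is None:
        return iface, str(dst)          # on-link: ARP for the destination itself
    # A gateway route only works if its next hop is itself on-link somewhere;
    # the interface chosen for the next hop is the one the packet leaves on.
    via_iface, via_hop = egress(str(via), with_host_route)
    if via_hop != str(via):
        raise LookupError(f"next hop {via} is not on-link")
    return via_iface, str(via)


if __name__ == "__main__":
    for dst in ("192.0.2.1", "192.0.2.50", "198.51.100.7"):
        print(dst, "with /32:", egress(dst), " without:", egress(dst, False))
```

Without the host route, both the upstream router and all default-routed traffic resolve to eth_int, so the gateway would ARP for A.B.C.x on the DMZ segment and never reach it.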