Re: NAT with iptables / linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 1 Feb 2006, kelly wrote:

> I'm not sure if I'm addressing your question or
> not, but I'll take a stab at what I *_think_*
> you're referring to.
>
> The secondary IP address is a way of telling an
> interface to accept (and send) packets on more
> than one IP segment.  It's the iproute2 utilities'
> way of doing the same thing as the ifconfig option
> with the colon (sub-interface).
>
> 	i.e.
> 	eth0
> 	eth0:1
>
> For instance, if you have a private IP segment
> (RFC 1918) between the firewall and the border
> router (the border router connects your network to
> the Internet in this case) -- i.e., 10.x.x.x --.
> This private segment cannot be advertised to the
> Internet.
>
> Therefore you can add a secondary IP address to
> the firewall's ethernet interface.  The secondary
> IP address is a public IP that *_CAN_* be
> advertised to the Internet.  This same IP is the
> IP you want to create a *_STATIC NAT_* to.  Be
> aware this is not a *_PAT_* (Port Address
> Translation).
>
> The difference between a *_Static NAT_* and a
> *_PAT'd NAT_* is important.  The Static NAT allows
> hosts from the *_OUTSIDE_* (i.e., the Internet) to
> establish a connection to the NAT'd host.  Whereas,
> with a *_PAT_*, the outside hosts *_CANNOT_*
> establish connections (to a PAT'd host).
>
> So the Internet border router needs to advertise
> the NAT IP (or the network containing the NAT IP)
> to the Internet. But it also has to have a route
> that sends all traffic destined for that NAT IP
> (or network) to the firewall's interface.  This
> can be a static route.


Thanks Kelly, I get all that. I'm having trouble with the single additional parameter to the ip add command. I presently have my public NAT side set on the external interface with ip add commands *lacking* the "secondary" parameter, thus they show as additional global addresses. What is the gain or rationale for the "secondary" parameter in the ip add command syntax? The man page for ip does not give enough info for me to determine the significance of the parameter to the command syntax. Hope I'm clear enough in trying to state this.


Basically, what is the difference between using the ip add command with and without the "secondary" param?

Thanks,

Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD4TRpst+vzJSwZikRAlugAKC9KdZJqUTZwyudOv6u3tZrgqS3IQCdFlOU
QCs+Vbst9McTGLSYp5UhqDk=
=Qydo
-----END PGP SIGNATURE-----
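The setup Kelly describes and Ron is configuring, written out as an added example (this is not code from either message or from the netfilter project): the public NAT address added as a second address on the firewall's external interface, the iptables rules for a static (1:1) NAT next to the rules for a PAT/masquerade, the static route the border router needs, and a small check that tells the two apart in an iptables-save dump. All addresses and the interface name are assumptions: 10.255.0.0/30 as the private transit segment to the border router, 203.0.113.10 (documentation range) as the public NAT address, 10.0.0.10 as the inside host, eth0 as the external interface. The functions print the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the thread). Static NAT vs PAT on an iptables
# firewall whose external interface carries an RFC 1918 transit address as
# its primary and the public NAT address as an additional address.
# Assumed addresses/interface: see the variables below.

EXT_IF=eth0
TRANSIT_ADDR=10.255.0.2/30      # firewall's address on the private transit segment
PUBLIC_IP=203.0.113.10          # public address that is static-NAT'd to the inside host
INSIDE_HOST=10.0.0.10
INSIDE_NET=10.0.0.0/24

# iproute2 equivalent of the old eth0:1 alias: a second address on the same
# interface. The kernel itself flags an address "secondary" (visible in
# `ip addr show`) when it lies in a subnet already configured on the interface;
# a public /32 like this one is a different subnet, so it shows as a plain
# additional global address, which is what Ron is seeing.
addr_cmds() {
    printf 'ip addr add %s dev %s\n' "$TRANSIT_ADDR" "$EXT_IF"
    printf 'ip addr add %s/32 dev %s\n' "$PUBLIC_IP" "$EXT_IF"
}

# Static NAT: a 1:1 mapping in both directions. The PREROUTING DNAT is the
# rule that lets an outside host initiate a connection to the inside host;
# the POSTROUTING SNAT makes the inside host's own outbound traffic leave
# from the same public address.
static_nat_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$PUBLIC_IP" "$INSIDE_HOST"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$EXT_IF" "$INSIDE_HOST" "$PUBLIC_IP"
    # FORWARD is assumed to default to DROP. This accepts every new inbound
    # flow to the DNAT'd host; a real deployment should narrow it with
    # -p tcp --dport <port> so the 1:1 mapping exposes only intended services.
    printf 'iptables -A FORWARD -i %s -d %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$EXT_IF" "$INSIDE_HOST"
    printf 'iptables -A FORWARD -o %s -s %s -j ACCEPT\n' "$EXT_IF" "$INSIDE_HOST"
}

# PAT (many-to-one): outbound only. There is no DNAT, so nothing outside can
# open a connection to a host behind it; conntrack only maps replies back to
# flows that were started from the inside.
pat_rules() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$EXT_IF" "$INSIDE_NET"
    printf 'iptables -A FORWARD -o %s -s %s -j ACCEPT\n' "$EXT_IF" "$INSIDE_NET"
    printf 'iptables -A FORWARD -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$EXT_IF"
}

# The static route the border router needs (in Linux syntax): hand the public
# NAT address to the firewall's transit address, since the public /32 is not
# on any segment the router is directly attached to.
border_route_cmd() {
    printf 'ip route add %s/32 via %s\n' "$PUBLIC_IP" "${TRANSIT_ADDR%/*}"
}

# Check: is a public address reachable from the outside, i.e. does the
# iptables-save dump on stdin hold a PREROUTING DNAT for it? Returns 0 if so.
# Usage: iptables-save | inbound_exposed 203.0.113.10 && echo exposed
inbound_exposed() {
    grep -Eq -- "^-A PREROUTING .*-d ${1}(/32)? .*-j DNAT"
}

# Constructed iptables-save excerpts (not captured from a real host) for
# exercising the check offline.
SAMPLE_STATIC='*nat
-A PREROUTING -i eth0 -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.10
-A POSTROUTING -o eth0 -s 10.0.0.10/32 -j SNAT --to-source 203.0.113.10
COMMIT'
SAMPLE_PAT='*nat
-A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
COMMIT'

# Print everything for review; nothing here is applied to the running system.
addr_cmds; static_nat_rules; pat_rules; border_route_cmd
```

One operational caveat on additional addresses: when the kernel does classify an address as secondary (same subnet as an existing primary), deleting the primary also removes its secondaries unless the sysctl net.ipv4.conf.<if>.promote_secondaries is set to 1, so a NAT address that depends on a primary in the same subnet can vanish with it.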

