On Wed, 2002-12-18 at 15:11, Blars Blarson wrote:
> In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
> >create a second DMZ, but that would cost me the lost of three ip's, so
> >I'm trying to figure out ways to isolate him without putting it in
> >another subnet.
> 
> There's no need to use extra IPs just to set up another subnet.  Just
> use the same IP on multiple interfaces of your firewall, and with proxy
> arp routing nothing but your firewall needs to know the details.  The
> only thing I've found with broken assumptions about how IP works is DHCPD,
> so your firewall will need a real IP for each segment it acts as a DHCP
> server for.  The ip command is your friend, it allows much finer-grained
> control than the commands it replaces.
Just to make sure I understand before I dive into the iproute howto, do
you mean I can give 2 interfaces on my firewall the same ip, one is
connected directly to that host, the other to a switch, and only have to
set up things in the firewall?

> 
> I've got a /24 split haphazardly into six subnets.  The routing table
> on the firewall is something like 50 entries just for that /24, but
> none of the other systems know the details -- they just arp and send.
> (Even if I renumbered this beast, the routing table wouldn't be tiny,
> there are over 200 hosts unevenly split between the segments.)
> 
> -- 
> Blars Blarson                 [EMAIL PROTECTED]
>                               http://www.blars.org/blars.html
> "Text is a way we cheat time." -- Patrick Nielsen Hayden

thanx
-- 
Haim
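The proxy ARP layout Blars describes, written out as an added example (not from either poster): the firewall's DMZ address sits on both interfaces, the isolated host gets a /32 host route on its own cable, and proxy_arp on both sides answers ARP so neither the host nor the rest of the /24 needs renumbering. All addresses and interface names (192.0.2.0/24, 192.0.2.1, eth1 for the switch, eth2 for the isolated host 192.0.2.50) are assumptions; the script emits the plan as one command per line so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout:
#   DMZ_NET   192.0.2.0/24  the existing DMZ
#   FW_IP     192.0.2.1     firewall's DMZ address, reused on both interfaces
#   DMZ_IF    eth1          cable to the DMZ switch
#   ISO_IF    eth2          direct cable to the host being isolated
#   ISO_HOST  192.0.2.50    that host, keeping its old address and /24 mask
DMZ_NET=192.0.2.0/24
FW_IP=192.0.2.1
DMZ_IF=eth1
ISO_IF=eth2
ISO_HOST=192.0.2.50

# Emit the configuration without running it. eth2 only gets a /32 and a host
# route, so every other 192.0.2.x destination is reached via eth1; proxy_arp
# makes the firewall answer ARP for the host on eth1 and for the rest of the
# /24 on eth2. Because the two segments now meet in the FORWARD chain, the
# isolated host's traffic to the DMZ can be filtered; the last two rules
# let it answer connections but not open new ones.
# Caveat from the thread: if the firewall serves DHCP on eth2, give eth2 a
# real address of its own instead of the shared one.
proxy_arp_plan() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip addr replace $FW_IP/24 dev $DMZ_IF
ip addr replace $FW_IP/32 dev $ISO_IF
ip route replace $ISO_HOST/32 dev $ISO_IF
sysctl -w net.ipv4.conf.$DMZ_IF.proxy_arp=1
sysctl -w net.ipv4.conf.$ISO_IF.proxy_arp=1
iptables -A FORWARD -i $ISO_IF -o $DMZ_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ISO_IF -o $DMZ_IF -j DROP
EOF
}

# Apply the plan line by line (needs root on the firewall).
apply_plan() {
    proxy_arp_plan | while read -r cmd; do sh -c "$cmd"; done
}
```

Run `proxy_arp_plan` first and check the host route is the only on-link entry for eth2 before calling `apply_plan`.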
