> -----Original Message-----
> From: mouss [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 6 July 2000 8:45 PM
> To: Ben Nagy; 'Rodney Dunham'; [EMAIL PROTECTED]
> Subject: RE: RH linux 6.1, IPCHAINS woes
> 
> 
> At 09:37 06/07/00 +0930, Ben Nagy wrote:
> >I'm not an IPChains guru by any stretch of the imagination, but...
> 
> Nor am I, I have to confess!

And here I was earlier complaining about the blind leading the blind. I
should take my own advice...

[me] 
> >I suspect the problem lies with the RedHat box not knowing to answer ARP
> >queries for the IP address it's providing a NAT mapping for.
[snip] 
[mouss]
> I don't think ARP is needed here. For external hosts, there should be an
> explicit route that at some time arrives on the firewall. Then the packets
> should be translated by this FW. So no one needs to know the MAC address
> corresponding to the second address.
> ARP would only be needed in a situation like when the FW protects hosts
> using addresses that are in the same network as those of other hosts. But
> this should be a rare situation.
> Note that this is just an opinion, so I am ready to throw it away for no
> money as soon as somebody convinces me that it is unfounded....   ;-)

OK, I think one of us is misunderstanding this situation. The problem I have
had before is this: An external router is connected to the outside and the
DMZ. The firewall is connected to the DMZ and the inside. Yes, the router
knows how to get to the inside network via the firewall. IP addresses in the
DMZ, however, are "directly connected" - there is no route for them. The
router expects to be able to get to those hosts via ARP and MAC. In other
words, it expects to be able to drop the packets onto the wire and have them
get taken care of. If the firewall is maintaining a NAT mapping for an IP
address that is not directly bound to an interface (ie NOT the firewall's
own IP address) then it needs to remember to respond to ARP requests for
this IP address.

You can't solve this problem with routing unless you have something like the
"fake" NAT mappings being in a different network, which is not what we were
talking about (as far as I could see).

Does that make more sense?

[snip]

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
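The routing-versus-ARP distinction Ben describes, as an added Python model (not code from the thread or from either poster): the router does a longest-prefix lookup, and a destination on its directly connected DMZ makes it ARP for that address itself, so a NAT'd DMZ address only gets traffic if the firewall answers ARP for it, while a NAT pool in a separate network reached by a route needs no ARP at all. The topology and addresses below are constructed.

```python
import ipaddress

# Constructed topology, not taken from the thread: the external router and the
# firewall share the DMZ subnet; the inside network is reached via the firewall.
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")
FW_DMZ_IP = ipaddress.ip_address("203.0.113.1")   # address bound to the firewall's DMZ interface
NAT_IP = ipaddress.ip_address("203.0.113.10")    # "fake" DMZ address the firewall NATs
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")
ROUTED_NAT_NET = ipaddress.ip_network("198.51.100.0/24")  # NAT pool in a separate network

# Router routes: (prefix, next hop); next hop None means "directly connected".
ROUTER_ROUTES = [(DMZ_NET, None), (INSIDE_NET, FW_DMZ_IP), (ROUTED_NAT_NET, FW_DMZ_IP)]


class Firewall:
    """Models which IPs the firewall will answer ARP requests for on the DMZ wire."""

    def __init__(self, dmz_ip, nat_ips, proxy_arp):
        self.dmz_ip = dmz_ip
        self.nat_ips = set(nat_ips)
        self.proxy_arp = proxy_arp  # whether it publishes ARP entries for NAT'd addresses

    def answers_arp_for(self, ip):
        if ip == self.dmz_ip:        # its own interface address is always answered
            return True
        return self.proxy_arp and ip in self.nat_ips


def arp_target(dst, routes=ROUTER_ROUTES):
    """Longest-prefix match on the router; returns the IP the router must ARP for."""
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    if best is None:
        return None
    return dst if best[1] is None else best[1]   # directly connected: ARP for dst itself


def deliver(dst, fw, routes=ROUTER_ROUTES):
    """'delivered' if someone on the DMZ answers the router's ARP request, else 'dropped'."""
    target = arp_target(ipaddress.ip_address(dst), routes)
    if target is None:
        return "no route"
    return "delivered" if fw.answers_arp_for(target) else "dropped"
```

On a Linux firewall the missing piece is a published (proxy) ARP entry for the NAT'd address, classically `arp -Ds <nat-ip> <iface> pub`, or `ip neigh add proxy <nat-ip> dev <iface>` on newer systems.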