> > > " Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO) "
> >
> > YES - This is a traditional "routed" DMZ...your ISP routes a block of IPs
> > to the external interface of your firewall
> >
> > PROXY - A "Proxy-ARP" DMZ...used if you've got a block of static IPs from
> > your ISP.  The firewall essentially "glues together" two identical network
> > segments, allowing your DMZ systems to be configured with public IPs (just
> > like they were connected directly to your upstream modem), but still having
> > the protection of a firewall.
>
> pn] I'm not sure I understand the distinction.  If both use public IPs
> for the DMZ machines, and in both cases traffic comes/goes through the
> external router/firewall interface, what makes each different from the
> other?  Maybe a small example would help.
Routed DMZ:

                  ISP router
     Static routes 2.2.2.0/24 to 1.1.1.2
                  1.1.1.1/30
                      |
           Upstream link (1.1.1.0/30)
                      |
                  1.1.1.2/30
                   Firewall
                  2.2.2.1/24
                      |
            DMZ Network (2.2.2.0/24)
                      |
                 DMZ systems...

Proxy-ARP DMZ:

                  ISP router
                  3.3.3.1/29
                      |
           Upstream link (3.3.3.0/29)
                      |
                  3.3.3.2/29
          Firewall - Proxy-arp enabled
                  3.3.3.2/29
                      |
            DMZ Network (3.3.3.0/29)
                      |
                 DMZ systems...

Note that a routed DMZ has *TWO* separate subnets: the one linking your
FW/router with the ISP, and the subnet the ISP routes to you for your local
systems.  The Proxy-ARP DMZ only has *ONE* subnet, with several usable IPs,
typical of cable-modem and xDSL connections with multiple static IPs.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
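The two diagrams above differ only in how many subnets the firewall sits between. The following script is an added example, not code from the post or from the LEAF project: it takes the ISP router address and the firewall's upstream and DMZ interface addresses (CIDR strings, as in the diagrams), decides whether the design is a routed DMZ (two subnets) or a Proxy-ARP DMZ (one subnet), and derives what each side has to provide for it to work: the static route the ISP must install in the routed case, the proxy-ARP requirement in the single-subnet case, and which DMZ addresses are actually free for hosts. It also rejects the half-way configuration where the two prefixes overlap without being identical, which is the usual way a Proxy-ARP setup goes wrong. It uses only Python's standard `ipaddress` module; the function names and the returned dictionary keys are this example's own.

```python
import ipaddress


def classify_dmz(upstream_if: str, dmz_if: str) -> str:
    """Return 'routed' when the upstream link and the DMZ are distinct
    subnets, or 'proxy-arp' when the firewall carries the same prefix on
    both sides.  Overlapping-but-different prefixes are a misconfiguration."""
    up = ipaddress.ip_interface(upstream_if)
    dmz = ipaddress.ip_interface(dmz_if)
    if up.network == dmz.network:
        return "proxy-arp"
    if up.network.overlaps(dmz.network):
        raise ValueError(f"{up.network} and {dmz.network} overlap but differ")
    return "routed"


def plan_dmz(isp_router: str, upstream_if: str, dmz_if: str) -> dict:
    """Describe what the ISP and the firewall must each do for the chosen
    DMZ type, and list the DMZ addresses left over for hosts."""
    kind = classify_dmz(upstream_if, dmz_if)
    up = ipaddress.ip_interface(upstream_if)
    dmz = ipaddress.ip_interface(dmz_if)
    isp = ipaddress.ip_address(isp_router)
    if isp not in up.network:
        raise ValueError(f"ISP router {isp} is not on the upstream link {up.network}")

    # Addresses that are never free for DMZ hosts: the firewall's own
    # addresses and the ISP gateway (the latter only matters when the DMZ
    # shares the upstream subnet).
    taken = {up.ip, dmz.ip, isp}
    usable = [str(h) for h in dmz.network.hosts() if h not in taken]

    plan = {
        "kind": kind,
        "subnets": sorted({str(up.network), str(dmz.network)}),
        "usable_dmz_hosts": usable,
        "firewall_default_route": f"default via {isp}",
    }
    if kind == "routed":
        # The ISP must point the whole DMZ block at the firewall's
        # upstream address; the firewall just routes between its interfaces.
        plan["isp_static_route"] = f"{dmz.network} via {up.ip}"
        plan["proxy_arp"] = False
    else:
        # Nothing to route at the ISP: the firewall answers ARP for the DMZ
        # hosts on the upstream side and forwards between the two halves.
        plan["isp_static_route"] = None
        plan["proxy_arp"] = True
    return plan


if __name__ == "__main__":
    # The two topologies from the diagrams above.
    for args in (("1.1.1.1", "1.1.1.2/30", "2.2.2.1/24"),
                 ("3.3.3.1", "3.3.3.2/29", "3.3.3.2/29")):
        p = plan_dmz(*args)
        print(f"{p['kind']:9s} subnets={p['subnets']} "
              f"isp_route={p['isp_static_route']} proxy_arp={p['proxy_arp']} "
              f"free_hosts={len(p['usable_dmz_hosts'])}")
```

Run as-is it reports the routed design with two subnets and an ISP static route for 2.2.2.0/24, and the Proxy-ARP design with one subnet, no ISP route, and four free host addresses (3.3.3.3 through 3.3.3.6, since .1 is the ISP router and .2 the firewall). Feeding it a /30 on the upstream side and a /29 on the DMZ side of the same block raises an error instead of silently producing a plan.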
