On Sunday 22 February 2004 09:15 am, Robert K Coffman Jr - Info From Data Corporation wrote:
> I've been poring through the docs and archives but can't seem to find the
> answer to these.
>
> I've got a setup similar to Tom's 3 interface example, but with public IPs
> in the DMZ and proxy arp set to allow access to them.
>
> Question 1: If I want to firewall all but the necessary public services
> from the DMZ machines, should I be using SNAT rather than proxy arp? I
> guess I don't understand how shorewall interacts with proxy arp'ed machines
> if at all.
Proxy ARP adds an entry to the firewall's ARP cache and optionally adds a route to the host through your DMZ interface. That in no way alters the fact that traffic to/from the machines in your DMZ is governed by normal Shorewall rules/policies. Have you looked at my configuration (http://www.shorewall.net/myfiles.htm)? It uses Proxy ARP for the DMZ.

> Question 2: If using proxy arp, should clients on the internal network be
> able to access the DMZ machines by their public IP?

If your rules/policies permit it, yes. If you looked at my configuration, you may have noticed that I use one-to-one NAT to allow access to my DMZ by an internal network address -- that is simply for convenience when I'm on the road and connected using VPN.

> Question 3: There is a public IP address that has a different gateway than
> the block of IP addresses currently in the DMZ. If I use SNAT with that
> IP, is there any way to specify a different gateway? I'm struggling to
> understand this part so if this makes no sense please ignore it.

You're going to have to give us specifics before we can understand the question.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
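Example configuration added here to illustrate the point in Tom's answer to Questions 1 and 2; it is not from the original post and not Tom's own myfiles configuration. The proxyarp file only publishes the DMZ hosts' addresses on the external interface and adds host routes to them through the DMZ interface; which connections those hosts may accept or initiate is decided entirely by the policy and rules files, exactly as for any other zone. The zone names, interface names (eth0 external, eth1 internal, eth2 DMZ), the 192.0.2.0/24 addresses and the column layout (that of the Shorewall 1.4 sample files current in early 2004) are assumptions.

```text
# /etc/shorewall/zones        (ZONE  DISPLAY  COMMENTS)
net     Net     Internet
loc     Local   Internal network
dmz     DMZ     Public hosts reached via Proxy ARP

# /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS)
net     eth0    detect
loc     eth1    detect
dmz     eth2    detect

# /etc/shorewall/proxyarp     (ADDRESS  INTERFACE  EXTERNAL  HAVEROUTE)
# Each line publishes an ARP entry for the DMZ address on eth0 and, with
# HAVEROUTE=No, adds a host route to it via eth2.  Nothing here filters.
192.0.2.10      eth2    eth0    No
192.0.2.11      eth2    eth0    No

# /etc/shorewall/masq         (INTERFACE  SUBNET  ADDRESS)
# Only the internal (private) network is SNATed; eth2 is deliberately
# absent because the DMZ hosts already own public addresses.
eth0            eth1

# /etc/shorewall/policy       (SOURCE  DEST  POLICY  LOG LEVEL)
# Default-deny in and out of the DMZ; the rules file punches the holes.
loc     net     ACCEPT
dmz     net     ACCEPT
net     dmz     DROP    info
loc     dmz     DROP    info
dmz     loc     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules        (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# Question 1: from the Internet, only the services each DMZ host offers.
ACCEPT  net     dmz:192.0.2.10  tcp     80
ACCEPT  net     dmz:192.0.2.10  tcp     443
ACCEPT  net     dmz:192.0.2.11  tcp     25
ACCEPT  net     dmz             icmp    8
# Question 2: internal clients reach the DMZ by its public addresses
# only where a rule allows it (here: the web server, plus SSH to any host).
ACCEPT  loc     dmz:192.0.2.10  tcp     80
ACCEPT  loc     dmz:192.0.2.10  tcp     443
ACCEPT  loc     dmz             tcp     22
```

Because the DMZ addresses are routed, not translated, SNAT is not needed for them; it is only the private internal network on eth1 that the masq entry rewrites. If a connection from the internal network to 192.0.2.10 is refused, the place to look is the loc->dmz policy and rules, not the proxyarp file.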
