Charles Steinkuehler wrote:
Ryan Rich wrote:
By the way, the private ip address does work as the address for eth1, but per your advice I will change this to the same addresses I used for the eth0 interface if this is a more commonly accepted practice.
If it works as a private IP, you don't have to change it, but you can create some pretty confusing traffic on the network if you don't.
Charles,
I'm sure that Ryan got the idea of using a private IP address on the DMZ interface from my documentation. I recommend using an RFC 1918 address on Proxy ARP DMZ configurations because people tend to use their distribution's GUI to do IP configuration and many of those "Wizards" become confused if there are duplicate IP addresses. I agree that for users (including Bering users) who have explicit control over IP addressing through direct editing of config files, using the external IP address is preferred (it is what I do in fact -- http://shorewall.net/myfiles.htm). The only place where the private address is used is on fw<->dmz traffic. I ran with an RFC 1918 address on my firewall's DMZ interface for several years and only changed after I installed Debian on the firewall.
Ah...thanks for the info. I've never set up a system like this, and it seemed confusing to me. Now that you mention it, I recall seeing a setup like that in your documentation, getting confused by it, and going ahead and implementing proxy-arp pretty much the way I had it set up on my old Dachstein firewall (I break a single block of IPs into 4 separate proxy-arp'd DMZ networks all firewalled from each other and the internet). This seemed to work well, as the proxy-arp stuff is just routing tables (i.e. outside shorewall's domain), and shorewall was flexible enough for me to generate appropriate firewall rules.
One question: When you're running with just a private address for the DMZ interface, how does masqueraded traffic from an internal net show up on the DMZ? It seems like it would have the private IP of the firewall. Is that the case?
I would have thought that would cause problems (particularly if all systems are paranoid about route filtering, martian packets, etc), but it sounds like it worked OK. Thinking about it, I guess you'd probably be all right as long as the firewall system was always in the default route path for the DMZ machines, and the kernel's proxy-arp handling stays the same...
-- Charles Steinkuehler [EMAIL PROTECTED]
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
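The two points the thread turns on (a masqueraded packet leaves with the address of the firewall's outgoing interface, so DMZ hosts see the firewall's RFC 1918 DMZ address, and a strict reverse-path filter on a DMZ host only accepts that packet if the host's route back to the source leaves through the same interface the packet arrived on) can be checked with a small routing-table simulation. This is an added example, not code from the thread, Shorewall or LEAF; the topology, interface names and addresses (RFC 5737 documentation ranges for the public side) are constructed for illustration, and the proxy-ARP'd DMZ host is modelled as a host route through the DMZ interface.

```python
import ipaddress

# Constructed firewall topology (assumed, not taken from the thread):
#   eth0  external   203.0.113.10/24, default route out this interface
#   eth1  DMZ        192.168.100.1/24  (RFC 1918 address on the DMZ interface)
#   eth2  internal   10.0.0.1/24
# The DMZ host 203.0.113.50 carries a public address from the external block and
# is reached by proxy ARP; a /32 host route through eth1 models that here.
FIREWALL_ROUTES = [
    # (destination network, outgoing interface, address of that interface)
    (ipaddress.ip_network("203.0.113.0/24"), "eth0", ipaddress.ip_address("203.0.113.10")),
    (ipaddress.ip_network("203.0.113.50/32"), "eth1", ipaddress.ip_address("192.168.100.1")),
    (ipaddress.ip_network("192.168.100.0/24"), "eth1", ipaddress.ip_address("192.168.100.1")),
    (ipaddress.ip_network("10.0.0.0/24"), "eth2", ipaddress.ip_address("10.0.0.1")),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0", ipaddress.ip_address("203.0.113.10")),
]

# Constructed single-homed DMZ host: one interface, default route out of it.
DMZ_HOST_ROUTES = [
    (ipaddress.ip_network("203.0.113.0/24"), "eth0", ipaddress.ip_address("203.0.113.50")),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0", ipaddress.ip_address("203.0.113.50")),
]

# Constructed dual-homed DMZ host that also has a direct link to 192.168.100.0/24
# on a second interface, so its route back to the firewall's DMZ address differs.
DUAL_HOMED_DMZ_HOST_ROUTES = DMZ_HOST_ROUTES + [
    (ipaddress.ip_network("192.168.100.0/24"), "eth1", ipaddress.ip_address("192.168.100.50")),
]


def lookup(routes, dst):
    """Longest-prefix match over a routing table; returns (interface, interface address)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, ifname, addr in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, addr)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def masquerade(routes, src, dst):
    """MASQUERADE semantics: the forwarded packet's new source is the address of
    whichever interface the route lookup for dst selects. Returns (interface, new source)."""
    ifname, ifaddr = lookup(routes, dst)
    return ifname, str(ifaddr)


def rp_filter_accepts(host_routes, src, arrived_on):
    """Strict reverse-path filtering as a receiving host applies it: the packet is
    accepted only if the host's route back to src leaves through arrived_on."""
    try:
        ifname, _ = lookup(host_routes, src)
    except LookupError:
        return False
    return ifname == arrived_on


if __name__ == "__main__":
    # Internal host talking to the DMZ host: leaves eth1 with the private DMZ address.
    print(masquerade(FIREWALL_ROUTES, "10.0.0.5", "203.0.113.50"))
    # Same internal host talking to the internet: leaves eth0 with the public address.
    print(masquerade(FIREWALL_ROUTES, "10.0.0.5", "198.51.100.7"))
    # Does the DMZ host accept the packet from 192.168.100.1 arriving on eth0?
    print(rp_filter_accepts(DMZ_HOST_ROUTES, "192.168.100.1", "eth0"))
    print(rp_filter_accepts(DUAL_HOMED_DMZ_HOST_ROUTES, "192.168.100.1", "eth0"))
```

The single-homed DMZ host accepts the packet from the firewall's private DMZ address because its only route back to anything is the default route out of the same interface, which is exactly the condition stated in the message above (the firewall stays in the default route path of the DMZ machines); the dual-homed variant shows the case where a strict reverse-path filter would drop it, and return traffic from the DMZ host to 192.168.100.1 is then also misrouted.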
