You don't need to specify the ARP on the firewall if you manage to forward the traffic from your router to the firewall interface which is responsible for SNAT and DNAT. The firewall will take care of translation from there.
Subodh

--- Malcolm Turnbull <[EMAIL PROTECTED]> wrote:
>
> The other day I tried to replace an old checkpoint firewall with a linux
> / iptables (mandrake 8.2)...
> And could not get DNAT / SNAT to work ....
>
> i.e. the firewall's internet access was A OK but packets to my 16 real IP
> addresses wouldn't get through....
>
> Scratching my head I went home and set up a test network router /
> firewall / client patched onto two different hubs...
>
> After a long while I figured that I needed to define all 16 real IPs on
> the external interface of the firewall (in order to respond to ARPs) and
> then everything started working fine!
>
> The thing is I can use either a checkpoint or a straight NT firewall (on
> different boxes) with my ISP's router (with no need to mess around with ARP)
> but if I use a linux box I DO need to sort out the ARP.
>
> Am I just being thick?
>
> The reason I don't really want to ARP the external addresses from the
> firewall is that I would eventually like to use Heartbeat to fail over to
> another box...
> And I'd end up with two firewalls on the same subnet both claiming to
> want the 16 real IPs. Does anyone have links for heartbeat / iptables
> setups?
>
> Any help appreciated.
>
> Ps. Great work on netfilter.
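As an added example (not code from either poster), the setup Subodh describes: 1:1 DNAT/SNAT for a block of 16 real addresses that the ISP router routes to the firewall's external address, so the firewall answers ARP only for its own interface address. All addresses and the interface name are constructed assumptions; the `arp_claim` function is the fallback for the non-routed case Malcolm hit, where the firewall must own the addresses itself (and which a Heartbeat pair would have to hand over on failover).

```shell
# Constructed addresses: public block 203.0.113.16/28 (16 real IPs),
# firewall external address 203.0.113.2 on eth0, internal hosts 192.168.1.100+.
# With the router holding "203.0.113.16/28 via 203.0.113.2", nothing below
# needs an ARP entry for the 16 addresses; only 203.0.113.2 is ever ARPed for.
EXT_IF=eth0
PUBLIC_BASE=203.0.113      # first three octets of the public block
PUBLIC_START=16            # 203.0.113.16 .. 203.0.113.31
INT_BASE=192.168.1         # internal host i lives at 192.168.1.(100+i)
DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands, 0 = run them as root

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# 1:1 NAT for one public/private pair: DNAT inbound, SNAT outbound.
nat_pair() {
    pub=$1; priv=$2
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" -j DNAT --to-destination "$priv"
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" -j SNAT --to-source "$pub"
}

# NAT rules for all 16 addresses of the /28.
nat_block() {
    i=0
    while [ "$i" -lt 16 ]; do
        nat_pair "$PUBLIC_BASE.$((PUBLIC_START + i))" "$INT_BASE.$((100 + i))"
        i=$((i + 1))
    done
}

# Forwarding policy: only replies and the DNATed new connections get through.
forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -d "$INT_BASE.0/24" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -o "$EXT_IF" -s "$INT_BASE.0/24" -j ACCEPT
}

# Fallback when the router does NOT route the block but expects the 16 IPs on
# its own segment: the firewall must own them so it answers ARP. Not needed
# for a routed block, and the part that fights a second firewall on failover.
arp_claim() {
    i=0
    while [ "$i" -lt 16 ]; do
        run ip addr add "$PUBLIC_BASE.$((PUBLIC_START + i))/32" dev "$EXT_IF"
        i=$((i + 1))
    done
}

run sysctl -w net.ipv4.ip_forward=1   # sh nat.sh prints; DRY_RUN=0 applies
nat_block
forward_rules
```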
