On Mon, 20 May 2002, Malcolm Turnbull wrote:

> The other day I tried to replace an old checkpoint firewall with a linux
> / iptables (mandrake 8.2)...
> And could not get DNAT / SNAT to work ....
>
> i.e. Firewalls internet access was A OK but packets to my 16 real IP
> addresses wouldn't get through....
>
> Scratching my head I went home and set up a test network router /
> firewall / client patched onto two different hubs...
>
> After a long while I figured that I needed to define all 16 real IPs on
> the external interface of the firewall (in order to respond to ARPs) and
> then everything started working fine !

FWIW - The Checkpoint firewall also needs this to be defined. On Solaris at
least this is done by assigning static host 'routes' that let the OS know it
should ARP on the outside interface for those addresses. On NT this is part
of the FW-1 setup. No difference in Linux.

> The thing is I can use either a checkpoint or a straight NT firewall (on
> different boxes) with my ISP's router ( with no need to mess around with ARP)
> but if I use a linux box I DO need to sort out the ARP.

Nope - You do need to do it on the FW-1 box (or any other firewall I have
seen) as well. It just may not look like you are doing the same type of
work. NetFilter (correctly) differentiates between the Security Domain and
the Networking Domain. And it does require you to be conversant in both.

> Am I just being thick ?
>
> The reason I don't really want to ARP the external addresses from the
> firewall is that I would eventually like to use Heartbeat to failover to
> another box...
> And I'd end up with two firewalls on the same subnet both claiming to
> want the 16 real IPs. Does anyone have links for heartbeat / iptables
> setups ?

That is a whole different story (the failover stuff). I will let those who
do that be verbose on the subject...

> Any help appreciated.
>
> Ps. Great work on netfilter.

I agree. And getting better...

--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250 x101
Email: [EMAIL PROTECTED]
WWW: http://www.paktronix.com
--------------------------------------------------
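One way to script the fix Malcolm describes, as an added example that is not code from the thread: for every public address the Linux box NATs, the address is put on the external interface (so the kernel answers the upstream router's ARP for it) alongside the DNAT/SNAT rules, since the nat table alone never makes the kernel claim an address. The interface name, the 203.0.113.0/24 public addresses, the mapping format and the use of the `ip` tool (rather than ifconfig aliases on a Mandrake 8.2 box) are assumptions.

```shell
# Added example, not from the thread. Interface name, the 203.0.113.0/24
# public addresses and the mapping format are constructed assumptions.
# Usage (as root): gen_nat_rules eth0 "$SAMPLE_MAP" | sh

# Constructed sample mapping: "public_ip private_ip" per line.
SAMPLE_MAP='203.0.113.10 192.168.1.10
203.0.113.11 192.168.1.11'

# Emit, for each mapping, the address assignment plus the NAT rules.
gen_nat_rules() {
    ext_if=$1
    map=$2
    printf '%s\n' "$map" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        # 1. Put the public address on the external interface. Without it the
        #    kernel never answers the upstream router's ARP request for that
        #    address, so the DNAT rule below never sees a packet.
        echo "ip addr add ${pub}/32 dev ${ext_if}"
        # 2. Inbound: rewrite the destination to the internal host.
        echo "iptables -t nat -A PREROUTING -i ${ext_if} -d ${pub} -j DNAT --to-destination ${priv}"
        # 3. Outbound: rewrite the source so the host appears as its public address.
        echo "iptables -t nat -A POSTROUTING -o ${ext_if} -s ${priv} -j SNAT --to-source ${pub}"
    done
}

# Check: is the address configured on the interface (i.e. will the kernel
# answer ARP for it)? Returns 0 if yes, 1 otherwise (also 1 if ip is absent).
owns_address() {
    ip -4 addr show dev "$1" 2>/dev/null | grep -qF " inet $2/"
}

# Number of commands the generator emits (three per mapping).
rule_count() {
    gen_nat_rules "$1" "$2" | wc -l | tr -d ' '
}
```

Running `owns_address eth0 203.0.113.10` after applying the output is the quick check that the box will actually respond to ARP for a given public address.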
