On Sat, 2007-03-10 at 19:29 -0700, Michael Torrie wrote:
> Having said that, you are right about using real IP addresses. In fact,
> NATting a subnet in the way I have suggested is almost exactly the same
> as using real IP addresses. The only difference here is that the DMZ
> hosts wish to appear on two different subnets at one time. That adds
> routing complexities and a greater chance of allowing a host to do
> something it shouldn't do. In effect you have to have twice as many
> firewall rules.
Sorry about the parse errors. What that paragraph means to say is that not using NAT, but doing the proxy ARP trickery that Hans is using, can result in a situation where, since the host has two actual IP addresses without NAT, you need twice as many firewall rules to make the DMZ: one set to govern the public IP address access and another to govern the traffic to and from the rest of the private hosts. Further, if your private hosts are on the same private subnet as the DMZ hosts, then you don't have a DMZ at all anymore, and you've now exposed your entire network through that server should it get compromised.

Michael

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
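As an added illustration of the two designs contrasted above (example code, not from the thread or from PLUG), a small Python model over two constructed topologies: it reports which private hosts a DMZ host can reach on-link, without the traffic ever crossing the firewall, and how many per-address rule sets the firewall has to carry for each DMZ host. Host names and addresses are made up for the example.

```python
import ipaddress

# Constructed topology 1, the proxy-ARP design: the DMZ host carries a real
# public address plus a private address, and shares the private subnet
# with the LAN hosts.
PROXY_ARP = {
    "networks": ["203.0.113.0/24", "192.168.1.0/24"],
    "hosts": {
        "www":  {"role": "dmz",     "addrs": ["203.0.113.10", "192.168.1.10"]},
        "desk": {"role": "private", "addrs": ["192.168.1.50"]},
        "file": {"role": "private", "addrs": ["192.168.1.51"]},
    },
}
# Constructed topology 2, the NAT design: the DMZ host has one address on
# its own subnet; the firewall maps the public address to it, so every
# path to the private LAN crosses the firewall.
NAT_DMZ = {
    "networks": ["192.168.2.0/24", "192.168.1.0/24"],
    "hosts": {
        "www":  {"role": "dmz",     "addrs": ["192.168.2.10"]},
        "desk": {"role": "private", "addrs": ["192.168.1.50"]},
        "file": {"role": "private", "addrs": ["192.168.1.51"]},
    },
}

def on_link(a, b, networks):
    """True when both addresses sit in the same L2 subnet, so traffic
    between them is delivered directly and never reaches the firewall."""
    return any(a in n and b in n for n in networks)

def analyse(topology):
    """Return (exposed, rule_sets): private hosts each DMZ host reaches
    on-link, and the number of per-address rule sets the firewall needs."""
    nets = [ipaddress.ip_network(n) for n in topology["networks"]]
    hosts = {name: {"role": h["role"],
                    "addrs": [ipaddress.ip_address(a) for a in h["addrs"]]}
             for name, h in topology["hosts"].items()}
    exposed, rule_sets = {}, {}
    for name, h in hosts.items():
        if h["role"] != "dmz":
            continue
        rule_sets[name] = len(h["addrs"])   # one rule set per real address
        exposed[name] = sorted(
            other for other, o in hosts.items()
            if o["role"] == "private"
            and any(on_link(a, b, nets) for a in h["addrs"] for b in o["addrs"]))
    return exposed, rule_sets
```

With the proxy-ARP layout the DMZ host reaches both private hosts on-link and needs two rule sets; with the NAT layout it reaches none directly and needs one.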
