On Sat, 10 Mar 2007 at 19:40 -0700, Michael Torrie wrote:
> On Sat, 2007-03-10 at 19:29 -0700, Michael Torrie wrote:
> > Having said that, you are right about using real IP addresses. In fact,
> > NATting a subnet in the way I have suggested is almost exactly the same
> > as using real IP addresses. The only difference here is that the DMZ
> > hosts wish to appear on two different subnets at one time. That adds
> > routing complexities and a greater chance of allowing a host to do
> > something it shouldn't do. In effect you have to have twice as many
> > firewall rules.
>
> Sorry about the parse errors. What that paragraph means to say is that
> not using NAT, but doing the proxy ARP trickery that Hans is using, can
> result in a situation where, since the host has two actual IP addresses
> without NAT, you need twice as many firewall rules to make the DMZ. One
> set to govern the public IP address access and another to govern the
> traffic to and from the rest of the private hosts. Further, if your
> private hosts are on the same private subnet as the DMZ hosts, then you
> don't have a DMZ at all anymore, and you've now exposed your entire
> network through that server should it get compromised.
I never said DMZ. A DMZ is an extra complication no matter how you look at it. I don't have extra firewall rules. The LAN is still limited to the LAN side. The public IPs are still only one set of firewall rules. The interaction between public and private is just as simple or complicated as it was - whether it's a deny policy (as NAT would be) with specific holes punched through, or an allow policy with specific ports blocked.

BTW, I didn't end up using any proxy ARP at all. It's all routing, and it's not at all complicated; it's 4 static routes. The Cisco is broken for ICMP from the LAN, but it doesn't make a practical difference.

-- 
Hans Fugal ; http://hans.fugal.net

There's nothing remarkable about it. All one has to do is hit the
right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
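The setup Hans describes, as an added example that is not his configuration and not part of the thread: a Linux router that hands real public addresses to the server subnet by plain routing (no proxy ARP, no NAT for those hosts), masquerades only the private LAN, and carries a single FORWARD rule set. Interface names, the documentation-range addresses, the upstream gateway and the published ports are all assumptions; the four routes Hans actually used are not stated in the thread, so the routes here are simply the ones this layout needs. The one thing the example adds to the discussion is the anti-spoofing check: without NAT, a compromised public host could otherwise send packets with LAN source addresses, so every forwarding rule is keyed on the ingress interface as well as the source network.

```shell
#!/bin/sh
# Added example, not the configuration from the thread. A Linux router with
# three interfaces (all names, addresses and ports below are assumptions):
#   eth0  upstream link; the ISP routes our public block to 198.51.100.2
#   eth1  public hosts on 203.0.113.8/29, real addresses, no NAT
#   eth2  private LAN on 192.168.1.0/24, masqueraded
# Commands are emitted as text so the script runs unprivileged; pipe its
# output into sh as root on the router to apply the configuration.

WAN_IF=eth0; WAN_ADDR=198.51.100.2/30; WAN_GW=198.51.100.1
PUB_IF=eth1; PUB_ADDR=203.0.113.9/29;  PUB_NET=203.0.113.8/29
LAN_IF=eth2; LAN_ADDR=192.168.1.1/24;  LAN_NET=192.168.1.0/24
PUB_PORTS="22 80 443"   # services the public hosts are allowed to expose

gen_routes() {
    # Plain routing, no proxy ARP: the upstream already points the public
    # block at WAN_ADDR, so the router needs only its connected routes (which
    # appear with the addresses), one default route, and forwarding enabled.
    echo "ip addr add $WAN_ADDR dev $WAN_IF"
    echo "ip addr add $PUB_ADDR dev $PUB_IF"
    echo "ip addr add $LAN_ADDR dev $LAN_IF"
    echo "ip route add default via $WAN_GW dev $WAN_IF"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

gen_filter() {
    # One FORWARD policy for everything: deny by default and punch holes.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anti-spoofing: each rule below matches ingress interface AND source.
    # Without NAT a compromised public host could otherwise forge LAN source
    # addresses to slip past rules written only on -s.
    echo "iptables -A FORWARD -i $PUB_IF ! -s $PUB_NET -j DROP"
    echo "iptables -A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP"
    # The LAN may initiate to the Internet and to the public hosts.
    echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT"
    # Public hosts may reach the Internet but never initiate into the LAN.
    echo "iptables -A FORWARD -i $PUB_IF -s $PUB_NET -d $LAN_NET -j DROP"
    echo "iptables -A FORWARD -i $PUB_IF -s $PUB_NET -j ACCEPT"
    # Internet -> public hosts: only the published ports.
    for p in $PUB_PORTS; do
        echo "iptables -A FORWARD -i $WAN_IF -d $PUB_NET -p tcp --dport $p -j ACCEPT"
    done
}

gen_nat() {
    # Only the private LAN is masqueraded; the public hosts keep their own
    # addresses, so there is no second rule set and no double-homed DMZ.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# Number of FORWARD rules the policy needs: one fixed set, independent of
# how many hosts sit in the public block.
count_forward_rules() {
    gen_filter | grep -c 'iptables -A FORWARD'
}

gen_routes
gen_filter
gen_nat
```

Run it unprivileged to review the generated commands; on the router, `sh gen.sh | sh` as root applies them. The ESTABLISHED,RELATED rule is what lets LAN-initiated sessions to the public hosts get their replies back even though the public-to-LAN direction is dropped for new connections.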