Lars Erik Dangvard Jensen wrote:
> Shorewall Guy wrote:
>> Lars Erik Dangvard Jensen wrote:
>>> Hello list
>>>
>>> eth0 is the public interface and eth1 is supposed to be connected to a private lan using proxy arp and nat.
>>>
>>> Is it possible to use eth1 with both proxy arp and nat, or will this cause problems?
>>>
>>> I have proxy arp and nat working on another shorewall, but that's with 4 interfaces (separate proxy arp and nat interfaces).
>> Should work fine.
>
> Ok, the zones dmz1 (NAT) and dmz2 (Proxy ARP) obviously can't be on the same interface unless using parallel or nested zones.
>
> Can the proxy arp zone be a nested zone of the nat zone? Or do I have to use parallel zones?
Proxy arp is a way to trick L2 into sending packets to the router; NAT rewrites IP addresses in the IP header. These are IP-related features that have nothing to do with security. Zones are security objects. So there is no reason to have separate security zones for the two classes of servers. They would be useless anyway since once a server is successfully rooted, the attacker has full access to the other servers on the LAN segment without going through the firewall.

I will warn you that what you are trying to do can be a real PITA to get working if the NAT servers need to communicate with the Proxy ARPed servers or vice versa. In each server, you will need to configure direct routes to the servers of the other type. Split DNS is a must.

Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
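As an added illustration (not from the thread or the Shorewall project), here is a minimal Shorewall layout for the single-zone setup described above: one zone on eth1 carrying both a Proxy ARP host and a one-to-one NAT host, followed by the direct routes each server needs to reach the other type. The zone name `dmz` and all addresses (203.0.113.0/24 public, 192.168.1.0/24 private) are assumptions chosen for the example.

```text
# /etc/shorewall/zones        -- one security zone for the whole eth1 segment
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4

# /etc/shorewall/interfaces   -- both server types hang off eth1
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
dmz     eth1        detect

# /etc/shorewall/proxyarp     -- public-addressed server on eth1;
#                                HAVEROUTE=No lets Shorewall add the host route
#ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
203.0.113.10    eth1        eth0       No          No

# /etc/shorewall/nat          -- one-to-one NAT for the private-addressed server
#EXTERNAL       INTERFACE   INTERNAL        ALL INTERFACES  LOCAL
203.0.113.11    eth0        192.168.1.11    No              No

# /etc/shorewall/policy       -- dmz hosts may not initiate to each other via fw
#SOURCE   DEST   POLICY   LOG LEVEL
net       all    DROP     info
dmz       net    ACCEPT
dmz       fw     DROP     info
all       all    REJECT   info

# Host-side direct routes (run on the servers, not the firewall).
# Both servers share the eth1 L2 segment, so a device route lets them ARP
# for each other directly instead of bouncing through the firewall:
#
#   on the NAT server (192.168.1.11):
#     ip route add 203.0.113.10/32 dev eth0
#
#   on the Proxy ARP server (203.0.113.10):
#     ip route add 192.168.1.0/24 dev eth0
#
# Split DNS: internal resolvers must answer 192.168.1.11 for the NAT
# server's name, while external resolvers answer 203.0.113.11.
```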
