On 8 Sep 2011, at 23:44, Ryan Ferguson wrote:

> Ok, thank you, but I'm not sure that it'll work for this situation, will it?
> I already have three interfaces in the machine because there are two LANs on 
> separate subnets, and some of the servers cannot be located on the DMZ with a 
> public address because they are domain controllers.  Is there a way I can keep 
> the current LAN setups, since some of them are also on Xen machines running on 
> the LAN?
> 

A couple of things come to mind, depending on exactly what you require:

1) If there are hosts in your DMZ that shouldn't be publicly accessible at all 
[!], then add another zone + interface (say srv) and put your DCs (et al.) in 
it. Use the same private block you currently do for your DMZ. Make your DMZ use 
the actual public IP block. Connect both srv and dmz networks to your Xen 
hosts, and set up the interface connections for the guest VMs to use one or the 
other as appropriate.

2) If you don't want to change the IP of the DCs, but they do provide public 
services, you could add a NAT rule for LAN->DMZ so that local machines can reach 
the DC on its old private address, as well as on its public one.

If proxyarp and NAT coexist, then things get a bit ugly if you need those 
machines to talk to each other - because even if you have split-horizon DNS, 
then you'd need to use routeback to get the connection to work. So I would 
strongly recommend avoiding that arrangement.

For (1), if you can't add another physical interface, then you could do it with 
VLAN ones, using the 8021q kernel module. 

- Dominic
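A concrete Shorewall layout for option (1), added here as an example; it is not part of Dominic's message or of the Shorewall project's own documentation. The interface names, the 10.0.2.0/24 private block kept for the srv zone, the 203.0.113.0/28 public block routed to the DMZ, VLAN id 20 on the DMZ trunk and the ports opened are all assumptions; adjust them to the real addressing.

```conf
# /etc/shorewall/zones
# A fourth zone (srv) holds the hosts that must stay on private addresses.
#ZONE   TYPE
fw      firewall
net     ipv4        # Internet, via eth0
loc     ipv4        # existing LAN(s)
dmz     ipv4        # hosts with real public addresses (203.0.113.0/28, assumed)
srv     ipv4        # DCs and other private-only servers (10.0.2.0/24, assumed)

# /etc/shorewall/interfaces
# srv rides on an 802.1q VLAN (id 20, assumed) of the DMZ interface, so no
# extra physical NIC is needed; the Xen hosts carry the same trunk.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter
loc     eth1        detect      tcpflags
dmz     eth2        detect      tcpflags
srv     eth2.20     detect      tcpflags

# /etc/shorewall/policy
# Default deny between the server zones; only the LAN is trusted outbound.
#SOURCE DEST    POLICY  LOG LEVEL
$FW     all     ACCEPT
loc     net     ACCEPT
loc     dmz     ACCEPT
loc     srv     ACCEPT
srv     all     REJECT  info
dmz     all     REJECT  info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Only what the public hosts really need from the DCs (ports assumed).
#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
Web(ACCEPT) net     dmz
ACCEPT      dmz     srv     tcp     389,636     # LDAP / LDAPS to the DCs
ACCEPT      dmz     srv     tcp     53          # DNS
ACCEPT      dmz     srv     udp     53

# /etc/network/interfaces (Debian-style, needs the "vlan" package, which
# loads the 8021q module; "ip link add link eth2 name eth2.20 type vlan id 20"
# does the same thing by hand)
auto eth2.20
iface eth2.20 inet static
    address 10.0.2.1
    netmask 255.255.255.0
    vlan-raw-device eth2
```

With the public block routed to the firewall by the ISP, the DMZ hosts are reached directly and no proxyarp or NAT entry is needed for them, which avoids the routeback problem mentioned above; run `shorewall check` before `shorewall restart` to catch column mistakes in these files.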

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users