Hi to everyone!

I'm reading about MultiISP and Shorewall.

I have 5 IPs from my provider and I need to know if it's possible to use only one NIC for those providers. All of these IPs come in on only one modem from this provider.

Do I need to put in 5 NICs, or can I use only one with the colon ":"?

I read this link http://www.shorewall.net/4.4/MultiISP.html and this one http://www.shorewall.net/4.4/MultiISP.html#Shared

This line makes me think "this is not the way":

*Where multiple providers share the same interface (which is not recommended), you must follow the name of the interface by a colon (":") and the IP address assigned by this provider (e.g., eth0:206.124.146.176).*

I will use only one IP for the LAN clients, and the other 4 WAN IPs will be used for a web server, MySQL servers and other things, but only for access from outside the network.

Thanks in advance and best regards.

--
Emiliano A. Vazquez

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 6/5/12 4:24 PM, Emiliano Vazquez wrote:
> Hi to everyone!
>
> I'm reading about MultiISP and Shorewall.
>
> I have 5 IPs from my provider and I need to know if it's possible to use
> only one NIC for those providers.

You have *one* provider, not 5.

> All of these IPs come in on only one modem from this provider.
>
> Do I need to put in 5 NICs, or can I use only one with the colon ":"?
>
> I read this link http://www.shorewall.net/4.4/MultiISP.html and this
> http://www.shorewall.net/4.4/MultiISP.html#Shared
>
> This line makes me think "this is not the way":
> *Where multiple providers share the same interface (which is not
> recommended), you must follow the name of the interface by a colon (":")
> and the IP address assigned by this provider (e.g., eth0:206.124.146.176).*

That article isn't what you want.

> I will use only one IP for the LAN clients, and the other 4 WAN IPs will be
> used for a web server, MySQL servers and other things, but only for access
> from outside the network.
>
> Thanks in advance and best regards.

What I recommend is a three-interface configuration:

1. WAN
2. LAN
3. DMZ

Your servers are attached to the DMZ interface and use Proxy ARP. You have enough addresses for 4 servers.

See these two articles:

http://www.shorewall.net/shorewall_setup_guide.htm
http://www.shorewall.net/ProxyARP.htm

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
On 6/5/12 4:24 PM, Emiliano Vazquez wrote:
> I have 5 IPs from my provider and I need to know if it's possible to use
> only one NIC for those providers.
> [...]
> I will use only one IP for the LAN clients, and the other 4 WAN IPs will be
> used for a web server, MySQL servers and other things, but only for access
> from outside the network.

Rather than the Shorewall setup guide, use this one -- it is much smaller and only covers your particular case.

http://www.shorewall.net/three-interface.htm

-Tom
Thanks Tom. I will read both.

I don't understand why three interfaces. I have 5 WAN IPs, not LANs.

Best regards.
Emiliano

Emiliano Vazquez | PcCentro S.R.L.
Callao 80 | CP 1022 | C.A.B.A.
Office: +54 (11) 4951-0203 / 4155
Celular: 15.6253.7165
Mail: emilianovazquez@gmail.com
Web: http://www.pccentro.com.ar

-----Original Message-----
From: Tom Eastep <teastep@shorewall.net>
Date: Tue, 05 Jun 2012 16:48:18
To: <shorewall-users@lists.sourceforge.net>
Reply-To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Subject: Re: [Shorewall-users] Multi ISP and one Interface
Tom, I read your mail again.

I have only one provider, who gives me only one modem, and it gives me 5 public IP addresses to use.

I need to use 1 public IP address for the users in the LAN (with the routeback option to keep using the same IP always, I suppose).

The other 4 IPs are for services on the WAN side: for web servers and some MySQL servers.

IP1 => webserver (port 80) at 192.168.0.10:80
IP2 => webserver (port 80) at 192.168.0.11:90

And so on.

Best regards.
Emiliano Vazquez
emilianovazquez@gmail.com wrote:
> I don't understand why three interfaces. I have 5 WAN IPs, not LANs.

An IP address is different to a network, which is different to a provider.

You have one provider, and he is giving you (I assume) what is known as a /29 subnet, which contains a block of 8 IP addresses. Of these, 2 are not usable, and one will be used by the provider for their end of the connection - leaving you with 5 to use yourself.

Eg, if the subnet were a.b.c.0/29, then a.b.c.0 is not usable, a.b.c.1 might be used by the provider for their end of the connection, and a.b.c.2 through a.b.c.6 will be available for you to use. a.b.c.7 is not usable (it's the broadcast address for the network).

All these addresses belong to one network - which would be your WAN interface.
http://en.wikipedia.org/wiki/Subnetwork

What you do inside is up to you. As a minimum you'd need a LAN interface for all your own stuff. Typically people use an RFC1918 address such as 192.168.x.0/24, which is reserved for such use and cannot be routed across the internet.
http://en.wikipedia.org/wiki/Private_network

To make this usable to connect to the internet, you need to use NAPT (usually just written as NAT), which will change the source address (and possibly port) of outgoing packets so they have one of your public IPs, and reverses the change on reply packets.
http://en.wikipedia.org/wiki/Network_address_translation

With this minimal setup, you could use port forwarding to make outside packets addressed to a particular public IP be routed to a specific internal machine. Thus packets addressed to a.b.c.3 could be sent to 192.168.57.23 - which might be your web server.

What Tom is suggesting is that (for security) you should have a third network - often referred to as a DMZ, De-Militarised Zone, after the strip of land separating two opposing forces in land warfare. In this case, the DMZ is between the hostile internet and your internal network.

By putting your public facing servers in a separate network, should they be compromised, this doesn't give the attacker full access to your internal network.

Again, this network would have a private (RFC1918) address, and you'd use proxy ARP to make it appear to be on the outside of your gateway - while it's actually behind a firewall which restricts the traffic that can get to it, and hence reduces the scope for attacks.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Hi Simon! Thanks for your time!

> An IP address is different to a network, which is different to a provider.
>
> You have one provider, and he is giving you (I assume) what is known
> as a /29 subnet, which contains a block of 8 IP addresses. Of these, 2
> are not usable, and one will be used by the provider for their end of
> the connection - leaving you with 5 to use yourself.
>
> Eg, if the subnet were a.b.c.0/29, then a.b.c.0 is not usable,
> a.b.c.1 might be used by the provider for their end of the
> connection, and a.b.c.2 through a.b.c.6 will be available for you to
> use. a.b.c.7 is not usable (it's the broadcast address for the
> network).
>
> All these addresses belong to one network - which would be your WAN
> interface.
> http://en.wikipedia.org/wiki/Subnetwork

Ok. My mistake. I have this configuration. My first question was about how to configure Shorewall with this scenario and how it will work.

Reading on shorewall.net I found something about "there is no good idea to get working more than one ISP on the same link". I assume this works too for one ISP with multiple public IP addresses.

Please let me know how to configure 5 public IPs on the same NIC and tell Shorewall "there are 5 public IPs". I can resolve this in my head!

> What you do inside is up to you. As a minimum you'd need a LAN
> interface for all your own stuff. Typically people use an RFC1918
> address such as 192.168.x.0/24, which is reserved for such use and
> cannot be routed across the internet.
> http://en.wikipedia.org/wiki/Private_network
>
> To make this usable to connect to the internet, you need to use NAPT
> (usually just written as NAT), which will change the source address
> (and possibly port) of outgoing packets so they have one of your
> public IPs, and reverses the change on reply packets.
> http://en.wikipedia.org/wiki/Network_address_translation
>
> With this minimal setup, you could use port forwarding to make
> outside packets addressed to a particular public IP be routed to a
> specific internal machine. Thus packets addressed to a.b.c.3 could be
> sent to 192.168.57.23 - which might be your web server.

Thanks for taking the time to explain this. I already knew this, but it is always helpful to read this information again.

> What Tom is suggesting is that (for security) you should have a third
> network - often referred to as a DMZ, De-Militarised Zone, after the
> strip of land separating two opposing forces in land warfare. In this
> case, the DMZ is between the hostile internet and your internal
> network.
> By putting your public facing servers in a separate network, should
> they be compromised, this doesn't give the attacker full access to
> your internal network.
> Again, this network would have a private (RFC1918) address, and you'd
> use proxy ARP to make it appear to be on the outside of your gateway
> - while it's actually behind a firewall which restricts the traffic
> that can get to it, and hence reduces the scope for attacks.

Ok. I will try to isolate the servers on the DMZ. I don't know yet if it is possible to use a different network for the servers.

Best regards.
Emiliano
On 06/06/2012 12:17 AM, Simon Hobson wrote:
> What Tom is suggesting is that (for security) you should have a third
> network - often referred to as a DMZ, De-Militarised Zone, after the
> strip of land separating two opposing forces in land warfare. In this
> case, the DMZ is between the hostile internet and your internal
> network.
> By putting your public facing servers in a separate network, should
> they be compromised, this doesn't give the attacker full access to
> your internal network.
> Again, this network would have a private (RFC1918) address, and you'd
> use proxy ARP to make it appear to be on the outside of your gateway
> - while it's actually behind a firewall which restricts the traffic
> that can get to it, and hence reduces the scope for attacks.

Small correction -- the DMZ would have public addresses and proxy ARP would make it appear to be outside of the firewall.

-Tom
Emiliano Vazquez wrote:
> Reading on shorewall.net I found something
> about "there is no good idea to get working more than one ISP on the
> same link". I assume this works too for one ISP with multiple public
> IP addresses.

Forget about multiple ISPs, it is completely irrelevant to your situation. Multiple IPs is completely unrelated to multiple ISPs.

> Please let me know how to configure 5 public IPs on the same NIC and
> tell Shorewall "there are 5 public IPs". I can resolve this in my
> head!

Try http://shorewall.net/Shorewall_and_Aliased_Interfaces.html or http://shorewall.net/ProxyARP.htm

Tom Eastep wrote:
> Small correction -- the DMZ would have public addresses and proxy ARP
> would make it appear to be outside of the firewall.

Ah yes - well spotted

Or he can use private addressing and port forwarding (which I'm not personally a fan of).

--
Simon Hobson
Thanks Simon and Tom.

A lot of reading is waiting for me. I will post the results of my work.

Regards!
Emiliano

-----Original Message-----
From: Simon Hobson <linux@thehobsons.co.uk>
Date: Wed, 6 Jun 2012 16:16:25
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Reply-To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Subject: Re: [Shorewall-users] Multi ISP and one Interface

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 06/06/2012 08:16 AM, Simon Hobson wrote:
> Tom Eastep wrote:
>
>> Small correction -- the DMZ would have public addresses and proxy ARP
>> would make it appear to be outside of the firewall.
>
> Ah yes - well spotted
> Or he can use private addressing and port forwarding (which I'm not
> personally a fan of).

Nor am I -- 1:1 NAT is also a possibility, but I still prefer proxy ARP.

-Tom
On Wed, Jun 6, 2012 at 12:35 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 06/06/2012 08:16 AM, Simon Hobson wrote:
>> Tom Eastep wrote:
>>> Small correction -- the DMZ would have public addresses and proxy ARP
>>> would make it appear to be outside of the firewall.
>>
>> Ah yes - well spotted
>> Or he can use private addressing and port forwarding (which I'm not
>> personally a fan of).
>
> Nor am I -- 1:1 NAT is also a possibility, but I still prefer proxy ARP.

I don't understand why not use port forwarding for this. Do you have any document I can read to get clear about this?

I never thought of using 1:1 NAT or proxy ARP when I accepted this work.

Best regards.
Emiliano Vazquez.
On 06/06/2012 08:45 AM, Emiliano Vazquez wrote:
> On Wed, Jun 6, 2012 at 12:35 PM, Tom Eastep <teastep@shorewall.net> wrote:
>> Nor am I -- 1:1 NAT is also a possibility, but I still prefer proxy ARP.
>
> I don't understand why not use port forwarding for this. Do you
> have any document I can read to get clear about this?
> I never thought of using 1:1 NAT or proxy ARP when I accepted this work.

If you use port forwarding or 1:1 NAT, then each of your servers has two IP addresses; one known to the outside world and one known locally. This means that you either have to use split DNS or you have to use hacks if you want the servers to be able to find each other using DNS. If the servers are placed in the LAN, then the hacks are really bad -- see Shorewall FAQ 2.

-Tom
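The three-interface layout Tom recommends (WAN, LAN, and a DMZ whose servers keep their public addresses via proxy ARP), written out as Shorewall 4.4 configuration fragments. This is an added example, not from the thread or the Shorewall documentation; it assumes a constructed /29 of 203.0.113.0/29 (RFC 5737 documentation space) with the provider's router at .1, the firewall's external address .2 on eth0, the LAN 192.168.0.0/24 on eth1, four DMZ servers .3 to .6 on eth2, and the DMZ host settings (public address with the /29 mask, firewall's external address as gateway) follow the linked ProxyARP article as the example's assumption.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
# eth2 (DMZ) needs no public address of its own; the proxyarp file below
# makes Shorewall add host routes for the four server addresses via eth2.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians
dmz     eth2        detect      tcpflags,nosmurfs

# /etc/shorewall/policy
# Default-deny from the internet; LAN may go out; nothing else is implied.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
net     all     DROP    info
# The catch-all policy must be last
all     all     REJECT  info

# /etc/shorewall/proxyarp
# One line per DMZ server. EXTERNAL is the interface on which the firewall
# answers ARP for the address (the provider's segment); HAVEROUTE=No asks
# Shorewall to add the host route to the server through eth2 itself.
# Assumed host-side setup: each server is configured with its public
# address and the /29 mask, default gateway 203.0.113.2 (constructed values).
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE   PERSISTENT
203.0.113.3     eth2        eth0        No
203.0.113.4     eth2        eth0        No
203.0.113.5     eth2        eth0        No
203.0.113.6     eth2        eth0        No

# /etc/shorewall/masq
# LAN clients leave through the firewall's single external address
# (203.0.113.2). The DMZ is deliberately not listed: its hosts already
# carry public addresses, so no translation and no second name is needed.
#INTERFACE  SOURCE          ADDRESS
eth0        192.168.0.0/24

# /etc/shorewall/rules
# Open only what each DMZ host actually serves; the net->all DROP policy
# covers everything else. Macros such as DNS and SSH are shipped with Shorewall.
#ACTION     SOURCE  DEST                PROTO   DEST PORT(S)
ACCEPT      net     dmz:203.0.113.3     tcp     80
ACCEPT      net     dmz:203.0.113.4     tcp     80
# MySQL reachable from outside: if the client networks are known, put them
# in SOURCE (e.g. net:<client-net>) instead of the whole of net.
ACCEPT      net     dmz:203.0.113.5     tcp     3306
ACCEPT      net     dmz:203.0.113.6     tcp     3306
# LAN reaches the servers on the same public addresses the outside uses,
# which is what removes the split-DNS problem Tom describes.
ACCEPT      loc     dmz                 tcp     80,3306
DNS(ACCEPT) $FW     net
SSH(ACCEPT) loc     $FW
```

After `shorewall check` and `shorewall restart`, `ip route show` on the firewall should list a host route for each proxied address via eth2, and an `arping` for 203.0.113.3 from the provider's segment should be answered by eth0's MAC.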
Ok Tom, it's true. Your explanation is very clear!

Best regards.
Emiliano

-----Original Message-----
From: Tom Eastep <teastep@shorewall.net>
Date: Wed, 06 Jun 2012 08:56:53
To: <shorewall-users@lists.sourceforge.net>
Reply-To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Subject: Re: [Shorewall-users] Multi ISP and one Interface
I second what Tom said. I've used both port forwarding and 1:1 NAT, and it can be a lot of work and is error prone when having to update two zone files for every change. Split DNS is a hassle. It gets even more fun when you have a mail server on a NATed network and you have to create two different MX records.

I'm currently using proxy ARP on my DMZ and it works seamlessly.

-jason.

----------------------
Jason Murray
jason@catapultweb.com
http://www.catapultweb.com

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, June 06, 2012 11:57 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Multi ISP and one Interface