From reading the documentation, I understand that it is recommended to put servers that may be at risk in a DMZ served via proxy-arp. In this case, the local clients that are behind a NAT would have their connections to the DMZ masqueraded, yes?

Is there any way around this that would still be considered secure?

Just looking for advice.

Thanks,

A.
Adam Sherman wrote:
> From reading the documentation, I understand that it is recommended to
> put servers that may be at risk in a DMZ served via proxy-arp. In this
> case, the local clients that are behind a NAT would have their
> connections to the DMZ masqueraded, yes?

No -- not unless you are foolish enough to set it up that way.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>> From reading the documentation, I understand that it is recommended to
>> put servers that may be at risk in a DMZ served via proxy-arp. In this
>> case, the local clients that are behind a NAT would have their
>> connections to the DMZ masqueraded, yes?
>
> No -- not unless you are foolish enough to set it up that way.

Ah, I misread the "corporate network" example then. So, the private IP connections to the public IP DMZ would be routed, simply?

Thanks,

A.
Adam Sherman wrote:
> Tom Eastep wrote:
>>> From reading the documentation, I understand that it is recommended to
>>> put servers that may be at risk in a DMZ served via proxy-arp. In this
>>> case, the local clients that are behind a NAT would have their
>>> connections to the DMZ masqueraded, yes?
>>
>> No -- not unless you are foolish enough to set it up that way.
>
> Ah, I misread the "corporate network" example then. So, the private IP
> connections to the public IP DMZ would be routed, simply?

You -- unless you have an entry in /etc/shorewall/masq for that traffic.

-Tom
Tom Eastep wrote:
> Adam Sherman wrote:
>> Tom Eastep wrote:
>>>> From reading the documentation, I understand that it is recommended to
>>>> put servers that may be at risk in a DMZ served via proxy-arp. In this
>>>> case, the local clients that are behind a NAT would have their
>>>> connections to the DMZ masqueraded, yes?
>>>
>>> No -- not unless you are foolish enough to set it up that way.
>>
>> Ah, I misread the "corporate network" example then. So, the private IP
>> connections to the public IP DMZ would be routed, simply?
>
> You -- unless you have an entry in /etc/shorewall/masq for that traffic.

Rather "Yes -- unless..."

-Tom

PS == I shouldn't try to type while I'm on a conference call :-)
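As an added illustration of the distinction Tom draws (this is not from the thread or from the Shorewall project's own documentation), a minimal /etc/shorewall/masq and /etc/shorewall/proxyarp pair that keeps local-to-DMZ traffic routed rather than masqueraded. The interface roles (eth0 Internet, eth1 local LAN, eth2 DMZ) and all addresses are assumptions; the DMZ address comes from the 192.0.2.0/24 documentation range.

```text
# /etc/shorewall/masq   (assumed: eth0 = Internet, eth1 = local LAN, eth2 = DMZ)
#
# Masquerading is keyed on the OUTGOING interface. Only traffic leaving via
# eth0 (toward the Internet) matches the line below. Local -> DMZ traffic
# leaves via eth2, matches nothing here, and is therefore simply routed with
# its private source address intact.
#INTERFACE   SOURCE            ADDRESS
eth0         192.168.1.0/24
#
# The setup to avoid (the case Adam was worried about): an entry keyed on the
# DMZ interface would masquerade LAN clients toward the DMZ as well, hiding
# their real addresses from the DMZ hosts' logs and access controls.
#eth2        192.168.1.0/24     <-- do NOT add a line like this

# /etc/shorewall/proxyarp   (constructed DMZ address)
# The DMZ server keeps its public address while sitting behind eth2; the
# firewall answers ARP for it on eth0 and routes to it, so no NAT is involved
# in either direction.
#ADDRESS     INTERFACE   EXTERNAL   HAVEROUTE
192.0.2.10   eth2        eth0       no
```

After `shorewall restart`, `iptables -t nat -L POSTROUTING -v -n` should show a MASQUERADE rule bound to eth0 only, which is the quick check that DMZ-bound traffic is not being rewritten.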