Hi. I just found out something about Shorewall with Proxy ARP.

I built a network with multiple live IP addresses, and followed the example using Proxy ARP. With the original DNS setup (prior to the Shorewall installation), mail, www and ftp all point to one single address (202.8.83.93) and are located in the LAN. As I moved the mail and www servers (two different machines) to the DMZ and assigned each of them a unique live IP, I needed a method to move the servers seamlessly. Here's what I found:

In the rules file, define:

    DNAT net dmz:202.8.83.92 tcp 25 - 202.8.83.93

This basically rewrites all packets that go to 202.8.83.93:25 to 202.8.83.92.

I am wondering if this also allows us to define bogus live IPs in the DMZ if we only have one public IP? If it's possible, it would save us from doing the dmz-to-dmz policy hack as shown in the FAQ. Thanks.

------------------------
Lito Kusnadi, B.Sc. CCNA
System Engineer
React Solutions
On Tuesday 06 January 2004 04:37 am, Lito Kusnadi wrote:

> Hi. I just found out something about Shorewall with Proxy ARP.
> I built a network with multiple live IP addresses, and followed the
> example using Proxy ARP.
> With the original DNS setup (prior to the Shorewall installation), mail,
> www and ftp all point to one single address (202.8.83.93) and are located
> in the LAN. As I moved the mail and www servers (two different machines)
> to the DMZ and assigned each of them a unique live IP, I needed a method
> to move the servers seamlessly. Here's what I found:
>
> In the rules file, define:
> DNAT net dmz:202.8.83.92 tcp 25 - 202.8.83.93
> This basically rewrites all packets that go to 202.8.83.93:25 to
> 202.8.83.92.
>
> I am wondering if this also allows us to define bogus live IPs in the
> DMZ if we only have one public IP? If it's possible, it would save us from
> doing the dmz-to-dmz policy hack as shown in the FAQ. Thanks.

I don't understand your question.

-Tom
--
Tom Eastep                \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                \ http://shorewall.net
Washington USA            \ teastep@shorewall.net
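The DNAT rule in the first post rewrites the destination of a connection in the nat PREROUTING chain before routing, so the packet must already be arriving at the firewall for it to work; with Proxy ARP that is the case because the firewall answers ARP for the live addresses it proxies. The configuration below is an added example written for this page, not the poster's configuration or the Shorewall project's own documentation. It shows the two situations the post asks about side by side: the multi-address Proxy ARP layout the poster has (202.8.83.92/.93 are from the post; eth0/eth1/eth2, the www host address 202.8.83.94 and the LAN subnet 192.168.1.0/24 are assumed), and a single-public-address layout with a private DMZ (the public address 203.0.113.10 and the DMZ subnet 10.10.10.0/24 are assumed). Column layout follows the Shorewall 1.4 rules file (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S), ORIGINAL DEST).

```text
# ---------------------------------------------------------------------------
# Case A: several live addresses, DMZ hosts keep public IPs via Proxy ARP
# (assumed: eth0 = net, eth1 = loc 192.168.1.0/24, eth2 = dmz)
# ---------------------------------------------------------------------------

# /etc/shorewall/proxyarp
# The firewall answers ARP on eth0 for these addresses and routes them to eth2.
#ADDRESS      INTERFACE   EXTERNAL    HAVEROUTE
202.8.83.92   eth2        eth0        No
202.8.83.94   eth2        eth0        No

# /etc/shorewall/rules (Case A section)
#ACTION   SOURCE   DEST                 PROTO   DEST     SOURCE   ORIGINAL
#                                               PORT(S)  PORT(S)  DEST
#
# DNS still returns 202.8.83.93 for mail and www, so rewrite connections
# to that address to the DMZ host that now serves each protocol.
DNAT      net      dmz:202.8.83.92      tcp     25       -        202.8.83.93
DNAT      net      dmz:202.8.83.94      tcp     80       -        202.8.83.93
#
# ftp stays on the LAN host that kept 202.8.83.93: plain ACCEPT, no rewrite.
ACCEPT    net      loc:202.8.83.93      tcp     21
#
# LAN clients also resolve the old address; without a loc-sourced DNAT they
# would reach the LAN host (or nothing) instead of the new DMZ mail server.
DNAT      loc      dmz:202.8.83.92      tcp     25       -        202.8.83.93
DNAT      loc      dmz:202.8.83.94      tcp     80       -        202.8.83.93

# ---------------------------------------------------------------------------
# Case B: one public address (assumed 203.0.113.10 on eth0), DMZ on
# private space (assumed 10.10.10.0/24 on eth2)
# ---------------------------------------------------------------------------

# /etc/shorewall/masq
# Outbound traffic from the private DMZ and LAN leaves with the public IP.
#INTERFACE   SUBNET            ADDRESS
eth0         10.10.10.0/24
eth0         192.168.1.0/24

# /etc/shorewall/rules (Case B section)
#ACTION   SOURCE   DEST                 PROTO   DEST     SOURCE   ORIGINAL
#                                               PORT(S)  PORT(S)  DEST
#
# Inbound: public address and port -> private DMZ host. ORIGINAL DEST is
# given explicitly so the rule only matches connections to the public IP.
DNAT      net      dmz:10.10.10.25      tcp     25       -        203.0.113.10
DNAT      net      dmz:10.10.10.80      tcp     80       -        203.0.113.10
#
# LAN clients connecting to the public name must be rewritten as well, or
# they land on the firewall itself rather than on the DMZ host.
DNAT      loc      dmz:10.10.10.25      tcp     25       -        203.0.113.10
DNAT      loc      dmz:10.10.10.80      tcp     80       -        203.0.113.10
```

Two practical checks. First, run `shorewall check` before `shorewall restart`, then confirm the rewrite with `iptables -t nat -nvL PREROUTING` and watch the packet counters while connecting to port 25 from outside; if the counter stays at zero the packet never reached the firewall, which in Case A means the firewall is not answering ARP for 202.8.83.93 (it does so only while that address is still a Proxy ARP entry, or an alias on eth0). Second, leaving ORIGINAL DEST empty on a net-sourced DNAT rule matches whatever destination address arrives unless shorewall.conf restricts it (DETECT_DNAT_IPADDRS in the 1.4 series); stating the public address explicitly, as above, avoids depending on that setting. Note that the DMZ hosts in Case B need a DNAT applied to LAN-originated traffic (the loc rules) precisely because they have no public address of their own; the private addresses are ordinary RFC 1918 space, not "bogus live IPs".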