Ok, let's try again. I hate ascii art ;-(

Thanks for all the answers. As we say here, "Living and Learning".

But now, I don't know how, in my implementation, I could use a proxy-arp. Let me try a little ascii art:

ISP1 - ROUTER1 - eth0.FW1.eth1 -
                                  DMZ (W32 SERVERS) - eth0.INT-FW.eth1 - loc
ISP2 - ROUTER2 - eth0.FW2.eth1 -

As you can see, a very uncommon implementation - due to a lack of knowledge on my part, maybe. The w32 servers each have two net cards. Each card has a different address and has a different default gateway (Firewall1 or Firewall2). Each gateway does NAT for the net card that has itself as Default Gateway. The external firewalls run BIND for my public domains. Each w32 server has two public addresses, one for each external firewall. This is the only way I could think of to make the w32 servers answer both public addresses - you know, I like studying Linux better than Windows ;-). Anyway, I've achieved the redundancy I would like to have.

Worst Problem:
- In this setup, my local net cannot reach the w32 servers using the public addresses given by the external servers. I had to put a third BIND in my local net to resolve the addresses (I don't like bind zones);

Doubt:
- using proxy-arp, could I:
  - proxy-arp each net card in the w32 servers to their respective default gateways?
  - proxy-arp the servers to the internal firewall so that the local net uses their public address to reach them?

TIA and sorry for the long post,

Duda

shorewall-users-bounces@lists.shorewall.net wrote on 22/09/2003 22:10:00:

> On Mon, 22 Sep 2003, Alex Martin wrote:
> 
> > I have been using the three interface setup using a DMZ and proxyarp
> > flawlessly for a couple of years now. Of course this is not the only application
> > for proxy arp related to shorewall, just the example I use for this little
> > monologue.
> > 
> > http://www.shorewall.net/three-interface.htm
> > 
> > http://www.shorewall.net/ProxyARP.htm
> > 
> > (Comments anyone, does this all sound accurate? clear?)
> 
> I would substitute http://www.shorewall.net/shorewall_setup_guide.htm for
> the three-interface guide; it covers ProxyARP used in a three-interface
> setup.
> 
> -Tom
> -- 
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Tue, 2003-09-23 at 08:09, Eduardo Ferreira wrote:
> Ok, let's try again. I hate ascii art ;-(
> 
> Thanks for all the answers. As we say here, "Living and Learning".
> 
> But now, I don't know how, in my implementation, I could use a proxy-arp.
> Let me try a little ascii art:
> 
> ISP1 - ROUTER1 - eth0.FW1.eth1 -
>                                   DMZ (W32 SERVERS) - eth0.INT-FW.eth1 - loc
> ISP2 - ROUTER2 - eth0.FW2.eth1 -
> 
> As you can see, a very uncommon implementation - due to a lack of
> knowledge on my part, maybe. The w32 servers each have two net cards.
> Each card has a different address and has a different default gateway
> (Firewall1 or Firewall2). Each gateway does NAT for the net card that has
> itself as Default Gateway. The external firewalls run BIND for my public
> domains. Each w32 server has two public addresses, one for each external
> firewall. This is the only way I could think of to make the w32 servers
> answer both public addresses - you know, I like studying Linux better than
> Windows ;-). Anyway, I've achieved the redundancy I would like to have.
> 
> Worst Problem:
> - In this setup, my local net cannot reach the w32 servers using the
>   public addresses given by the external servers. I had to put a third BIND
>   in my local net to resolve the addresses (I don't like bind zones);
> 
> Doubt:
> - using proxy-arp, could I:
>   - proxy-arp each net card in the w32 servers to their respective
>     default gateways?

Yes.

>   - proxy-arp the servers to the internal firewall so that the local
>     net uses their public address to reach them?

No -- all you need for that are host routes to the servers via eth0 on INT-FW.

-Tom
-- 
Nothing is foolproof to a sufficiently talented fool
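Tom's two answers written out as configuration, as an added example that is not part of the thread and not Shorewall's own code: entries for Shorewall's /etc/shorewall/proxyarp file (ADDRESS INTERFACE EXTERNAL HAVEROUTE columns) on each external firewall, plus the host routes for INT-FW. The addresses, the interface numbering (eth0 outside, eth1 DMZ side on FW1/FW2; eth0 DMZ side on INT-FW) and the helper script are constructed for illustration; it also assumes the servers can route replies back to the local net (for example because INT-FW masquerades it onto the DMZ), which the thread does not discuss.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed topology: each W32 server
# has NIC A with an ISP1 address (gateway FW1) and NIC B with an ISP2 address
# (gateway FW2); INT-FW's eth0 sits on the DMZ segment. Addresses are
# placeholders from the documentation ranges; replace with your own.

# "<ISP1 addr> <ISP2 addr>" per server (constructed sample data).
SERVERS="203.0.113.10 198.51.100.10
203.0.113.11 198.51.100.11"

# Emit /etc/shorewall/proxyarp lines for one external firewall.
# Columns: ADDRESS INTERFACE EXTERNAL HAVEROUTE
#   ADDRESS   public address that lives directly on the W32 server NIC
#   INTERFACE DMZ-side interface the server is attached to (eth1 here)
#   EXTERNAL  interface on which the firewall answers ARP for it (eth0 here)
#   HAVEROUTE "no" tells Shorewall to add the host route via INTERFACE itself
# $1 = 1 for FW1 (advertises ISP1 addresses), 2 for FW2 (ISP2 addresses)
proxyarp_entries() {
    echo "#ADDRESS        INTERFACE EXTERNAL HAVEROUTE"
    echo "$SERVERS" | while read -r isp1 isp2; do
        [ "$1" = 1 ] && addr=$isp1 || addr=$isp2
        printf '%-15s eth1      eth0     no\n' "$addr"
    done
}

# Write the proxyarp file for firewall $1 to path $2 (default: Shorewall's).
write_proxyarp() {
    proxyarp_entries "$1" > "${2:-/etc/shorewall/proxyarp}"
}

# Host routes for INT-FW: both public addresses of every server are on-link
# via eth0, so the local net reaches them without a third BIND.
int_fw_host_routes() {
    echo "$SERVERS" | while read -r isp1 isp2; do
        for addr in "$isp1" "$isp2"; do
            echo "ip route add $addr/32 dev eth0"
        done
    done
}

# Apply only when explicitly asked (needs root); otherwise just show them.
if [ "${APPLY:-0}" = 1 ]; then
    int_fw_host_routes | sh -e
else
    int_fw_host_routes
fi
```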
thank you a lot Tom, I'll give it a try on the weekend (production servers cannot be tinkered with during weekdays. As they are w32, I'm pretty sure I'll have to boot them sometime in the process).

One more doubt:
- I use masq and have a nat pool in the external firewalls, so that my users in local net can PPTP to a branch network. Is this a problem?

TIA,

Duda

ps: hey Tom, has anybody said before that Shorewall rocks? It surely does!

shorewall-users-bounces@lists.shorewall.net (Tom Eastep) wrote on 23/09/2003 12:45:13:

> On Tue, 2003-09-23 at 08:09, Eduardo Ferreira wrote:
[...snip...]
> > ISP1 - ROUTER1 - eth0.FW1.eth1 -
> >                                   DMZ (W32 SERVERS) - eth0.INT-FW.eth1 - loc
> > ISP2 - ROUTER2 - eth0.FW2.eth1 -
> > 
[...snip...]
> > Doubt:
> > - using proxy-arp, could I:
> >   - proxy-arp each net card in the w32 servers to their respective
> >     default gateways?
> 
> Yes.
> 
> >   - proxy-arp the servers to the internal firewall so that the local
> >     net uses their public address to reach them?
> 
> No -- all you need for that are host routes to the servers via eth0 on
> INT-FW.
> 
> -Tom
> -- 
> Nothing is foolproof to a sufficiently talented fool
On Tue, 2003-09-23 at 10:59, Eduardo Ferreira wrote:
> thank you a lot Tom, I'll give it a try on the weekend (production servers
> cannot be tinkered with during weekdays. As they are w32, I'm pretty sure
> I'll have to boot them sometime in the process).
> 
> One more doubt:
> - I use masq and have a nat pool in the external firewalls, so that my
>   users in local net can PPTP to a branch network. Is this a problem?

Shouldn't be.

-Tom
-- 
Nothing is foolproof to a sufficiently talented fool