1.) I have a DMZ with 1-3 servers in it. I have static IPs that I can assign to the servers in the DMZ.

2.) Or I could assign IP numbers in the DMZ such as 192.168.1.X.

3.) Or I could actually do both using aliased interfaces.

In the case of 1) I can use proxyarp.

In the case of 2) I can use dnat where the firewall accepts the static IPs and sends them on to the norfc1918 IP.

In the case of 3) where the net zone and the local zone(s) need to access the servers in the DMZ, which is best and why? - proxyarp or masq/dnat? I'd like to use case 3 because dropping in a new firewall won't ripple up the network if I do.

-- 
Sincerely,

David Smead
http://www.amplepower.com.
On Thu, 11 Apr 2002, David Smead wrote:

> 1.) I have a DMZ with 1-3 servers in it. I have static IPs that I can
> assign to the servers in the DMZ.
>
> 2.) Or I could assign IP numbers in the DMZ such as 192.168.1.X.
>
> 3.) Or I could actually do both using aliased interfaces.

Are you referring to static NAT?

> In the case of 1) I can use proxyarp.
>
> In the case of 2) I can use dnat where the firewall accepts the static IPs
> and sends them on to the norfc1918 IP.
>
> In the case of 3) where the net zone and the local zone(s) need to access
> the servers in the DMZ, which is best and why? - proxyarp or masq/dnat?
> I'd like to use case 3 because dropping in a new firewall won't ripple up
> the network if I do.

In my opinion, Proxy ARP is the cleanest way to handle a DMZ.

1) The hosts in the DMZ are accessed using the same IP address regardless of where they are accessed from.

2) The hosts in the DMZ know what their real IP address is -- this is helpful for running some services (I ran into problems of this sort when I originally set up my DMZ -- Sorry but I don't remember which service(s) gave me problems).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
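What the Proxy ARP setup Tom recommends looks like in Shorewall's configuration files, as an added example that is not part of the thread. The addresses (192.0.2.0/24 as the public block, 192.0.2.18 and .19 for the DMZ hosts), the interface names (eth0 public, eth1 loc, eth2 DMZ) and the zone names are assumed; the column layout is the Shorewall 1.x proxyarp file, so check the header of the installed copy before pasting:

```conf
# /etc/shorewall/proxyarp   (assumed layout: ADDRESS INTERFACE EXTERNAL)
# The DMZ hosts carry real public addresses out of the same /24 that the
# firewall's eth0 sits in; the DMZ segment has no subnet of its own.
#ADDRESS        INTERFACE   EXTERNAL
192.0.2.18      eth2        eth0
192.0.2.19      eth2        eth0

# Roughly what each line makes "shorewall start" do:
#   route add -host 192.0.2.18 dev eth2          # host route into the DMZ
#   arp -i eth0 -Ds 192.0.2.18 eth0 pub          # answer ARP for .18 on eth0
#   echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
# Proxy ARP only moves packets; it grants nothing. Access between zones is
# still decided by policy and rules, and the DMZ hosts keep the netmask
# and default gateway they would have on the public segment.

# /etc/shorewall/policy: a compromised DMZ host must not reach loc
#SOURCE  DEST   POLICY
loc      net    ACCEPT
dmz      net    ACCEPT
net      all    DROP
dmz      loc    REJECT
all      all    REJECT

# /etc/shorewall/rules: open only what the DMZ actually serves; both net
# and loc reach the host by the same public address, which is Tom's point 1).
#ACTION  SOURCE  DEST              PROTO  DEST PORT(S)
ACCEPT   net     dmz:192.0.2.18    tcp    80
ACCEPT   loc     dmz:192.0.2.18    tcp    80
```

To check it after starting Shorewall: `arp -an` on the firewall lists 192.0.2.18 as a published entry on eth0, and `ip route get 192.0.2.18` resolves via eth2. If a host on the public segment still cannot reach the DMZ, clear its ARP cache for the DMZ address; it may have cached the MAC of whatever answered before the firewall took over.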
Tom,

I hope I'm learning something but here goes another round of ignorance.

Is the nat file translated into rules that do static nat in both directions?

If one server in the dmz has 3 IPs, (aliased) and 2 of them are proxyarp'd can I masquerade the other one, which is a 198.168.1.X? Part of my confusion is not understanding what IP is used on a multiple aliases IP interface for a source address.

-- 
Sincerely,

David Smead
http://www.amplepower.com.

On Fri, 12 Apr 2002, Tom Eastep wrote:

> On Thu, 11 Apr 2002, David Smead wrote:
>
> > 1.) I have a DMZ with 1-3 servers in it. I have static IPs that I can
> > assign to the servers in the DMZ.
> >
> > 2.) Or I could assign IP numbers in the DMZ such as 192.168.1.X.
> >
> > 3.) Or I could actually do both using aliased interfaces.
>
> Are you referring to static NAT?
>
> > In the case of 1) I can use proxyarp.
> >
> > In the case of 2) I can use dnat where the firewall accepts the static IPs
> > and sends them on to the norfc1918 IP.
> >
> > In the case of 3) where the net zone and the local zone(s) need to access
> > the servers in the DMZ, which is best and why? - proxyarp or masq/dnat?
> > I'd like to use case 3 because dropping in a new firewall won't ripple up
> > the network if I do.
>
> In my opinion, Proxy ARP is the cleanest way to handle a DMZ.
>
> 1) The hosts in the DMZ are accessed using the same IP address regardless
> of where they are accessed from.
>
> 2) The hosts in the DMZ know what their real IP address is -- this is
> helpful for running some services (I ran into problems of this sort when I
> originally set up my DMZ -- Sorry but I don't remember which service(s)
> gave me problems).
>
> -Tom
On Fri, 12 Apr 2002, David Smead wrote:

> Tom,
>
> I hope I'm learning something but here goes another round of ignorance.
>
> Is the nat file translated into rules that do static nat in both
> directions?

Yes.

> If one server in the dmz has 3 IPs, (aliased) and 2 of them are proxyarp'd
> can I masquerade the other one, which is a 198.168.1.X? Part of my
> confusion is not understanding what IP is used on a multiple aliases IP
> interface for a source address.

For outgoing connection requests, it is the primary interface. Why would you do such a thing though?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom,

Thanks for confirming the nat question. I'm keeping notes for a mini-primer which I hope will be useful to others.

I'm trying to drop shorewall into an existing configuration without backing up into the internal system. We have an ancient firewall running Linux 2.0.36, bubble gum and baling wire, (uptime - 308 days). The server in the dmz has an IP of 192.168.1.10. It runs Apache with virtual servers.

The ancient firewall uses an old program called redir which redirects all port 80 traffic for two public IPs to the server in the dmz. Local computers on other internal networks access the dmz server using its private IP. Presently the dmz server is masqueraded so any email it sends is handled properly.

So, to avoid changes that disrupt other computers I need to keep the 192.168.1.10 on the server in the dmz. My idea is to alias the interface with the two public IPs. If I can proxyarp the two public IPs on the firewall and masquerade the private number of the dmz in the firewall then nothing should ripple out into the other systems.

If I can make things work like that then I can go into the other systems one at a time and change their accesses to one of the public IPs. Then I can revisit the firewall and clean it up.

Does any of this make sense?

-- 
Sincerely,

David Smead
http://www.amplepower.com.

On Fri, 12 Apr 2002, Tom Eastep wrote:

> On Fri, 12 Apr 2002, David Smead wrote:
>
> > Tom,
> >
> > I hope I'm learning something but here goes another round of ignorance.
> >
> > Is the nat file translated into rules that do static nat in both
> > directions?
>
> Yes.
>
> > If one server in the dmz has 3 IPs, (aliased) and 2 of them are proxyarp'd
> > can I masquerade the other one, which is a 198.168.1.X? Part of my
> > confusion is not understanding what IP is used on a multiple aliases IP
> > interface for a source address.
>
> For outgoing connection requests, it is the primary interface. Why would
> you do such a thing though?
>
> -Tom
> -- 
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
David,

On Fri, 12 Apr 2002, David Smead wrote:

> Tom,
>
> Thanks for confirming the nat question. I'm keeping notes for a
> mini-primer which I hope will be useful to others.
>
> I'm trying to drop shorewall into an existing configuration without
> backing up into the internal system. We have an ancient firewall running
> Linux 2.0.36, bubble gum and baling wire, (uptime - 308 days). The server
> in the dmz has an IP of 192.168.1.10. It runs Apache with virtual
> servers.
>
> The ancient firewall uses an old program called redir which redirects all
> port 80 traffic for two public IPs to the server in the dmz. Local
> computers on other internal networks access the dmz server using its
> private IP. Presently the dmz server is masqueraded so any email it sends
> is handled properly.
>
> So, to avoid changes that disrupt other computers I need to keep the
> 192.168.1.10 on the server in the dmz. My idea is to alias the interface
> with the two public IPs. If I can proxyarp the two public IPs on the
> firewall and masquerade the private number of the dmz in the firewall then
> nothing should ripple out into the other systems.
>
> If I can make things work like that then I can go into the other systems
> one at a time and change their accesses to one of the public IPs. Then I
> can revisit the firewall and clean it up.

On your new firewall, I would simply use port forwarding to forward port 80 from the two public IPs to your server and SNAT the server's access to the internet.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
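Tom's suggestion (DNAT port 80 from the two public addresses, SNAT the server's own traffic) written out as Shorewall configuration, together with the one-to-one nat file entry from the earlier exchange for contrast. This is an added example, not part of the thread or of Shorewall's own documentation. The public addresses 192.0.2.18 and 192.0.2.19, the interface names (eth0 net, eth1 loc, eth2 dmz) and the zone names are assumed; the column layouts are those of the Shorewall 1.x rules, masq and nat files, so compare them with the headers of the installed files. The DNAT lines for the loc zone go one step beyond what Tom wrote, to cover the migration plan in David's message:

```conf
# /etc/shorewall/rules   (assumed layout: Shorewall 1.x)
# The two public addresses live on the firewall's eth0 (as aliases); the
# server keeps 192.168.1.10, so nothing changes on it or on the loc hosts.
# Each DNAT line becomes a PREROUTING DNAT plus a matching filter ACCEPT, e.g.
#   iptables -t nat -A PREROUTING -i eth0 -d 192.0.2.18 -p tcp --dport 80 \
#            -j DNAT --to-destination 192.168.1.10
# Only port 80 is translated; everything else to those addresses is dropped
# by policy, which is the difference from a one-to-one nat entry.
#ACTION  SOURCE  DEST               PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
DNAT     net     dmz:192.168.1.10   tcp    80            -               192.0.2.18
DNAT     net     dmz:192.168.1.10   tcp    80            -               192.0.2.19
# loc hosts can be switched to the public addresses one at a time: the DMZ
# is a separate subnet, so replies return through the firewall and are
# un-DNATed there. No hairpin SNAT is needed for this.
DNAT     loc     dmz:192.168.1.10   tcp    80            -               192.0.2.18
DNAT     loc     dmz:192.168.1.10   tcp    80            -               192.0.2.19
# Access by the private address keeps working during the migration.
ACCEPT   loc     dmz:192.168.1.10   tcp    80

# /etc/shorewall/masq   (assumed layout: INTERFACE SUBNET ADDRESS)
# SNAT the server's outbound connections (its mail) to a fixed public
# address instead of the firewall's primary one, so the source address the
# receiving MTA sees matches the server's forward and reverse DNS. Expands to:
#   iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.10 -j SNAT --to-source 192.0.2.18
#INTERFACE  SUBNET          ADDRESS
eth0        192.168.1.10    192.0.2.18

# For contrast only (do not combine with the lines above for the same host):
# the nat file is static NAT in both directions, i.e. DNAT of every port
# arriving for 192.0.2.18 and SNAT of everything 192.168.1.10 sends. It only
# translates; what is reachable is still decided by rules, so the ACCEPT
# below is required and anything not listed stays closed.
# /etc/shorewall/nat   (assumed layout: EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL)
#EXTERNAL     INTERFACE  INTERNAL       ALL INTERFACES  LOCAL
#192.0.2.18   eth0       192.168.1.10   No              No
# /etc/shorewall/rules
#ACCEPT  net  dmz:192.168.1.10  tcp  80
```

Before cutting over, `shorewall check` (or a `shorewall restart` on a test box) catches column mistakes, and `iptables -t nat -L -n -v` shows the DNAT and SNAT rules with their packet counters, which is the quickest way to confirm that a test connection to 192.0.2.18 actually hit the forwarding rule rather than the policy.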