For a new firewall I want to use a combination of proxyarp and NAT. Proxyarp because it has many advantages over NAT for several protocols, and NAT because we have limited public IPs and it's easier to save some with NAT. Is there any good reason not to use a combination of both? Do I miss something here?

Simon
I'm using both, albeit for different subnets (proxy ARP for the DMZ, and NAT for the internal network). It seems to be a fairly common solution to the problem. It would be a little odd to run both on the same network--you'd have both public and private IPs on the same wire--but it should work OK.

- Bradey

-----Original Message-----
From: Simon Matter [mailto:simon.matter@ch.sauter-bc.com]
Sent: Tuesday, July 02, 2002 10:59 PM
To: shorewall-users
Subject: [Shorewall-users] proxyarp and nat

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
On Wed, 3 Jul 2002, Simon Matter wrote:

> For a new firewall I want to use a combination of proxyarp and NAT.
> Proxyarp because it has many advantages over NAT for several protocols
> and NAT because we have limited public IPs and it's easier to save some
> with NAT.
>
> Is there any good reason not to use a combination of both? Do I miss
> something here?
>

I hope not since that's what I do :-) See http://www.shorewall.net/myfiles.htm.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:
>
> On Wed, 3 Jul 2002, Simon Matter wrote:
>
> > For a new firewall I want to use a combination of proxyarp and NAT.
> > Proxyarp because it has many advantages over NAT for several protocols
> > and NAT because we have limited public IPs and it's easier to save some
> > with NAT.
> >
> > Is there any good reason not to use a combination of both? Do I miss
> > something here?
> >
>
> I hope not since that's what I do :-) See
> http://www.shorewall.net/myfiles.htm.

I have seen your myfiles.htm before, which is my best quickstart and howto in one document :) But you don't do what I'm planning to do, so this is what I want:

Imagine your own configuration but you move 'ursa' into the DMZ, you give 'ursa' the IP 192.168.2.2, and you're doing S/D-NAT 206.124.146.178 <-> 192.168.2.2. Another way could be to just forward ports, say 206.124.146.178:80 -> 192.168.2.2. Is it still okay?

If not, should I create two separate DMZs, one for proxyarp, the other for NAT/port forwarding?

Simon
On Thu, 4 Jul 2002, Simon Matter wrote:

> But you don't do what I'm planning to do, so this is what I want:
>
> Imagine your own configuration but you move 'ursa' into the DMZ, you
> give 'ursa' the IP 192.168.2.2, and you're doing S/D-NAT 206.124.146.178
> <-> 192.168.2.2. Another way could be to just forward ports, say
> 206.124.146.178:80 -> 192.168.2.2. Is it still okay?
>

Yes -- for the systems in the DMZ to be able to communicate with each other, though, you would need to add host routes on each system.

> If not, should I create two separate DMZs, one for proxyarp, the other
> for NAT/port forwarding?

That would make the routing more straightforward.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
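Tom's host-route point, as an added example that is not from the thread or from Shorewall: a small Python model of the two DMZ hosts' routing tables (longest-prefix lookup) showing where each host sends traffic for its DMZ neighbour before and after a /32 host route is added. The addresses 192.168.2.2 and 206.124.146.178 come from the thread; the firewall's DMZ addresses (206.124.146.176, 192.168.2.1) and the proxy-ARP host address (206.124.146.177) are assumptions.

```python
import ipaddress

# Constructed topology: one DMZ wire carrying a proxy-ARP host with a public
# address and a NATed host with a private address (the mixed setup discussed
# in the thread). Only 192.168.2.2 is quoted there; the rest are assumed.
FW_PUB, FW_PRIV = "206.124.146.176", "192.168.2.1"  # assumed firewall DMZ addresses
PUB_HOST = "206.124.146.177"                         # assumed proxy-ARP DMZ host
NAT_HOST = "192.168.2.2"                             # NATed DMZ host from the thread
ON_LINK = "on-link"                                  # deliver directly, no gateway

# Per-host routing tables as (prefix, next hop); longest prefix wins.
pub_routes = [("0.0.0.0/0", FW_PUB), (FW_PUB + "/32", ON_LINK)]
nat_routes = [("0.0.0.0/0", FW_PRIV), ("192.168.2.0/24", ON_LINK)]


def next_hop(routes, dst):
    """Longest-prefix lookup: the gateway address, ON_LINK, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def with_host_route(routes, peer):
    """Tom's fix: a /32 route for the DMZ peer, delivered on the shared wire."""
    return routes + [(peer + "/32", ON_LINK)]


def dmz_peer_paths(host_routes=False):
    """Next hop each DMZ host uses to reach the other, with or without host routes."""
    pub, nat = pub_routes, nat_routes
    if host_routes:
        pub, nat = with_host_route(pub, NAT_HOST), with_host_route(nat, PUB_HOST)
    return {"pub->nat": next_hop(pub, NAT_HOST), "nat->pub": next_hop(nat, PUB_HOST)}


if __name__ == "__main__":
    # Without host routes both hosts hand DMZ-neighbour traffic to the firewall;
    # with the /32 routes they reach each other directly on the wire.
    print("without host routes:", dmz_peer_paths(False))
    print("with host routes:   ", dmz_peer_paths(True))
```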