Simon Chalk
2003-Jan-05 08:10 UTC
[Shorewall-users] Shorewall DMZ - Proxy ARP or Static NAT
Hi All,

From the documentation I have read on Shorewall, the preferred approach seems to be, to use Proxy ARP instead of Static NAT for hosting web servers in the DMZ Zone. But I have also read that this could cause problems for VPN configurations.

I essentially have multiple public IP's, which I want to map to private addresses in the DMZ. I also intend to setup a gateway between 2 networks using the same Firewall.

So am I correct in saying that I should really be using Static NAT? But since Proxy ARP is the preferred approach, I wondered whether there are any issues with SNAT that I should be aware about?

Any help would be much appreciated.

Regards,
Simon Chalk.
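The two Shorewall configurations the question contrasts, as an added example that is not part of the thread or of the Shorewall project's own documentation. It assumes a single web server in a DMZ on eth2 behind an Internet interface eth0, one public address 203.0.113.18 (a documentation range) and one private address 192.168.1.3; all of these names and addresses are assumptions. The point it illustrates: Proxy ARP does not map a public address to a private one at all, because the DMZ host is configured with the public address itself and the firewall merely answers ARP for it on eth0. Only the nat entry actually translates between a public and a private address.

```text
# /etc/shorewall/proxyarp  (Proxy ARP)
# The DMZ host itself carries 203.0.113.18; nothing is translated.
# HAVEROUTE=No tells Shorewall to add the host route to eth2 for you.
#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE
203.0.113.18    eth2            eth0            No

# /etc/shorewall/nat  (Static NAT)
# The DMZ host carries 192.168.1.3; the firewall rewrites
# 203.0.113.18 <-> 192.168.1.3 in both directions.
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
203.0.113.18    eth0            192.168.1.3     No              No

# /etc/shorewall/rules  (needed in BOTH cases)
# Neither file above grants access; the server is still only reachable
# through the zone policies and rules. With Static NAT the rule names the
# internal address, because translation happens before filtering;
# with Proxy ARP it would name 203.0.113.18 instead.
#ACTION SOURCE  DEST                    PROTO   DEST PORT(S)
ACCEPT  net     dmz:192.168.1.3         tcp     80
```

With several public addresses, each one gets its own line in whichever file is chosen; mixing the two approaches for different addresses is also possible, since the files are independent.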
Tom Eastep
2003-Jan-05 19:33 UTC
[Shorewall-users] Shorewall DMZ - Proxy ARP or Static NAT
--On Sunday, January 05, 2003 4:10 PM +0000 Simon Chalk <zen10984@zen.co.uk> wrote:

> Hi All,
>
> From the documentation I have read on Shorewall, the preferred approach
> seems to be, to use Proxy ARP instead of Static NAT for hosting web
> servers in the DMZ Zone. But I have also read that this could cause
> problems for VPN configurations.

Can you give us just one clue about what you are talking about? I've read that the earth is flat too but I put very little store in the notion...

> I essentially have multiple public IP's, which I want to map to private
> addresses in the DMZ. I also intend to setup a gateway between 2 networks
> using the same Firewall.
>
> So am I correct in saying that I should really be using Static NAT? But
> since Proxy ARP is the preferred approach, I wondered whether there are
> any issues with SNAT that I should be aware about?
>

I stand by my advice in the setup guide (http://shorewall.sf.net/shorewall_setup_guide.htm) unless you can convince me otherwise.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Jan-05 20:03 UTC
[Shorewall-users] Shorewall DMZ - Proxy ARP or Static NAT
--On Sunday, January 05, 2003 7:32 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
>
> --On Sunday, January 05, 2003 4:10 PM +0000 Simon Chalk
> <zen10984@zen.co.uk> wrote:
>
>> But I have also read that this could cause
>> problems for VPN configurations.
>
> Can you give us just one clue about what you are talking about? I've read
> that the earth is flat too but I put very little store in the notion...

Are you talking about the problem with FreeS/WAN? AFAIK, the workaround that I recommend works fine to avoid that problem. Does anyone have any evidence to the contrary?

BTW -- that problem is just one of the weaknesses in the FreeS/WAN implementation. The IPSEC facility included in the 2.5 Linux Kernel doesn't use the FreeS/WAN base.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net