Hi everyone,

I have a question regarding the default gateway for hosts in the DMZ zone. I moved servers from parallel to the DMZ (outside the firewall, directly connected to the Internet) to inside the DMZ. The default gw for these servers was the DSL router (bridge) of my ISP.

What should be the default gw for the hosts inside the DMZ now: still the DSL router (external routable IP address) or the network interface for the DMZ zone, 10.10.200.1 (the non-routable one)?

I searched the documentation, but couldn't find an answer.

Appreciate your help. Thank you in advance.

Visit my Web Site: http://www.dbaclick.com
Tons of Oracle DBA's scripts, articles, manuals and documents
My profile: http://profiles.yahoo.com/clio_usa
On Mon, 13 Jan 2003, Trifon Anguelov wrote:

> I have a question regarding the default gateway for hosts on DMZ zone. I
> moved servers from parallel to the DMZ (outside the firewall, directly
> connected to I-net) to inside DMZ. The default gw for these servers was
> the DSL router(bridge) of my ISP.
>
> What should be the default gw (for the hosts inside the DMZ), when hosts
> are inside the DMZ now - still the DSL router (external routable IP
> Address) or the network interface for the DMZ zone - 10.10.200.1
> (non-routable one)?

It would normally be the network interface of your DMZ interface on your FW/router.

The host must know how to get to the gw. 9 times out of 10 the routing information in these hosts is only sufficient to get to hosts on the LAN. That implies that the host will only know how to get to the 10. network and that the gw/FW is needed to move packets on their merry way.

Ed
--
http://www.shorewall.net/ for all your firewall needs
http://www.greshko.com
--On Tuesday, January 14, 2003 09:10:10 AM +0800 Ed Greshko <Ed.Greshko@greshko.com> wrote:

> On Mon, 13 Jan 2003, Trifon Anguelov wrote:
>
>> I have a question regarding the default gateway for hosts on DMZ zone. I
>> moved servers from parallel to the DMZ (outside the firewall, directly
>> connected to I-net) to inside DMZ. The default gw for these servers was
>> the DSL router(bridge) of my ISP.
>>
>> What should be the default gw (for the hosts inside the DMZ), when hosts
>> are inside the DMZ now - still the DSL router (external routable IP
>> Address) or the network interface for the DMZ zone - 10.10.200.1
>> (non-routable one)?
>
> It would normally be the network interface of your DMZ interface on your
> FW/router.
>
> The host must know how to get to the gw. 9 times out of 10 the routing
> information in these hosts is only sufficient to get to hosts on the LAN.
> That implies it the host will only know how to get to the 10. network and
> that the gw/FW is needed move packets on their merry way.

Except when Proxy ARP is being used. To quote http://shorewall.sf.net/ProxyARP.htm:

"The lower systems (130.252.100.18 and 130.252.100.19) should have their subnet mask and default gateway configured exactly the same way that the Firewall system's eth0 is configured."

I will update http://shorewall.sf.net/shorewall_setup_guide.htm to include this same information.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
On Mon, 13 Jan 2003, Tom Eastep wrote:

> Except when Proxy ARP is being used. To quote

Ooopss....forgot about that...

Ed
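The two answers above describe one rule (a default gateway is only usable if the host already has a connected route covering it) and one exception (Proxy ARP, where the DMZ host copies the firewall's external mask and gateway). The following is an added model of that rule, not code from the thread or from Shorewall; the DMZ host address, the firewall eth0 address 130.252.100.17/24, the /24 external mask and the DSL router address 130.252.100.1 are constructed assumptions, while 10.10.200.1 and 130.252.100.18 come from the messages.

```python
import ipaddress

def connected_routes(interfaces):
    """Routes a host has purely from its interface configuration:
    list of (prefix, device). A gateway must be covered by one of these."""
    return [(str(ipaddress.ip_interface(cidr).network), dev)
            for dev, cidr in interfaces.items()]

def lookup(routes, address):
    """Longest-prefix match of address over (prefix, device) routes."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def validate_default_gateway(interfaces, gateway):
    """Mirror the kernel's check: 'ip route add default via GW' is only
    accepted when GW is on-link. Returns (ok, device_or_reason)."""
    dev = lookup(connected_routes(interfaces), gateway)
    if dev is None:
        return (False, f"{gateway} is not on-link; the host has no route to it")
    return (True, dev)

# Scenario 1 (the question): host inside the routed 10.10.200.0/24 DMZ.
# Host address is constructed; 10.10.200.1 is the DMZ interface from the
# thread; 130.252.100.1 is a constructed stand-in for the ISP's DSL router.
DMZ_HOST = {"eth0": "10.10.200.10/24"}
DMZ_GATEWAY = "10.10.200.1"
DSL_ROUTER = "130.252.100.1"

# Scenario 2 (Tom's caveat): Proxy ARP. The "lower system" keeps its public
# address from the Proxy ARP document and must copy the firewall's eth0 mask
# and gateway. The firewall eth0 address and the /24 mask are assumptions.
FIREWALL_ETH0 = "130.252.100.17/24"
PROXY_ARP_HOST = {"eth0": "130.252.100.18/24"}

def proxy_arp_host_ok(host_ifaces, firewall_eth0, gateway):
    """Proxy ARP rule: host subnet equals the firewall's eth0 subnet, and the
    (external) gateway is reachable on that link from the host."""
    host_net = ipaddress.ip_interface(host_ifaces["eth0"]).network
    fw_net = ipaddress.ip_interface(firewall_eth0).network
    return host_net == fw_net and validate_default_gateway(host_ifaces, gateway)[0]

if __name__ == "__main__":
    print(validate_default_gateway(DMZ_HOST, DMZ_GATEWAY))  # (True, 'eth0')
    print(validate_default_gateway(DMZ_HOST, DSL_ROUTER))   # (False, '130.252.100.1 is not on-link; the host has no route to it')
    print(proxy_arp_host_ok(PROXY_ARP_HOST, FIREWALL_ETH0, DSL_ROUTER))  # True
```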
Once again, thank you for the detailed information provided. I will keep that in mind. It was a great help.

Trifon

Visit my Web Site: http://www.dbaclick.com
Tons of Oracle DBA's scripts, articles, manuals and documents
My profile: http://profiles.yahoo.com/clio_usa