On Thu, 2003-10-23 at 08:09, Adam Scriven wrote:
> I'm thinking about moving my public server (behind the FW) to a
> DMZ, but I
> don't have another network card for it yet.
> So, I'm wondering if I can set it up using the interface alias
> setups?
> Is this possible, and a desirable way of doing a setup like this?
If you plan to use Proxy ARP, then you won't be able to test this way
(you will have two hosts responding to ARP requests for the external
address).
If you plan to use static NAT or port forwarding, then you can test this
way.
> And are
> there any security issues with this that I may not have realised (over and
> above having everything on one big network)?
If you use port forwarding with masquerade/SNAT, a clever hacker on your
external subnet could launch attacks through your firewall unless you
use MAC validation on your DMZ.
Regardless of how you manage your DMZ, when you make the change to place
your server behind your firewall, you will have an issue with the ARP
cache in your ISP's router. This issue is discussed in the Shorewall
Proxy ARP documentation.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
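A quick way to confirm the Proxy ARP problem Tom describes (two hosts answering ARP for the same external address) is to capture ARP traffic with `tcpdump -n -e arp` on the external wire and look for one IP that is claimed by more than one MAC. The following script is an added example, not part of this thread or of Shorewall; it parses constructed tcpdump-style ARP reply lines (the addresses and MACs are made up for the example) and reports any IP with multiple responders.

```python
import re
from collections import defaultdict

# Matches the "Reply <ip> is-at <mac>" portion of a tcpdump ARP line.
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

# Constructed sample capture: 203.0.113.10 is answered by two different MACs
# (the firewall doing Proxy ARP plus the aliased server on the same wire),
# while 203.0.113.11 has a single responder.
SAMPLE_CAPTURE = """\
08:09:01.000100 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 28
08:09:01.000250 ARP, Reply 203.0.113.10 is-at 02:00:5e:00:00:01, length 28
08:09:01.000310 ARP, Reply 203.0.113.10 is-at 02:00:5e:00:00:02, length 28
08:09:02.000100 ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 28
08:09:02.000250 ARP, Reply 203.0.113.11 is-at 02:00:5e:00:00:03, length 28
"""


def responders_by_ip(capture_text):
    """Map each IP seen in an ARP reply to the sorted set of MACs claiming it."""
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        match = ARP_REPLY.search(line)
        if match:
            ip, mac = match.group(1), match.group(2).lower()
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items()}


def duplicate_responders(capture_text):
    """Return only the IPs that more than one MAC answered for."""
    return {ip: macs for ip, macs in responders_by_ip(capture_text).items()
            if len(macs) > 1}


if __name__ == "__main__":
    # Run stand-alone against the constructed capture; pipe real tcpdump
    # output into responders_by_ip() to check a live segment.
    for ip, macs in duplicate_responders(SAMPLE_CAPTURE).items():
        print(f"{ip} answered by {len(macs)} hosts: {', '.join(macs)}")
```

If any address shows up with two responders, the external router's ARP cache will flap between them, which is the same cache problem the Proxy ARP documentation warns about when the server is moved behind the firewall.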