I am changing provider. The new provider gives out five public dynamic IP addresses. Is there any way to get a Shorewall box to snag more than one IP address, and then proxy-arp? I'm guessing that the answer is "No", but hey, you never know. Is there any other way that I could actually use my additional IPs for my internal systems, and still use Shorewall for protection? Bridging?
On Fri, 2004-11-26 at 09:53 +0100, Jan Johansson wrote:
> Bridging?

That's what I would do. Configure the bridge with a dynamic IP address and then simply run DHCP clients on the systems behind the firewall. You could set up a three-interface router/bridge in a manner similar to what is described at the bottom of the Shorewall Bridge documentation (http://shorewall.net/bridge.html).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Fri, 2004-11-26 at 07:29 -0800, Tom Eastep wrote:
> On Fri, 2004-11-26 at 09:53 +0100, Jan Johansson wrote:
> > Bridging?
>
> That's what I would do. Configure the bridge with a dynamic IP address
> and then simply run DHCP clients on the systems behind the firewall. You
> could set up a three-interface router/bridge in a manner similar to what
> is described at the bottom of the Shorewall Bridge documentation
> (http://shorewall.net/bridge.html).

There is one fly in this ointment (that's a English colloquial expression meaning "there is one problem"): in order to access the local network from the DMZ, each DMZ host must have a route to the local network that is gatewayed through the router/firewall. DHCP clients generally have a way to execute commands after an IP address is assigned, but the command to be executed isn't static. Since the IP address of the bridge is dynamic, so is the gateway address. This will require some trickery (probably involving dynamic DNS).

-Tom
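One way to do the "trickery" Tom describes above, as an added example that is not part of the thread or of Shorewall: a POSIX-shell dhclient exit hook for a DMZ host on the bridged segment. Every time the host gets a lease it resolves the firewall's dynamic-DNS name and pins a route to the local network via that address. Everything concrete in it is a hypothetical assumption: that the firewall publishes its current bridge address under the DDNS name fw.example.net, that the local network behind the firewall is 192.168.1.0/24, and that ISC dhclient sources /etc/dhclient-exit-hooks with $reason, $new_ip_address and $new_subnet_mask set. The resolver output it is tested against is constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: a dhclient exit hook
# for a DMZ host on the bridged segment. After each lease it resolves the
# firewall's dynamic-DNS name and installs a route to the local network via it.
#
# Assumptions (all hypothetical):
#   - the firewall publishes its current bridge address under fw.example.net
#   - the local (protected) network behind the firewall is 192.168.1.0/24
#   - ISC dhclient sources /etc/dhclient-exit-hooks with $reason,
#     $new_ip_address and $new_subnet_mask set

LOCAL_NET="192.168.1.0/24"
FW_DDNS_NAME="fw.example.net"

# Constructed resolver output in "getent hosts" format, for offline testing.
# The IPv6 line is there to show that first_ipv4 skips it.
SAMPLE_RESOLVER_OUTPUT='2001:db8::10      fw.example.net
203.0.113.10      fw.example.net'

# Print the first IPv4 address found in "address name" lines (nothing if none).
first_ipv4() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1; exit }'
}

# Strict dotted-quad check: four octets, each 0-255, no leading zeros
# (shell arithmetic may otherwise read "010" as octal).
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Dotted quad -> 32-bit integer (expects an address that passed valid_ipv4).
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when $1 and $2 fall in the same network under dotted netmask $3.
same_subnet() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Pick the gateway: the resolved address must be a well-formed IPv4 on the
# same subnet as our own lease. A DNS answer is routing input the host cannot
# verify, so this bounds what a spoofed record can do: a "gateway" that is
# not on-link is rejected, and an attacker who can forge an on-link one
# already has to be on the same segment.
choose_gateway() {
    # $1 resolver output, $2 our leased address, $3 our subnet mask
    gw=$(first_ipv4 "$1")
    [ -n "$gw" ] || return 1
    valid_ipv4 "$gw" || return 1
    valid_ipv4 "$2" && valid_ipv4 "$3" || return 1
    same_subnet "$gw" "$2" "$3" || return 1
    printf '%s\n' "$gw"
}

install_route() {
    logger -t dhclient-exit-hooks "route $LOCAL_NET via $1"
    ip route replace "$LOCAL_NET" via "$1"
}

# dhclient-script sets $reason; only act when a lease was (re)acquired.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        resolved=$(getent hosts "$FW_DDNS_NAME" 2>/dev/null) || resolved=""
        if gw=$(choose_gateway "$resolved" "${new_ip_address:-}" "${new_subnet_mask:-}"); then
            install_route "$gw"
        else
            logger -t dhclient-exit-hooks "no usable gateway for $LOCAL_NET from $FW_DDNS_NAME"
        fi
        ;;
esac
```

Install it as /etc/dhclient-exit-hooks (the path and the hook mechanism vary by distribution and dhclient version; check your dhclient-script). It covers only the DMZ side: the firewall still has to update the fw.example.net record whenever its own bridge lease changes, which the same kind of exit hook on the firewall can do with your DDNS provider's update client.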
On Fri, 2004-11-26 at 08:21 -0800, Tom Eastep wrote:
> On Fri, 2004-11-26 at 07:29 -0800, Tom Eastep wrote:
>
> There is one fly in this ointment (that's a English colloquial
> expression meaning "there is one problem"):

And since I'm giving an English lesson today, that should have been "...*an* English colloquial expression...". As is always the case with my posts, you should "Read what I mean, not what I write" :-)

-Tom
> There is one fly in this ointment (that's a English colloquial
> expression meaning "there is one problem"):

...or as a friend put it, "There's one penguin in this popsicle..."

> In order to access the local network from the DMZ, each DMZ host must
> have a route to the local network that is gatewayed through the
> router/firewall.

Well, this is my home network, so my DMZ is only used for access to the internet. (I kinda use that interface whenever a friend says: "Hey, I think I have a virus on my system, can you clear it out for me?")

> Since the IP address of the bridge is dynamic, so is the gateway
> address. This will require some trickery (probably involving dynamic
> DNS).

I was thinking about dynamic DNS, since I kinda like using hostnames for my internal boxes.
> And since I'm giving an English lesson today, that should have been
> "...*an* English colloquial expression...".

An American giving lessons in proper use of the English language? You don't see THAT every day ;)

> As is always the case with my posts, you should "Read what I mean, not
> what I write" :-)

A high school teacher once told me "Do what I think and not what I tell you!" I spent the rest of that day at my desk with my arms crossed. He never got the message.....