Lars Erik Dangvard Jensen
2008-Dec-30 23:28 UTC
Proxy ARP'ing and NAT'ing on the same NICs
Hello list

eth0 is the public interface and eth1 is supposed to be connected to a private lan using proxy arp and nat.

Is it possible to use eth1 with both proxy arp and nat, or will this cause problems?

I have proxy arp and nat working on another shorewall, but that's with 4 interfaces (separate proxy arp and nat interfaces).

Thanks.

Lars
Lars Erik Dangvard Jensen wrote:
> Hello list
>
> eth0 is the public interface and eth1 is supposed to be connected to a
> private lan using proxy arp and nat.
>
> Is it possible to use eth1 with both proxy arp and nat, or will this
> cause problems?
>
> I have proxy arp and nat working on another shorewall, but that's with 4
> interfaces (separate proxy arp and nat interfaces).

Should work fine.
Lars Erik Dangvard Jensen
2008-Dec-31 12:52 UTC
Re: Proxy ARP'ing and NAT'ing on the same NICs
Shorewall Guy wrote:
> Lars Erik Dangvard Jensen wrote:
>> Hello list
>>
>> eth0 is the public interface and eth1 is supposed to be connected to a
>> private lan using proxy arp and nat.
>>
>> Is it possible to use eth1 with both proxy arp and nat, or will this
>> cause problems?
>>
>> I have proxy arp and nat working on another shorewall, but that's with 4
>> interfaces (separate proxy arp and nat interfaces).
>
> Should work fine.

Ok, the zones dmz1 (NAT) and dmz2 (Proxy ARP) obviously can't be on the same interface unless using parallel or nested zones.

Can the proxy arp zone be a nested zone of the nat zone? Or do I have to use parallel zones?

Thanks.

/Lars
Lars Erik Dangvard Jensen wrote:
> Shorewall Guy wrote:
>> Lars Erik Dangvard Jensen wrote:
>>> Hello list
>>>
>>> eth0 is the public interface and eth1 is supposed to be connected to a
>>> private lan using proxy arp and nat.
>>>
>>> Is it possible to use eth1 with both proxy arp and nat, or will this
>>> cause problems?
>>>
>>> I have proxy arp and nat working on another shorewall, but that's with 4
>>> interfaces (separate proxy arp and nat interfaces).
>>
>> Should work fine.
>
> Ok, the zones dmz1 (NAT) and dmz2 (Proxy ARP) obviously can't be on the
> same interface unless using parallel or nested zones.
>
> Can the proxy arp zone be a nested zone of the nat zone? Or do I have
> to use parallel zones?

Proxy arp is a way to trick L2 into sending packets to the router; NAT rewrites IP addresses in the IP header. These are IP-related features that have nothing to do with security.

Zones are security objects. So there is no reason to have separate security zones for the two classes of servers. They would be useless anyway since once a server is successfully rooted, the attacker has full access to the other servers on the LAN segment without going through the firewall.

I will warn you that what you are trying to do can be a real PITA to get working if the NAT servers need to communicate with the Proxy ARPed servers or vice versa. In each server, you will need to configure direct routes to the servers of the other type. Split DNS is a must.
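The single-zone layout this reply recommends, written out as an added example configuration (not from the list post or the Shorewall project): one dmz zone on eth1 carrying both a proxy ARP'd server and a one-to-one NAT'd server, plus the per-server direct routes and split-DNS caveat from the reply. All addresses are constructed from documentation ranges, and the servers' LAN interface is assumed to be eth0.

```text
# /etc/shorewall/zones -- one zone for the whole eth1 segment, as the reply advises
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4

# /etc/shorewall/interfaces -- eth0 public, eth1 the shared proxy ARP / NAT segment
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
dmz     eth1        detect

# /etc/shorewall/proxyarp -- this server keeps its public address on the dmz segment;
# the firewall answers ARP for it on eth0 and adds a host route out eth1 (HAVEROUTE=No)
# (constructed address)
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
192.0.2.20      eth1        eth0        No

# /etc/shorewall/nat -- one-to-one NAT: public 192.0.2.21 <-> private 192.168.1.21
# (constructed addresses)
#EXTERNAL       INTERFACE   INTERNAL
192.0.2.21      eth0        192.168.1.21

# /etc/shorewall/policy -- the same zone policy covers both kinds of servers;
# separate zones would add nothing, since the hosts share one L2 segment anyway
#SOURCE  DEST  POLICY  LOG LEVEL
dmz      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info

# Direct routes the reply says each server needs so the two kinds can reach each
# other on the shared segment instead of hairpinning through the firewall:
#   on the NAT'd server 192.168.1.21:       ip route add 192.0.2.20/32 dev eth0
#   on the proxy ARP'd server 192.0.2.20:   ip route add 192.168.1.0/24 dev eth0
#
# Split DNS: inside the segment the NAT'd server's name must resolve to
# 192.168.1.21, not to its public 192.0.2.21, or the direct route is never used.
```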
Lars Erik Dangvard Jensen
2009-Jan-01 20:18 UTC
Re: Proxy ARP'ing and NAT'ing on the same NICs
Shorewall Guy wrote:
> Zones are security objects. So there is no reason to have separate
> security zones for the two classes of servers. They would be useless
> anyway since once a server is successfully rooted, the attacker has full
> access to the other servers on the LAN segment without going through the
> firewall.
>
> I will warn you that what you are trying to do can be a real PITA to get
> working if the NAT servers need to communicate with the Proxy ARPed
> servers or vice versa. In each server, you will need to configure direct
> routes to the servers of the other type. Split DNS is a must.

No problem using one zone, I just normally separate subnets/nics in different zones so had to adjust this :)

Thanks.

/Lars