You forget one thing: there are 10 other machines (addresses 3 to 13) that need not be firewalled, and must be accessible from ANY other host, either internally or externally, without passing through the FW. The second group really is not a problem, since they are just virtual addresses for a machine in the first group, which firewalls itself! However, users in the third, internal group should access these machines directly. About proxy-arping 230 machines: what commands would you suggest for doing that? The way I used for a small group played havoc with some network monitoring tools!
On 26 Sep 2003 at 9:25, Fraser Campbell wrote:
> On Wednesday 24 September 2003 10:47, Leonardo Boselli wrote:
>
> > I have a /24 subnet.
> > .1 is the gateway and almost all IPs from 2 to 254 are occupied.
> > I would like to split the hosts into three groups:
> > 12 that can have full access, 12 through one firewall and the other 205
> > through a second firewall.
> > I cannot change the number of some machines, so the only option is
> > that the first 12 and the two firewalls are .2 to .14,
> > the second group is .18 to .29 and the third would keep its present
> > numbers between .36 and .254.
>
> Why not have a single firewall? If you want to have two firewalls make an HA
> cluster out of them. If you are interested in physically separating the
> subnets then I would just put extra interfaces on the firewall (basically
> multiple DMZs).
>
> - assume subnet is 1.1.1.0/24
> - all machines behind firewall get 1.1.1.0/24 subnet
> - firewall gets 1.1.1.2/24 assigned to its external interface (side facing
> router)
> - firewall does proxy arp for all IPs in the subnet on its external interface
> - if you like, firewall does proxy arp for 1.1.1.1 on its internal interface
> and then machines shouldn't even have to change their gateway
> - firewall rules are written as you require. Even though the subnet
> 1.1.1.0/28 doesn't really exist you can write your firewall rules in that
> way

--
Leonardo Boselli
Nucleo Informatico e Telematico del Dipartimento Ingegneria Civile
Universita` di Firenze , V. S. Marta 3 - I-50139 Firenze
tel +39 0554796431 cell +39 3488605348 fax +39 055495333
http://www.dicea.unifi.it/~leo
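The per-host proxy ARP setup asked about above, as an added example written for this thread rather than taken from it. It assumes a Linux firewall with iproute2, that eth0 faces the router and eth1 faces the hosts, that the subnet is the 1.1.1.0/24 from Fraser's reply, and that the .36-.254 group is the one sitting behind this firewall; none of those interface names or ranges come from the thread. It deliberately uses static `ip neigh ... proxy` entries instead of the interface-wide net.ipv4.conf.eth0.proxy_arp sysctl: with the sysctl on, the kernel answers ARP for every address it can route out another interface, so it would also claim the .3-.13 hosts that must stay directly reachable, and it answers for far more addresses than the monitoring tools expect to see behind one MAC. With static entries the firewall answers only for the addresses listed. The kernel still requires forwarding to be enabled and a route to each proxied address via an interface other than the one the request arrives on, which is why a /32 route out the inside interface is added per host.

```shell
#!/bin/sh
# Added example, not code from the thread: per-host proxy ARP on a Linux
# firewall for the 1.1.1.0/24 layout discussed above. Interface names,
# the prefix and the host range are assumptions; adjust to the real topology.

EXT_IF="${EXT_IF:-eth0}"      # assumed: interface facing the router (.1)
INT_IF="${INT_IF:-eth1}"      # assumed: interface facing the firewalled hosts
PREFIX="${PREFIX:-1.1.1}"     # first three octets of the /24
DRY_RUN="${DRY_RUN:-1}"       # 1 = only print the commands, 0 = apply them

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emit, in "ip -batch" syntax (no leading "ip"), the two entries needed per
# host in [first, last]: a /32 route out the inside interface (so the proxy
# entry is honoured: the route must leave via a different interface than the
# one the ARP request arrives on) and the proxy ARP entry on the outside
# interface, so the router sends that host's traffic to the firewall's MAC.
# Usage: gen_proxy_arp_cmds FIRST LAST
gen_proxy_arp_cmds() {
    first=$1
    last=$2
    i=$first
    while [ "$i" -le "$last" ]; do
        echo "route replace ${PREFIX}.${i}/32 dev ${INT_IF}"
        echo "neigh replace proxy ${PREFIX}.${i} dev ${EXT_IF}"
        i=$((i + 1))
    done
}

# Number of hosts in [first, last]; a sanity check before pushing several
# hundred entries into the kernel.
count_hosts() {
    echo $(( $2 - $1 + 1 ))
}

# Apply (or print) the entries for one host range in a single ip(8) batch
# instead of forking ip once per address.
apply_range() {
    if [ "$DRY_RUN" -eq 1 ]; then
        gen_proxy_arp_cmds "$1" "$2" | sed 's/^/ip /'
    else
        gen_proxy_arp_cmds "$1" "$2" | ip -batch -
    fi
}

main() {
    # Forwarding is required for the proxy entries to be answered at all.
    run sysctl -w net.ipv4.ip_forward=1
    # Keep the blanket mode off: with it on the kernel answers ARP for every
    # address it can route, including hosts that must stay directly reachable.
    run sysctl -w "net.ipv4.conf.${EXT_IF}.proxy_arp=0"
    # Assumed: the .36-.254 group is behind this firewall. The .2-.14 hosts
    # are not listed, so nothing but the hosts themselves answers ARP for them.
    echo "# proxying $(count_hosts 36 254) hosts"
    apply_range 36 254
}

main
```

Run it once with the default DRY_RUN=1 to review the generated `ip route` and `ip neigh` lines, then with DRY_RUN=0 to apply; `ip neigh show proxy` lists what the firewall is now answering for, and an `arping -I <iface> 1.1.1.40` from the router side should come back with the firewall's MAC while `arping` for 1.1.1.5 still reaches the host itself.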

