At 09:37 06/07/00 +0930, Ben Nagy wrote:
>I'm not an IPChains guru by any stretch of the imagination, but...

Nor am I, I have to confess!

>I suspect the problem lies with the RedHat box not knowing to answer ARP
>queries for the IP address it's providing a NAT mapping for. You could check
>this with tcpdump - look for lots of arp requests for the public IP which
>aren't getting answered.

I don't think ARP is needed here. For external hosts, there should be an
explicit route that at some time arrives on the firewall. Then, the packets
should be translated by this FW. So, no one needs to know the MAC address
corresponding to the second address. ARP would only be needed in a situation
like when the FW protects hosts using addresses that are in the same network
as those of other hosts. But this should be a rare situation.
Note that this is just an opinion, so I am ready to throw it away for no
money as soon as somebody convinces me that it is unfounded....   ;-)


>An easy (if horribly ugly) way that springs to mind is to add the second IP
>address to the external NIC as a secondary.

I don't find this ugly at all. Since no (other) host is configured to have
this address, I find it natural to configure the FW external address with it.
So, I'd vote for this even when "correct ARP" is not needed.


regards
mouss
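The check Ben suggests (lots of ARP requests for the public IP that nobody answers) can be automated over tcpdump's text output. The script below is an added example, not from either poster; it assumes `tcpdump -n` style output on stdin, accepts both the old `arp who-has ...` and the newer `ARP, Request who-has ...` line formats, and runs against a constructed sample capture using documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread): count ARP requests for each address
# against the replies seen for it, reading tcpdump's text output on stdin.
# Handles both the old "arp who-has X tell Y" / "arp reply X is-at M" lines
# and the newer "ARP, Request who-has X tell Y" / "ARP, Reply X is-at M" lines.

# Constructed sample capture. Assumed scenario: 203.0.113.10 is the second
# public address the firewall NATs for and nobody answers ARP for it;
# 203.0.113.20 is a normal host that does answer.
SAMPLE_ARP='09:37:01.100 arp who-has 203.0.113.10 tell 203.0.113.1
09:37:02.100 arp who-has 203.0.113.10 tell 203.0.113.1
09:37:02.200 arp who-has 203.0.113.20 tell 203.0.113.1
09:37:02.201 arp reply 203.0.113.20 is-at 00:50:56:aa:bb:cc
09:37:03.100 arp who-has 203.0.113.10 tell 203.0.113.1'

# Print "<ip> <requests> <replies>" per address asked about, sorted by address.
arp_summary() {
  awk '
    {
      for (i = 1; i <= NF; i++) {
        if ($i == "who-has") { req[$(i+1)]++; seen[$(i+1)] = 1 }
        if ($i == "is-at")   { rep[$(i-1)]++; seen[$(i-1)] = 1 }
      }
    }
    END { for (ip in seen) printf "%s %d %d\n", ip, req[ip] + 0, rep[ip] + 0 }
  ' | sort
}

# Succeed (exit 0) when $1 was asked for by ARP but never answered, the symptom
# Ben describes; fail otherwise (including when $1 never appears at all).
arp_unanswered() {
  line=$(arp_summary | awk -v ip="$1" '$1 == ip')
  [ -n "$line" ] || return 1
  set -- $line
  [ "$2" -gt 0 ] && [ "$3" -eq 0 ]
}

# Stand-alone run against the constructed sample (live use would be
# something like: tcpdump -n -i eth0 arp | arp_unanswered <public-ip>):
printf '%s\n' "$SAMPLE_ARP" | arp_summary
if printf '%s\n' "$SAMPLE_ARP" | arp_unanswered 203.0.113.10; then
  echo "203.0.113.10: ARP requests seen but never answered"
fi
```

If the check succeeds for the NAT address, adding that address to the external NIC as a secondary (as both posters end up favouring) makes the firewall answer ARP for it.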

