Hi!
No, You are right, the ARP does NOT take You ALL the way. It shouldn't.
"don't seem to help me to see (with pings) DMZ hosts from non-DMZ ones. My NICs'
configuration is the following:"
***Should not work just because You set up proxy arp.
Something like this DOES work:
            ROUTER
              !
              !eth0
          firewall ---------DMZ
              !         eth1
              !
              !eth2
              !
          Local net
Let's say:
Router: x.x.1.1
eth0: x.x.1.2
eth1: x.x.1.3
eth2: 192.168.1.254
Same netmask for all.
First step:
a) Proxy arp on FIREWALL:
arp -s x.x.1.1 MAC_address_of_eth0 pub
arp -s x.x.1.2 MAC_address_of_eth0 pub
arp -s x.x.1.3 MAC_address_of_eth0 pub
arp -s x.x.1.4 MAC_address_of_eth0 pub
b) Set up routes and gateways where needed.
Local net should have Gateway 192.168.1.254
c) Using IPCHAINS You now set up ip auto forwarding between appropriate interfaces
and MASQUERADING where needed. For instance for access from Local net to Internet and DMZ.
d) NOW You can start restricting access by implementing ipchains rules.
I repeat that I think You should go for newer distribution/packages.
If You look at the 3NIC example in Rusty's IPCHAINS Howto - it is correct with
one reservation in your case:
you have to have the proxy arp as I describe above.
HTH
//OLAS
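Ola's steps a) to c), written out for the layout in the diagram as an added example (not a script from this thread). It assumes net-tools arp and an ipchains-era kernel; the interface names, the two DMZ hosts, and all addresses and MACs are constructed sample values, and with the default DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example for the layout in Ola's diagram: router on the external
# segment, eth0 external, eth1 DMZ (same public /24 as eth0), eth2 private LAN.
# Addresses and MACs are constructed sample values. DRY_RUN=1 (default) only
# prints the commands; as root on an ipchains-era kernel, DRY_RUN=0 runs them.
DRY_RUN=${DRY_RUN:-1}
ROUTER=203.0.113.1                              # upstream router
EXT_IF=eth0; EXT_MAC=00:00:5e:00:53:01          # external NIC and its MAC
DMZ_IF=eth1; DMZ_MAC=00:00:5e:00:53:02          # DMZ NIC and its MAC
LAN_IF=eth2; LAN_NET=192.168.1.0/24             # private LAN behind eth2
PUBLIC_NET=203.0.113.0; PUBLIC_MASK=255.255.255.0
DMZ_HOSTS="203.0.113.10 203.0.113.11"           # hosts behind eth1

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# a) Proxy ARP, published per interface (-i): the external segment must
#    resolve each DMZ host to eth0's MAC, and the DMZ segment must resolve
#    the router to eth1's MAC, or replies from the DMZ never find the firewall.
proxy_arp() {
  for h in $DMZ_HOSTS; do
    run arp -i "$EXT_IF" -s "$h" "$EXT_MAC" pub
  done
  run arp -i "$DMZ_IF" -s "$ROUTER" "$DMZ_MAC" pub
}

# b) Routes. eth0 and eth1 share one /24, so each DMZ host needs a host route
#    via eth1; the rest of the /24 and the default route leave via eth0.
routes() {
  run route add -net "$PUBLIC_NET" netmask "$PUBLIC_MASK" dev "$EXT_IF"
  for h in $DMZ_HOSTS; do
    run route add -host "$h" dev "$DMZ_IF"
  done
  run route add default gw "$ROUTER"
  run sysctl -w net.ipv4.ip_forward=1
}

# c) Forwarding. Deny by default, masquerade the private LAN towards both the
#    Internet and the DMZ, and pass public<->DMZ traffic in both directions.
#    In the ipchains forward chain, -i names the interface the packet leaves on.
forwarding() {
  run ipchains -P forward DENY
  run ipchains -A forward -s "$LAN_NET" -i "$EXT_IF" -j MASQ
  run ipchains -A forward -s "$LAN_NET" -i "$DMZ_IF" -j MASQ
  run ipchains -A forward -d "$PUBLIC_NET/24" -i "$DMZ_IF" -j ACCEPT
  run ipchains -A forward -s "$PUBLIC_NET/24" -i "$EXT_IF" -j ACCEPT
}

proxy_arp; routes; forwarding
```

Step d), narrowing the ACCEPT rules down to the services each side really needs, is the part that comes after this works; the DENY policy is what makes later rules a whitelist rather than an afterthought.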
Guillermo Gómez Valcárcel wrote:
> Thanks Ola for your reply, but I think this does not fulfil our requirements.
>
> We have 2 NICs on the firewall and a router on the same subnet. To begin, I want
> the DMZ and non-DMZ hosts to be accessible from both sides, and to implement the
> rules that limit that access later. Can I implement this with arp? Must I divide
> my subnet in two and implement IP forwarding?
>
> I have tried what Ola Samuelson suggested, although it is not valid for me
> because I want all the hosts to be able to see each other. In any case, the
> commands:
>
> arp -s x.x.x.3 MAC_address_of_NIC_at_x.x.53.4 pub
> arp -s x.x.x.4 MAC_address_of_NIC_at_x.x.53.4 pub
>
> don't seem to help me to see (with pings) DMZ hosts from non-DMZ ones. My NICs'
> configuration is the following:
>
> Network 0 (ifcfg-eth0) (external):
> DEVICE=eth0
> BOOTPROTO=static
> IPADDR=x.x.x.3
> NETMASK=255.255.255.0
> NETWORK=x.x.x.0
> BROADCAST=x.x.x.255
> GATEWAY=x.x.x.1
> ONBOOT=yes
>
> Network 1 (ifcfg-eth1) (internal LAN):
> DEVICE=eth1
> BOOTPROTO=static
> IPADDR=x.x.x.4
> NETMASK=255.255.255.0
> NETWORK=x.x.x.0
> BROADCAST=x.x.x.255
> ONBOOT=yes
>
> and the arp -an output after the commands:
>
> ? (x.x.x.3) at * PERM PUP on eth1
> ? (x.x.x.4) at * PERM PUP on eth1
>
> Thanks for your time.
> Guillermo.
>
> ----- Original Message -----
> From: Ola Samuelson <[EMAIL PROTECTED]>
> To: Guillermo Gómez Valcárcel <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Wednesday, August 23, 2000 11:34 AM
> Subject: Re: Firewalling with 2 NIC's over a public class C network
>
> > Hi!
> > If this is what You want to do, some ideas .....
> >
> > Did this once before.
> > FW with 3 nics and a router.
> > 2 NICs and router on same subnet.
> > Proxy arp makes it work.
> >
> > Proxy arp is needed if they are on the same logical net but different NICs.
> > You may use the exactly same netmask and such for all nets.
> >
> > Something like this(not sure off hand) on the firewall machine:
> > arp -s x.x.53.2 MAC_address_of_NIC_at_x.x.53.3 pub
> > arp -s x.x.53.3 MAC_address_of_NIC_at_x.x.53.3 pub
> >
> > This solves following:
> > * Coming in on external IF and finding DMZ IF(net) via the MAC-address of the
> > External IF.
> >
> > Does not solve following:
> > * Forwarding, routing etc BUT now it CAN work
> >
> > Hint:
> > * I would use newer/other dist than 5.1 or reinstall new kernel/packages. For
> > security reasons, new features, ease of administration and stability. All of
> > these are important if You want to build a firewall.
> >
> > Hope I remember all this correctly..... :-)
> >
> >
> > HTH
> > //OLAS
> >
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]