At 09:46 25/10/00 +0930, Ben Nagy wrote:
>Not so hasty - I think he's got a solution there.
>
>If he's saying what I think he's saying then it can work:
>
>On the WWW box, have two NICs. NIC one is connected to FW1 and ISP1, NIC2 to
>FW2, ISP2. As long as each NIC has a _different_ default gateway it will
>work fine. You just have a NAT mapping at each ISP for the internal address
>of NIC1 and NIC2 respectively. Oh, and don't enable IP forwarding.
>
>This means that traffic from ISP1 comes in via NIC1. The response goes OUT
>via NIC1 and therefore uses ISP1 as the gateway.
I disagree here. Why would responses go through the same NIC? The outgoing NIC
is determined on the basis of the destination address, not of the source
address.
Let's look at it:
The webserver has received a request from 1.2.3.4 to one of its IP
addresses IP1 or IP2. Now it needs to send a response, that is a packet
from IP1 or IP2 to 1.2.3.4. To this end, the stack determines the outgoing
interface and the next hop. As far as I know, the latter are determined
using the destination address of the packet, that is 1.2.3.4 in our case.
The source address (IP?) is not used to determine the NIC nor the route.
Just an example: assume you have a firewall with an external interface and
an internal interface. Suppose the external address is 9.8.7.6 and the
internal is 10.0.0.1. Now, from the internal network, ping the external
address. Then you get a response from the firewall, with the source address
set to 9.8.7.6, but the outgoing interface is the internal one.
cheers,
mouss
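The route selection mouss describes, as an added example that is not part of the original thread: a toy forwarding table for the two-NIC web server and for the firewall in his ping example, with a lookup that does what a plain IP stack does, longest-prefix match on the destination address only. The prefixes, interface names and next-hop addresses are placeholders constructed for the illustration; 1.2.3.4, 9.8.7.6 and 10.0.0.1 are the values from the thread.

```python
import ipaddress

# Constructed forwarding table for the web server Ben describes: NIC1 faces
# FW1/ISP1, NIC2 faces FW2/ISP2, and each NIC has its own default gateway.
# Addresses are placeholders (documentation ranges), not from the thread.
IP1 = "198.51.100.10"   # address configured on NIC1
IP2 = "203.0.113.10"    # address configured on NIC2

WEB_SERVER_ROUTES = [
    # (destination prefix, outgoing interface, next hop; None = directly connected)
    ("198.51.100.0/24", "nic1", None),
    ("203.0.113.0/24",  "nic2", None),
    ("0.0.0.0/0",       "nic1", "198.51.100.1"),   # default via FW1 (listed first)
    ("0.0.0.0/0",       "nic2", "203.0.113.1"),    # second default via FW2
]

# Constructed table for mouss's firewall example: external 9.8.7.6, internal 10.0.0.1.
FIREWALL_ROUTES = [
    ("9.8.7.0/24",  "external", None),
    ("10.0.0.0/24", "internal", None),
    ("0.0.0.0/0",   "external", "9.8.7.1"),        # placeholder upstream gateway
]


def lookup(routes, src, dst):
    """Choose outgoing interface and next hop the way a plain IP stack does:
    longest prefix match on the DESTINATION only. `src` is accepted so the
    call looks like a real packet, but it is never consulted. Among routes
    with the same prefix length the first listed wins."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    # Directly connected destination: the next hop is the destination host itself.
    return best[1], best[2] or dst


def reply_path(routes, request_src, request_dst):
    """Route the reply to a request: the reply's source is the request's
    destination and the reply's destination is the request's source."""
    return lookup(routes, src=request_dst, dst=request_src)


if __name__ == "__main__":
    # Requests from 1.2.3.4 to IP1 and to IP2: both replies leave via nic1,
    # because only the destination (1.2.3.4) takes part in the lookup.
    print("reply from IP1:", reply_path(WEB_SERVER_ROUTES, "1.2.3.4", IP1))
    print("reply from IP2:", reply_path(WEB_SERVER_ROUTES, "1.2.3.4", IP2))
    # Ping from the internal network to the firewall's external address:
    # the reply carries source 9.8.7.6 but exits the internal interface.
    print("firewall ping reply:", reply_path(FIREWALL_ROUTES, "10.0.0.5", "9.8.7.6"))
```

Running it shows the reply sourced from IP2 taking nic1 and FW1's gateway, exactly the case mouss objects to: nothing in the lookup keys on the source address, so the second default route is never chosen for that traffic. The firewall case comes out the same way, with the reply to 10.0.0.5 leaving the internal interface despite its 9.8.7.6 source.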
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]