At 10:33 08/12/00 +1030, Ben Nagy wrote:
>[snip]
>Set up the external NIC on the firewall to own that whole 199.199.199.208
>subnet, and then create your internal and DMZ networks with private
>addresses. NAT in two pools - one pool for internal clients to use and one
>for DMZ hosts to use. Have static NAT mappings on the outside of the
>firewall for the DMZ hosts. Since both mail and web servers deal well with
>NAT you should be fine from a functionality point of view and you'll
>actually buy a bit more security as a bonus.
Isn't it possible to change the router routes using some routing
protocol, to tell it to send packets destined to the public addresses to the
external FW interface?
He could also just configure ARP requests to be answered by the external NIC
(for example, by setting static ARP entries via a script), no?
That said, I prefer the NAT approach, as subnetting networks when you don't
have a huge range is always a headache!
cheers,
mouss
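The two-pool NAT layout Ben describes, and the ARP question raised above, as an added example for a Linux iptables firewall (not code from either poster). The interface names, the private ranges and the individual host addresses inside 199.199.199.208/28 are constructed for this example.

```shell
# Constructed addressing: the external NIC owns 199.199.199.208/28 (the block
# named in the thread); internal and DMZ segments use private space. All host
# addresses and interface names below are assumptions for this example.
EXT_IF=eth0; INT_IF=eth1; DMZ_IF=eth2
INT_NET=10.0.1.0/24; DMZ_NET=10.0.2.0/24
POOL_INT=199.199.199.210   # pool address for internal clients
POOL_DMZ=199.199.199.211   # pool address for DMZ hosts' own outbound traffic
MAIL_PUB=199.199.199.212; MAIL_PRIV=10.0.2.25   # static mapping, mail server
WEB_PUB=199.199.199.213;  WEB_PRIV=10.0.2.80    # static mapping, web server

# Run a command, or print it when DRY_RUN=1 so the ruleset can be reviewed
# on a box without iptables. Usage: assign_public_addresses; nat_rules; filter_rules
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Because the public addresses are configured on the external NIC, the kernel
# answers ARP for them itself: the upstream router on the same /28 resolves
# them directly, so no static-ARP script or routing-protocol trick is needed.
assign_public_addresses() {
  for a in "$POOL_INT" "$POOL_DMZ" "$MAIL_PUB" "$WEB_PUB"; do
    run ip addr add "$a/32" dev "$EXT_IF"
  done
}

nat_rules() {
  # Static one-to-one mappings first, so the DMZ pool rule below does not
  # catch the servers' own outbound traffic.
  for pair in "$MAIL_PUB:$MAIL_PRIV" "$WEB_PUB:$WEB_PRIV"; do
    pub=${pair%%:*}; priv=${pair##*:}
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" -j DNAT --to-destination "$priv"
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" -j SNAT --to-source "$pub"
  done
  # Two pools: internal clients and remaining DMZ hosts each leave via their own address.
  run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$POOL_INT"
  run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$DMZ_NET" -j SNAT --to-source "$POOL_DMZ"
}

# The security bonus: only the mapped services are reachable from outside,
# and DMZ hosts cannot initiate connections into the internal network.
filter_rules() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$EXT_IF" -d "$MAIL_PRIV" -p tcp --dport 25 -j ACCEPT
  run iptables -A FORWARD -i "$EXT_IF" -d "$WEB_PRIV" -p tcp --dport 80 -j ACCEPT
  run iptables -A FORWARD -i "$INT_IF" -j ACCEPT                # inside may go anywhere
  run iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -j ACCEPT   # DMZ may only go out
}
```

With DRY_RUN=1 the three functions print the exact commands they would issue, which is a convenient way to review the rule order before applying it.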
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]