> - Use NAT and burn up CPU & memory on the firewall
> - Divide the IP address space in two or more subnets and lose some IP
> addresses as network & broadcast addresses
>
I generally advise against NAT where it can be avoided, since it potentially
introduces problems. NATs and stateful filters in general violate some of
the principles of TCP/IP (there are no UDP 'sessions', for instance) and
therefore aren't always a drop-in solution. They can and do work well in
many 'standard' architectures, but my reasoning goes something like, "why
use it when you don't need it?"
I'd just ask your ISP for another subnet between their router and yours. It
can even be RFC1918, if your ISP uses those, since their router will be the
only one capable of routing to you. That may confuse some people using
traceroute towards your network, but I don't think you should care about
that. :-)
> I know this setup has overlapping subnets, but I was hoping that, once the
> Linux box received a packet on eth2 to route from Subnet 2 to Subnet 1 (or
> to the internet), it would route it to/over Subnet 1.
>
> Unfortunately it never did. I may have made an error, so I will recheck
> things later on, but I wanted to get you guys' opinion about this.
>
The Linux box probably did route correctly, but the machines in the larger
subnet didn't know to pass packets for the smaller subnet to the Linux box.
You need to create a routing table entry pointing at the Linux box for the
smaller subnet. Your ISP's router will also need to know that you've split
up your network asymmetrically, unless you perform NAT (and proxy-arp, too,
I think, or your Linux box won't advertise itself as the destination for the
machines in the DMZ).
Cheers,
Tobias
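The longest-prefix-match behaviour Tobias describes, as an added example that is not part of the original thread: the addresses, the /24-with-a-/25-carved-out layout and the function names are constructed for illustration.

```python
import ipaddress

# Constructed example addresses (RFC 5737 documentation range), not the poster's.
SUBNET1 = ipaddress.ip_network("192.0.2.0/24")     # the larger subnet (DMZ side)
SUBNET2 = ipaddress.ip_network("192.0.2.128/25")   # smaller subnet carved out of it, behind eth2
LINUX_BOX = ipaddress.ip_address("192.0.2.10")     # Linux box's address on Subnet 1
ISP_ROUTER = ipaddress.ip_address("192.0.2.1")     # default gateway on Subnet 1
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def longest_prefix_match(routes, dst):
    """Return the (network, next_hop) entry with the longest prefix containing dst.
    next_hop None means 'directly connected': the host ARPs for dst itself."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in routes if dst in net]
    return max(matches, key=lambda entry: entry[0].prefixlen, default=None)


def subnet1_host_routes(specific_route):
    """Routing table of an ordinary host on Subnet 1, with or without the
    extra entry for Subnet 2 pointing at the Linux box."""
    routes = [(SUBNET1, None), (DEFAULT, ISP_ROUTER)]
    if specific_route:
        routes.append((SUBNET2, LINUX_BOX))
    return routes


def deliver(dst, specific_route=False, proxy_arp=False):
    """Simulate a Subnet 1 host sending to dst. Returns where the frame goes."""
    net, next_hop = longest_prefix_match(subnet1_host_routes(specific_route), dst)
    if next_hop is not None:
        return f"via {next_hop}"             # the /25 route or the default route won
    # The connected /24 won: the host broadcasts an ARP request on the Subnet 1 segment.
    if ipaddress.ip_address(dst) in SUBNET2:
        # The real owner sits behind eth2 and never sees that ARP request.
        if proxy_arp:
            return f"via {LINUX_BOX}"        # the Linux box answers ARP on its behalf
        return "dropped: no ARP reply"
    return "direct"                          # a genuine Subnet 1 neighbour


if __name__ == "__main__":
    for args in [("192.0.2.130",), ("192.0.2.130", True), ("192.0.2.130", False, True)]:
        print(args, "->", deliver(*args))
```

The ISP's router runs the same lookup over its own table, which is why it too needs the /25 entry (or NAT hides the split from it entirely).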
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]