On Wed, Jun 12, 2002 at 02:45:30AM -0400, Jefferson Ogata wrote:
> The FTP proxy doesn't theoretically require an IP address. It just sits inline 
> and adds rules as it observes PORT commands. It may not work, but there's no 
> reason it couldn't work theoretically in a bridge configuration.
> 
> There's no real reason NAT couldn't serve a limited function in a bridge 
> configuration as well. Just because an address gets translated doesn't mean 
> that the resulting address must reside on the firewall. It just needs to have 
> arp in place so it gets routed back. Again, I'm talking theory here, not practice.

I think this is all just a matter of semantics. In fact, NAT and
proxies do require an IP address. They just don't require it to be
assigned to an interface on the firewall. But if you're going to
add an arp entry pointing it at the firewall anyway, then for the
purposes of NAT and proxy the firewall does have an IP. It just
doesn't respond directly to it.

But this is all just splitting hairs.

-c
