> It just so happens I've got a lot of relevant Check Point experience here
> :-)
>
> First thing you should do is think about your goals -- SOHO use
> and large-scale corporate use present different needs. The DMZ is a
> large-scale corporate item (e.g. I'm getting paid so I might as well spend
> as much time as it takes to get this figured out).
>
> The typical corporate firewall looks like this:
>
>                 x.x.x.x
>                    |
>                firewall - 192.168.x.x dmz
>                    |
>                172.x.x.x
>
> The firewall is a stateful inspection engine with no support for proxy
> arp, so one to one NATs are done for each DMZ server and a one to many NAT
> is done for the inside network. Brand names don't matter -- this is what
> Check Point, Cisco, Gauntlet, &c will implement.
>
> For home use I don't see a lot of use for a DMZ. However, if you must have
> one, proxy arp should be avoided unless you don't have enough IP addresses
> to do what you want to do.
Ouch! Proxy-arp is my favorite way to set up a DMZ. I only use static-NAT
because the current FreeS/WAN IPSec code goes wacky if you've got two
interfaces configured with the same IP, and I don't have an IP to spare
(assign external and DMZ LRP interfaces with separate IPs). Where I can
spare the extra IP (and need to run IPSec) I use proxy-arp. It's much
easier to follow/create/verify the firewall rules...
Many more comments on the firewall stuff from David (hopefully later today),
but right now I've got to run...
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
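The three-legged layout quoted above (public side, DMZ on 192.168.x.x, inside on 172.x.x.x, a one-to-one NAT per DMZ server and a one-to-many NAT for the inside network), as an added example that is not part of this thread: an iptables script for a Linux firewall with a dry-run mode so the rule set can be reviewed before it is applied. It uses iptables rather than the ipchains tooling of LRP's era, and every address, interface name and the published port are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): three-legged firewall with 1:1 NAT for the
# DMZ and 1:many NAT for the inside network. All addresses are constructed.
EXT_IF=eth0; EXT_IP=203.0.113.10        # "x.x.x.x": the firewall's public address
DMZ_IF=eth1; DMZ_NET=192.168.1.0/24     # the 192.168.x.x DMZ leg
INT_IF=eth2; INT_NET=172.16.0.0/16      # the 172.x.x.x inside leg
# One public address per DMZ server, "public:private"; the upstream router is assumed
# to route these public addresses to the firewall, so no proxy arp is needed.
DMZ_MAP="203.0.113.11:192.168.1.11 203.0.113.12:192.168.1.12"
DMZ_PORT=80                             # the one service each DMZ host publishes (assumed)

# Apply a rule, or print it when DRY_RUN=1 so the rule set can be reviewed offline.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
  ipt -F FORWARD; ipt -t nat -F
  # Stateful inspection: replies to accepted flows pass; new flows are judged below.
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Anti-spoofing: packets entering a leg must carry that leg's source addresses.
  ipt -A FORWARD -i "$DMZ_IF" ! -s "$DMZ_NET" -j DROP
  ipt -A FORWARD -i "$INT_IF" ! -s "$INT_NET" -j DROP
  # Static (one-to-one) NAT per DMZ server, both directions, plus the one allowed service.
  for pair in $DMZ_MAP; do
    pub=${pair%%:*}; priv=${pair##*:}
    ipt -t nat -A PREROUTING  -i "$EXT_IF" -d "$pub"  -j DNAT --to-destination "$priv"
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" -j SNAT --to-source "$pub"
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$priv" -p tcp --dport "$DMZ_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
  done
  # A compromised DMZ host must not be able to open connections to the inside network.
  ipt -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP
  # Inside hosts may reach the DMZ and the Internet; outbound traffic is hidden behind
  # the firewall's own address (one-to-many NAT).
  ipt -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -j ACCEPT
  ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
  ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_IP"
}

# Print the rule set instead of applying it (review aid; also what the check below uses).
dry_run_rules() { ( DRY_RUN=1; build_rules ); }
# Number of one-to-one mappings emitted: one DNAT line per DMZ server.
count_dnat() { dry_run_rules | grep -c -- '-j DNAT'; }

if [ "${FW_APPLY:-0}" = 1 ]; then build_rules; fi
```

Run with `FW_APPLY=1` as root to apply; without it the script only defines the functions, and `dry_run_rules` prints the exact commands that would be issued.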
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel