Charles Steinkuehler wrote:

> One question: When you're running with just a private address for the DMZ interface, how does masqueraded traffic from an internal net show up on the DMZ? It seems like it would have the private IP of the firewall. Is that the case?

If you chose to masquerade it, yes. I don't masquerade loc->dmz traffic so the traffic just shows up with the sending host's IP address. If you wanted that traffic to show up with the firewall's external IP as the source address, you could add this to /etc/shorewall/masq:


#INTERFACE        SUBNET            ADDRESS
<dmz-interface>   <local net>       <external IP address>


> I would have thought that would cause problems (particularly if all systems are paranoid about route filtering, martian packets, etc), but it sounds like it worked OK. Thinking about it, I guess you'd probably be all right as long as the firewall system was always in the default route path for the DMZ machines, and the kernel's proxy-arp handling stays the same...

That's the key point. So long as the firewall answers ARP requests from the DMZ for the DMZ systems' default gateway, everything works.


-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
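The following is an added example, not code from the post above or from Shorewall itself: it spells out the plain iptables, sysctl and ip commands that do what the three-column /etc/shorewall/masq entry and the proxy-ARP arrangement Tom describes do, so the pieces can be checked one by one on a box. Shorewall generates its own chains rather than exactly these lines; the interface names (eth0, eth2), the local net 192.168.1.0/24, the firewall's external address 203.0.113.2 and the DMZ host 203.0.113.10 are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the list post or from Shorewall: the netfilter,
# sysctl and routing equivalents of the /etc/shorewall/masq entry
#   <dmz-interface>   <local net>   <external IP address>
# plus the proxy-ARP setting that lets the firewall answer ARP requests on
# the DMZ interface for the DMZ hosts' default gateway.
# Interface names and addresses are assumptions for illustration only.
set -eu

EXT_IF=eth0              # external interface (assumed)
DMZ_IF=eth2              # DMZ interface, carrying only a private address (assumed)
LOC_NET=192.168.1.0/24   # internal "loc" network (assumed)
EXT_IP=203.0.113.2       # firewall's public address (assumed)
DMZ_HOST=203.0.113.10    # a DMZ server with a public address (assumed)

# The masq entry with an ADDRESS column means SNAT to that fixed address for
# loc->dmz traffic leaving the DMZ interface. Leaving the entry out (Tom's
# own setup) just forwards the packets with the sending host's address.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$DMZ_IF" "$LOC_NET" "$EXT_IP"
}

# Proxy ARP. With proxy_arp=1 on an interface the kernel answers ARP requests
# arriving there for any address it routes out a *different* interface:
#  - on $DMZ_IF it therefore answers for the DMZ hosts' default gateway,
#    which lives on the external segment (the point Tom makes);
#  - on $EXT_IF it answers for $DMZ_HOST, which the host route below
#    places behind $DMZ_IF, so the outside can reach the DMZ server.
proxy_arp_setup() {
    printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$DMZ_IF"
    printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$EXT_IF"
    printf 'ip route add %s/32 dev %s\n' "$DMZ_HOST" "$DMZ_IF"
}

# Print the commands by default; execute them only when invoked as
# "apply" (needs root and a real firewall).
case "${1:-show}" in
    apply) snat_rule | sh; proxy_arp_setup | sh ;;
    *)     snat_rule; proxy_arp_setup ;;
esac
```

Run without arguments to see the commands; `./masq-dmz.sh apply` (any name will do) runs them. Whether the DMZ hosts then see the local net's real addresses or the firewall's external one depends only on whether the SNAT rule is loaded; either way their replies reach the firewall because it answers the ARP for their gateway.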



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html