On Sun, 2007-03-11 at 08:45 -0600, Hans Fugal wrote:
> I never said DMZ. A DMZ is an extra complication no matter how you look
> at it. I don't have extra firewall rules. The LAN is still limited to
> the LAN side. The public IPs are still only one set of firewall rules.
> The interaction between public and private is just as simple or
> complicated as it was - whether it's a deny policy (as NAT would be)
> with specific holes punched through, or an allow policy with specific
> ports blocked.
Gotcha. Note that NAT doesn't imply any firewall policy at all. There's
nothing intrinsically firewalling in nature about NAT. It's a simple
address translation (two ways). In other words it is just a way of
subnetting. The default would be whatever the FORWARD chain is set to.
The firewalls are applied as normal across this bridge (the FORWARD
chain).

> BTW, I didn't end up using any proxy arp at all. It's all routing, and
> it's not at all complicated; it's 4 static routes. The Cisco is broken
> for ICMP from the LAN, but it doesn't make a practical difference.

Yes. Given that you aren't implementing a DMZ, this is simplest. Are you
still giving each server two IP addresses? How is the routing dealing
with that? Does it require any special configuration of the servers
themselves?

Michael

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
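Michael's point above, that NAT by itself sets no policy and the FORWARD chain decides what crosses the box, is easier to see side by side in iptables terms. The script below is an added example written for this page; it is not from the PLUG thread or from either poster. It assumes a Linux router with eth0 public, eth1 on a 192.168.1.0/24 LAN, and a web server at 192.168.1.10 (all hypothetical). It only prints two iptables-restore rulesets: a NAT-only one where FORWARD keeps its default ACCEPT, and one with the same MASQUERADE plus an explicit deny-by-default FORWARD policy with a single DNAT hole punched through. Pass `apply` as the first argument to load the hardened ruleset (needs root and iptables-restore).

```shell
#!/bin/sh
# Added example, not part of the original thread. Interface names, LAN
# range and web host below are assumptions for illustration only.
PUB_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
WEB_HOST=192.168.1.10

# NAT only: address translation lives in the nat table; the filter
# table's FORWARD chain is left at its default ACCEPT. Anything that can
# get a packet routed to $LAN_NET (a static route on an upstream router,
# another leg on the same Cisco) is forwarded without inspection.
nat_only_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $PUB_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Same NAT, plus a real policy on FORWARD: drop by default, allow reply
# traffic by conntrack state, allow LAN -> public, and punch exactly one
# hole (public tcp/80 DNATed to the web host, admitted only as DNAT state).
nat_plus_forward_policy() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $PUB_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
-A POSTROUTING -s $LAN_NET -o $PUB_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $PUB_IF -j ACCEPT
-A FORWARD -i $PUB_IF -o $LAN_IF -p tcp -d $WEB_HOST --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Extract the FORWARD chain policy (ACCEPT or DROP) from a ruleset
# produced by one of the functions above, given by name.
forward_policy() {
  "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

case "${1:-show}" in
  apply) nat_plus_forward_policy | iptables-restore ;;
  show)  echo "# NAT only:  FORWARD policy is $(forward_policy nat_only_ruleset)"
         echo "# hardened:  FORWARD policy is $(forward_policy nat_plus_forward_policy)"
         nat_plus_forward_policy ;;
esac
```

The first ruleset is the trap: it looks like a "deny policy (as NAT would be)" only because nobody outside normally has a route to the private range. Once a static route exists, as in Hans's setup, the FORWARD chain is all that stands between the public side and the LAN, so the second ruleset states that policy explicitly and logs what the default drop catches.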