
Re: Firewall Public IP's?

Giacomo Mulas wrote:

> Another solution for even more complete transparency is to use a
> firewalling bridge, see http://bridge.sourceforge.net for more resources
> on that. The latter solution is probably the best, as it even allows to
> set up two identical machines side by side, and they will automagically
> agree that one actually does bridging while the other sits in standby,
> ready to take over with virtually no downtime should the first one fail
> (hardware problems hurt...). But this extra flexibility comes at a cost:
> you have to patch the kernel, learn to use some more user space tools to
> handle the bridging part, probably use both iptables and ebtables (you
> find patches and user space tools at the URL above), the former to handle
> IP, the latter to handle firewalling of network protocols other than IP.
> The (simpler) working solution I have here is just based on
> proxy-arp+iptables.

You can do all of this very simply with 2 gates, vrrpd and a little script (to
activate proxy-arp on the spare box).

> > I would probably have a dhcp server setup to assign the
> > workstations their IP's and set their gateway to that of
> > the Debian's eth1. (x.x.x.252)
> which means that you can easily handle the configuration of the clients
> and don't need proxy-arp.

You'll need it on the side of the cisco.

Wacquiez Sébastien
