
Re: Need advice about isolating a host in the DMZ



In article <1040204536.12811.100.camel@parker> haim@consonet.com writes:
>create a second DMZ, but that would cost me the loss of three IPs, so
>I'm trying to figure out ways to isolate him without putting it in
>another subnet.

There's no need to use extra IPs just to set up another subnet.  Just
use the same IP on multiple interfaces of your firewall, and with proxy
ARP routing nothing but your firewall needs to know the details.  The
only thing I've found with broken assumptions about how IP works is DHCPD,
so your firewall will need a real IP for each segment it acts as a DHCP
server for.  The ip command is your friend; it allows much finer-grained
control than the commands it replaces.

I've got a /24 split haphazardly into six subnets.  The routing table
on the firewall is something like 50 entries just for that /24, but
none of the other systems know the details -- they just ARP and send.
(Even if I renumbered this beast, the routing table wouldn't be tiny;
there are over 200 hosts unevenly split between the segments.)

-- 
Blars Blarson			blarson@blars.org
				http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden
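A concrete version of the setup described in the reply above, written as an added example for this archive page and not taken from Blars' own configuration: a small POSIX shell function that emits the sysctl and `ip` commands for reusing one firewall address on several DMZ interfaces, with proxy ARP on each interface and a /32 route per host that has been moved onto an isolated wire. The interface names and the 192.0.2.0/24 addresses (RFC 5737 documentation space) are illustrative assumptions; the function only prints the commands, so it can be reviewed before anything is applied to a live firewall.

```sh
#!/bin/sh
# Added example, not code from the original post. Emits the sysctl and
# `ip` commands for the scheme in the reply: one address reused on every
# DMZ interface, proxy ARP on each, and a /32 route per host that has
# been moved to an isolated segment. Interface names and 192.0.2.0/24
# (RFC 5737 documentation space) are illustrative assumptions.
#
# gen_proxyarp_config FW_ADDR PREFIXLEN MAIN_IFACE SEGMENT...
#   FW_ADDR    the firewall's address inside the /24 (reused everywhere)
#   PREFIXLEN  prefix length the hosts themselves are configured with
#   MAIN_IFACE the original DMZ interface; keeps the real connected route,
#              so any host not listed below is still reached there
#   SEGMENT    IFACE=host1,host2,...  hosts living behind that interface
gen_proxyarp_config() {
    fw_addr=$1; plen=$2; main_iface=$3; shift 3

    # Hosts on the main segment ARP for the moved machines, so the
    # firewall must answer there too: proxy_arp on every interface.
    printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$main_iface"
    printf 'ip addr add %s/%s dev %s\n' "$fw_addr" "$plen" "$main_iface"

    for seg in "$@"; do
        iface=${seg%%=*}
        hosts=${seg#*=}
        printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$iface"
        # Same address again, as a /32: no second connected route for the
        # /24, so the host routes below decide which way a packet leaves.
        printf 'ip addr add %s/32 dev %s\n' "$fw_addr" "$iface"
        for h in $(printf '%s' "$hosts" | tr ',' ' '); do
            if [ "$h" = "$fw_addr" ]; then
                echo "refusing to route the firewall's own address $h" >&2
                return 1
            fi
            # Linux proxy ARP answers for a target whose route leaves by
            # a different interface than the one the request came in on,
            # so this one route is what makes the firewall reply for $h.
            printf 'ip route add %s/32 dev %s\n' "$h" "$iface"
        done
    done
}

# Example: the original DMZ on eth1, one host moved to its own wire on eth2.
# (Caveat from the post: a segment the firewall serves DHCP on needs a
# unique real address instead of the shared one.)
gen_proxyarp_config 192.0.2.1 24 eth1 eth2=192.0.2.10
```

The moved host keeps its /24 netmask and its existing default gateway; it ARPs for neighbours as before and the firewall answers on its behalf, which is the "they just ARP and send" behaviour from the reply. Adding the same address to a second interface is something `ip addr add` permits where `ifconfig` would refuse, which is why the `ip` command is the tool of choice here.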


