[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Need an advise about isolating a host in the DMZ

In article <1040204536.12811.100.camel@parker> haim@consonet.com writes:
>create a second DMZ, but that would cost me the lost of three ip's, so
>I'm trying to figure out ways to isolate him without putting it in
>another subnet.

There's no need to use extra IPs just to set up another subnet.  Just
use the same IP on multiple interfaces of your firewall, and with proxy
arp routing nothing but your firewall needs to know the details.  The
only thing I've found with broken assuptions about how IP works is DHCPD,
so your firewall will need a real IP for each segment it acts as a DHCP
server for.  The ip command is your freind, it allows much finer-grained
control than the commands it replaces.

I've got a /24 split haphazardly into six subnets.  The routing table
on the firewall is something like 50 entries just for that /24, but
none of the other systmes known the details -- they just arp and send.
(Even if I renumbered this beast, the routing table wouldn't be tiny,
there are over 200 hosts unevenly split between the segments.)

Blars Blarson			blarson@blars.org
"Text is a way we cheat time." -- Patrick Nielsen Hayden

Reply to: