Re: Need advice about isolating a host in the DMZ
On Wed, 2002-12-18 at 15:11, Blars Blarson wrote:
> In article <1040204536.12811.100.camel@parker> firstname.lastname@example.org writes:
> >create a second DMZ, but that would cost me the loss of three IPs, so
> >I'm trying to figure out ways to isolate him without putting it in
> >another subnet.
> There's no need to use extra IPs just to set up another subnet. Just
> use the same IP on multiple interfaces of your firewall, and with proxy
> arp routing nothing but your firewall needs to know the details. The
> only thing I've found with broken assumptions about how IP works is DHCPD,
> so your firewall will need a real IP for each segment it acts as a DHCP
> server for. The ip command is your friend, it allows much finer-grained
> control than the commands it replaces.
Just to make sure I understand before I dive into the iproute howto, do
you mean I can give 2 interfaces on my firewall the same ip, one is
connected directly to that host, the other to a switch, and only have to
set up things in the firewall?
> I've got a /24 split haphazardly into six subnets. The routing table
> on the firewall is something like 50 entries just for that /24, but
> none of the other systems know the details -- they just arp and send.
> (Even if I renumbered this beast, the routing table wouldn't be tiny,
> there are over 200 hosts unevenly split between the segments.)
> Blars Blarson email@example.com
> "Text is a way we cheat time." -- Patrick Nielsen Hayden
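The setup Blars describes, as an added example that is not part of the thread: a shell function that emits (or, with DRY_RUN=0 as root, runs) the `ip`, sysctl and filter commands that put one DMZ host on its own firewall interface while both firewall interfaces keep the same address, so no IPs are spent on a second subnet. Interface names, the 203.0.113.1/29 firewall address and the 203.0.113.5 host address are constructed placeholders, and the filter rules are a default-deny starting point rather than anything the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the firewall-side configuration for
# isolating one DMZ host behind its own interface using proxy ARP, so the host and
# the rest of the DMZ keep their existing addresses and "just arp and send".
# All interface names and addresses used below are constructed placeholders.

# Echo each command (DRY_RUN=1, the default) or execute it (DRY_RUN=0, needs root).
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# proxy_arp_isolate SWITCH_IF HOST_IF FW_ADDR/PREFIX HOST_IP
#   SWITCH_IF : firewall interface cabled to the DMZ switch
#   HOST_IF   : firewall interface cabled directly to the isolated host
#   FW_ADDR   : the one firewall address, shared by both interfaces (e.g. 203.0.113.1/29)
#   HOST_IP   : address of the host being isolated (unchanged, same /29 as before)
proxy_arp_isolate() {
  sw_if=$1; host_if=$2; fw_addr=$3; host_ip=$4

  # Forward between the two segments and answer ARP on each side for
  # addresses the firewall reaches through the other side.
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w "net.ipv4.conf.$sw_if.proxy_arp=1"
  run sysctl -w "net.ipv4.conf.$host_if.proxy_arp=1"

  # Same address on both interfaces. The switch side goes first so its
  # connected route for the /29 is the one the kernel prefers.
  run ip addr add "$fw_addr" dev "$sw_if"
  run ip addr add "$fw_addr" dev "$host_if"

  # A /32 host route beats the connected /29, so traffic for the isolated
  # host leaves via HOST_IF and the firewall proxy-ARPs for it on the switch.
  run ip route add "$host_ip/32" dev "$host_if"

  # Every packet between the isolated host and the rest of the DMZ now
  # crosses the FORWARD chain, which is what makes the isolation enforceable.
  # Placeholder policy: allow replies to sessions the DMZ side opened, drop the rest.
  run iptables -A FORWARD -i "$sw_if" -o "$host_if" -j ACCEPT
  run iptables -A FORWARD -i "$host_if" -o "$sw_if" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$host_if" -o "$sw_if" -j DROP
}

# Returns 0 when a generated command list contains the host route, i.e. the
# one line that actually steers the isolated host's traffic to its own port.
has_host_route() {
  printf '%s\n' "$1" | grep -q "^ip route add $2/32 dev $3\$"
}

# Dry-run demonstration with the constructed placeholder values.
proxy_arp_isolate eth1 eth2 203.0.113.1/29 203.0.113.5
```

Run it as-is to review the commands it would issue; run it with DRY_RUN=0 as root on the firewall to apply them. As Blars notes, the one thing this does not cover is DHCP: if the firewall serves DHCP onto the isolated segment, that segment still needs a real address of its own.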