Re: Need advice about isolating a host in the DMZ
On Wed, 2002-12-18 at 15:11, Blars Blarson wrote:
> In article <1040204536.12811.100.camel@parker> haim@consonet.com writes:
> >create a second DMZ, but that would cost me the loss of three IPs, so
> >I'm trying to figure out ways to isolate him without putting it in
> >another subnet.
>
> There's no need to use extra IPs just to set up another subnet. Just
> use the same IP on multiple interfaces of your firewall, and with proxy
> arp routing nothing but your firewall needs to know the details. The
> only thing I've found with broken assumptions about how IP works is DHCPD,
> so your firewall will need a real IP for each segment it acts as a DHCP
> server for. The ip command is your friend, it allows much finer-grained
> control than the commands it replaces.
Just to make sure I understand before I dive into the iproute howto, do
you mean I can give 2 interfaces on my firewall the same IP, one is
connected directly to that host, the other to a switch, and only have to
set up things in the firewall?
>
> I've got a /24 split haphazardly into six subnets. The routing table
> on the firewall is something like 50 entries just for that /24, but
> none of the other systems know the details -- they just arp and send.
> (Even if I renumbered this beast, the routing table wouldn't be tiny,
> there are over 200 hosts unevenly split between the segments.)
>
> --
> Blars Blarson blarson@blars.org
> http://www.blars.org/blars.html
> "Text is a way we cheat time." -- Patrick Nielsen Hayden
thanx
--
Haim
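The same-address, proxy-ARP split Blars describes, written out as an added example (not code from the thread). The interface names, the 192.0.2.0/24 addresses and the host being isolated are assumptions; the iptables lines at the end are where the isolation the question asks for is then enforced.

```shell
#!/bin/sh
# Assumed layout (constructed for this example, not from the thread):
#   eth1 = firewall interface to the DMZ switch, already 192.0.2.1/24
#   eth2 = firewall interface cabled straight to the host being isolated
#   192.0.2.50 = that host, still addressed inside the original /24
# Set IP/SYSCTL/IPTABLES to "echo" to print the commands instead of running them.
IP="${IP:-ip}"
SYSCTL="${SYSCTL:-sysctl}"
IPTABLES="${IPTABLES:-iptables}"

DMZ_IF=eth1
ISO_IF=eth2
FW_ADDR=192.0.2.1
ISO_HOST=192.0.2.50

isolate_host() {
    # Reuse the firewall's DMZ address on the second interface. Adding it
    # as /32 avoids a second connected /24 route competing with eth1's.
    "$IP" addr add "$FW_ADDR/32" dev "$ISO_IF"

    # Host route: anything for the isolated host now leaves via eth2
    # instead of the switch, and everything else in the /24 stays on eth1.
    "$IP" route add "$ISO_HOST/32" dev "$ISO_IF"

    # Proxy ARP: the firewall answers ARP for the isolated host on the
    # switch side, and for the rest of the subnet on the host's cable, so
    # no other machine needs to know the subnet was split.
    "$SYSCTL" -w net.ipv4.ip_forward=1
    "$SYSCTL" -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"
    "$SYSCTL" -w "net.ipv4.conf.$ISO_IF.proxy_arp=1"

    # All traffic between the host and its former neighbours now crosses
    # FORWARD, which is where the isolation is actually enforced: block
    # lateral traffic in both directions (other FORWARD rules handle the rest).
    "$IPTABLES" -A FORWARD -i "$ISO_IF" -o "$DMZ_IF" -j DROP
    "$IPTABLES" -A FORWARD -i "$DMZ_IF" -o "$ISO_IF" -j DROP
}

# Run as root with "apply" to configure; with no argument only define the function.
case "${1:-}" in
    apply) isolate_host ;;
esac
```

The isolated host keeps its old address and gateway; it simply ends up with the firewall as the only machine it can reach on the wire.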