
Re: [suse-security] SuSEfirewall2 not routing when both nics on same subnet



Proper subnetting and a correctly configured DNS is really the answer here.
Yes, you can use proxy ARP, but I would suggest that if this user is having
trouble with the simple setup he has and has not noticed that the IP
addresses are set up incorrectly, then I suspect there would be further
trouble setting up proxy ARP.

Simply set up an RFC 1918 address range (192.168.1.*) and mask it, or use a
second one on the other NIC. This is not only best practice, it is far
simpler to configure for a new user.

Also consider using the YaST config for the firewall. This is simple enough
for the settings he needs.

Brett Stevens


On 25/5/04 23:18, "Thomas Seliger" <CRJLJAKTJORB@xxxxxxxxxxxxx> wrote:

> Hi,
> 
> I use a similar setup at work to split a range of 64 IP addresses into
> multiple demilitarized zones. I did not choose to use subnetting, as I
> wanted to move hosts easily between DMZs without changing their
> IP address.  The setting you want is possible if you use a technique
> called "proxy arp".
> 
> I also suggest you use the shoreline firewall script to set up your
> firewalling and routing, instead of the SuSEfirewall script. It is easy
> to set up, even for complex settings (I don't want to start a flamewar,
> but Shorewall is much more suited for complicated settings than
> SuSEfirewall IMHO). You can configure proxy arp very easily there.
> 
> Get Shorewall and the Shorewall tutorial from
> 
>    http://www.shorewall.net/
> 
> In any case, I suggest you read the following about proxy arp:
> 
>    http://www.sjdjweis.com/linux/proxyarp/
>    http://lartc.org/howto/lartc.bridging.proxy-arp.html
> 
> The second has an example, it should be easy to customize it to your needs.
> 
> peace,
> Tom
> 
> 
> David Livingston wrote:
> 
>> Internet
>>    |
>>    |
>>   eth0 (1.1.1.1)
>>    |
>>    FireWall---eth1 (1.1.1.2)
>>         |
>>         |
>>         Webserver (1.1.1.3)
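
The addressing problem discussed in this thread, as an added example that is not part of any of the posts: a small check that flags firewall interfaces whose networks overlap and shows which interfaces treat a given host as directly attached. The /24 prefix lengths, the `192.168.1.1` inside address and all function names are assumptions; the thread gives no netmasks.

```python
import ipaddress
from itertools import combinations

# The three RFC 1918 private ranges, listed explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data. Prefix lengths are assumed, not from the thread.
THREAD_LAYOUT = {"eth0": "1.1.1.1/24", "eth1": "1.1.1.2/24"}
SPLIT_LAYOUT = {"eth0": "1.1.1.1/24", "eth1": "192.168.1.1/24"}


def is_rfc1918(cidr):
    """True if the interface address lies in an RFC 1918 range."""
    addr = ipaddress.ip_interface(cidr).ip
    return any(addr in net for net in RFC1918)


def overlapping_interfaces(ifaces):
    """Return sorted (name_a, name_b) pairs whose connected networks overlap."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in ifaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def on_link(ifaces, host):
    """Return the interfaces that consider `host` directly attached.

    More than one name means the kernel has two connected routes for the
    same destination, so traffic for the host may leave the wrong NIC.
    """
    ip = ipaddress.ip_address(host)
    return sorted(n for n, c in ifaces.items()
                  if ip in ipaddress.ip_interface(c).network)


if __name__ == "__main__":
    for label, layout, host in (("thread", THREAD_LAYOUT, "1.1.1.3"),
                                ("split", SPLIT_LAYOUT, "192.168.1.3")):
        print(label, "overlaps:", overlapping_interfaces(layout))
        print(label, host, "on-link via:", on_link(layout, host))
        print(label, "eth1 private:", is_rfc1918(layout["eth1"]))
```
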


