From: Bob Tellefson <bob@zooid.com>
To: netfilter@lists.netfilter.org
Cc: "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>
Subject: Re: networking newbie needs help
Date: Sun, 23 Jan 2005 20:28:53 +0000
Message-ID: <200501232028.53215.bob@zooid.com>
In-Reply-To: <15505515.1106460382543.JavaMail.rct@kale>
On Sunday 23 January 2005 06:05, Kev askme wrote:
>
> Thanks for the "dummified" explanation. That is very
> clear and concise. :) So I just need my ISP to
> statically assign the public IP addresses to me and
> then add the addresses to my external interface using
> the ip command and then the external interface will
> answer for all ip addresses on the external interface?
> Or do I need to add aliases for each address, or is
> that essentially what the ip command is actually
> doing?
>
It is generally more useful to have a subnet assigned and routed to you by
your ISP. The advantage here is that you may use these IPs on your DMZ
without the need for DNAT. In this case, your firewall/router ISP interface
acts as a gateway that your ISP routes your subnet IPs through. ARP is not
involved other than to discover this gateway interface. You can route/filter
the subnet IPs as you see fit.

DNAT comes with side effects that you should consider before proceeding. Have
a look at DNAT in the iptables FAQ
( http://www.faqs.org/docs/iptables/targets.html ) for an example of what
happens when you DNAT clients from the outside world versus how machines
within the DMZ (including the firewall) access the same services. This can
be a serious issue depending on what services reside on your DMZ and how they
interact.

If you don't get a routed subnet from your ISP, consider using proxy ARP rather
than DNAT. This effectively gives you the benefits of a routed subnet. See
http://www.tldp.org/HOWTO/Proxy-ARP-Subnet/

DNAT has its place, but it is a kludge (IMHO). I avoid it where possible.
--
Bob Tellefson
Java network application development & hosting
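To make the DNAT side effect Bob points to concrete, here is an added example (mine, not from the thread or the iptables FAQ) that models the "hairpin" case: a DMZ host connecting to the public address has its SYN DNATed to the server, but the server answers directly on the shared subnet from its private address, so the client never sees a reply from the address it connected to. The addresses, the subnet-prefix check and the hairpin SNAT rule are constructed assumptions.

```python
from typing import NamedTuple

# Constructed addresses for the toy model (not from the thread).
PUBLIC_IP = "203.0.113.10"   # firewall's ISP-facing address, DNATed to the web server
FW_DMZ_IP = "192.168.1.1"    # firewall's DMZ-side address, used as SNAT source
WEB_SERVER = "192.168.1.10"  # DMZ host that the DNAT rule forwards to
DMZ_NET = "192.168.1."       # prefix standing in for the DMZ subnet


class Packet(NamedTuple):
    src: str
    dst: str


def dnat_connection_succeeds(client: str, hairpin_snat: bool) -> bool:
    """Open a connection from `client` to PUBLIC_IP and report whether the
    reply comes back from the address the client expects (PUBLIC_IP)."""
    conntrack = {}                       # reversed translated tuple -> original packet
    orig = Packet(client, PUBLIC_IP)
    pkt = orig
    # nat PREROUTING: -d PUBLIC_IP -j DNAT --to-destination WEB_SERVER
    if pkt.dst == PUBLIC_IP:
        pkt = Packet(pkt.src, WEB_SERVER)
    # nat POSTROUTING (hairpin fix only): DMZ clients reaching the DMZ server via
    # the public address are SNATed so the server's reply has to cross the firewall.
    # Side effect: the server's logs then show FW_DMZ_IP instead of the real client.
    if hairpin_snat and pkt.src.startswith(DMZ_NET) and pkt.dst.startswith(DMZ_NET):
        pkt = Packet(FW_DMZ_IP, pkt.dst)
    conntrack[Packet(pkt.dst, pkt.src)] = orig
    # The server answers whichever source address it saw.
    reply = Packet(pkt.dst, pkt.src)
    if reply.dst.startswith(DMZ_NET) and reply.dst != FW_DMZ_IP:
        # Same subnet: the reply goes straight to the client and never passes
        # the firewall, so nothing undoes the DNAT.
        seen = reply
    else:
        # Reply traverses the firewall; conntrack reverses both translations.
        seen = Packet(conntrack[reply].dst, conntrack[reply].src)
    return seen == Packet(orig.dst, orig.src)


if __name__ == "__main__":
    print("external client:", dnat_connection_succeeds("198.51.100.5", False))
    print("DMZ client, no hairpin SNAT:", dnat_connection_succeeds("192.168.1.20", False))
    print("DMZ client, hairpin SNAT:", dnat_connection_succeeds("192.168.1.20", True))
```

A routed subnet or proxy ARP avoids the problem entirely because no address is rewritten in either direction.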