Firewall Wizards mailing list archives

Re: Firewall configuration questions.


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 28 Apr 2000 16:45:11 -0400 (EDT)

On Thu, 27 Apr 2000, daN. wrote:

This is the problem as I see it:
           1                                                 2
<some real IP's>----<Firewall>---<some more real IP's>-----<Gateway>

where Gateway does not know that Firewall exists and expects all real IPs
to be directly behind it, and both sets of real IPs belong to the same class C.

so let's say we want to split the subnet in half so we have the upper half
in part one and the lower half in part 2 or whatever... you still have the
problem of how to tell the gateway to use the firewall as a gateway to the
IPs behind it.  This is what the proxy ARPing does... 'Course I might totally
be misreading the problem as well :)...

I see what you are saying here, but, still would this not be more akin to:

           1                                                 2

                    <Firewall>
                        |                                      |
<some real IP's>------------------<some more real IP's>-----<Gateway>--
                                                               |

meaning that the firewall in question is a single-interface
bastion, splitting and/or controlling access on a single subnet?
Unless actual subnetting is taking place, there is only one
interface in the firewall attached to the single subnet in question,
yes?  This might be what you also meant; I'm just making sure I've
interpreted correctly.

Thanks,

Ron DuFresne

daN.

At 04:03 PM 4/27/00 -0400, R. DuFresne wrote:
Organization: sysinfo.com
X-Subliminal: If at first you don't suck seed...


Are you sure this is the direction of the question?  I may have
misinterpreted it, but I got the impression that he was asking if one can
avoid NAT and do just real IPs behind the firewall.  Now I might also be
misreading you, but is not your answer suited to a one-to-one NAT
remapping of public addresses before going inside-out through the firewall?
Or am I misreading this whole thread?

Thanks,

Ron DuFresne

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
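A small model of the proxy-ARP arrangement daN. describes (one class C kept whole, the firewall answering ARP for the half "behind" it so the gateway hands it those frames). This is an added example, not code from either poster; the 192.0.2.0/24 block, the halves, the interface names and the MAC addresses are all constructed stand-ins for the "real IPs" in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (documentation range), standing in for the post's
# class C. The lower half sits behind the firewall (part 1); the upper half
# and the gateway are in front of it (part 2). No real subnetting happens:
# every host still believes it is on one /24.
CLASS_C = ipaddress.ip_network("192.0.2.0/24")
PART1, PART2 = CLASS_C.subnets(prefixlen_diff=1)   # 192.0.2.0/25, 192.0.2.128/25


@dataclass
class ProxyArpFirewall:
    """Two-interface firewall that splits one /24 by proxy ARP, not by mask."""
    protected: ipaddress.IPv4Network   # addresses behind the firewall (part 1)
    inside_mac: str                    # interface facing the protected hosts
    outside_mac: str                   # interface facing the gateway

    def arp_reply(self, iface: str, target: ipaddress.IPv4Address) -> Optional[str]:
        """MAC to answer an ARP request with, or None to stay silent.

        The firewall answers only for addresses on the *other* side of
        itself: the gateway learns to send frames for protected hosts to
        the firewall, and protected hosts learn to send gateway-bound
        frames to it. Answering for same-side addresses would hijack
        local traffic that should never cross the firewall.
        """
        if target not in CLASS_C:
            return None                    # not our subnet at all
        behind = target in self.protected
        if iface == "outside" and behind:
            return self.outside_mac
        if iface == "inside" and not behind:
            return self.inside_mac
        return None


def demo() -> dict:
    """Three ARP requests the firewall sees; constructed MACs."""
    fw = ProxyArpFirewall(PART1, "02:00:00:00:00:01", "02:00:00:00:00:02")
    return {
        "gw asks for inside host": fw.arp_reply("outside", ipaddress.ip_address("192.0.2.10")),
        "inside host asks for gw": fw.arp_reply("inside", ipaddress.ip_address("192.0.2.254")),
        "gw asks for outside host": fw.arp_reply("outside", ipaddress.ip_address("192.0.2.200")),
    }


if __name__ == "__main__":
    print(demo())
```

The filtering itself happens when the firewall forwards a frame it has attracted this way; the ARP policy only decides which traffic is pulled through it.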