On Tue, 24 Jun 2003, Fred Wright wrote:

> I like to regard Proxy ARP as a last resort, since it lies about the
> topology

Part of a firewall's task is to conceal what's behind it. So in this particular case the topology should be nobody's business anyway ;-)

> A cleaner way to do this would be to have the ISP know that the
> secondary IPs are reachable via the primary IP, either via static
> configuration or via routing protocols, but they may not support that.

Yep, that's how you would do it if you have good control of the WAN side of things. But in cases where you haven't, and to keep things simple, I think it is very reasonable to let m0n0wall pretend to "be" (arp-wise) the servers it shelters in its DMZ.

--B