 From:  Bart Smit <bit at signature dot nl>
 To:  Fred Wright <fw at well dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Multiple WAN ip addresses
 Date:  Wed, 25 Jun 2003 20:41:18 +0200 (CEST)
On Tue, 24 Jun 2003, Fred Wright wrote:

> I like to regard Proxy ARP as a last resort, since it lies about the
> topology

Part of a firewall's task is to conceal what's behind it. So in this
particular case the topology should be nobody's business anyway ;-)

> A cleaner way to do this would be to have the ISP know that the
> secondary IPs are reachable via the primary IP, either via static
> configuration or via routing protocols, but they may not support that.

Yep, that's how you would do it if you have good control of the WAN side
of things. But in cases where you haven't, and to keep things simple, I
think it is very reasonable to let m0n0wall pretend to "be" (arp-wise)
the servers it shelters in its DMZ.