Re: [SLUG] Bridging Firewall

From: btt (btt@nethouse.com)
Date: Fri Jun 20 2003 - 12:36:40 EDT


On Fri, Jun 20, 2003 at 10:17:21AM -0400, Ian C. Blenke wrote:
> On Friday 20 June 2003 05:56, btt@nethouse.com wrote:
> > The reason the whole bridge thing came up is because the default
> > gateway for the public network is ISP-provided and is a node on
> > the public network. So I didn't see any way to put any type of
> > regular firewall between our public servers and the ISP's
> > gateway. I figured a bridge would be the way to go (?). Plus,
> > since the public network is switched, tcpdump is useless for
> > unicast traffic analysis, but with the bridge in place, tcpdump on
> > br0 picks up everything.
>
> Why not statically NAT? Renumber the "public network" machines to a
> private network range, set up aliased interfaces on the firewall for
> the old public IP addresses, and add an iptables DNAT/SNAT rule for
> each mapping.

Hmm, that's pretty interesting. I don't think we'll do that, but I
would have never thought of it and it seems reasonable. Thanks.

One drawback to this whole setup (either the NAT or bridge), compared
to the unfirewalled setup is that there is now another single point of
failure for the entire public network. If the entire firewall machine,
or even one of the bridge NICs fail, the entire public network is
down. Unfirewalled, it would not be the case. But that is neither here
nor there, I guess... as the advantages of having a good firewall in
place outweigh the potential for hardware failure.

Thanks again,
Bill
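The static-NAT layout Ian sketches above, written out as an added example (it is not code from either poster): each server keeps its old public address from the ISP's point of view, the firewall answers for that address on an alias of its outside interface, and a DNAT/SNAT pair maps it to the renumbered private host. The interface names (eth0 outside, eth1 inside), the 203.0.113.x/192.168.10.x addresses and the mapping table are all constructed for illustration. The script prints the commands instead of running them, so the result can be reviewed before it is applied on the firewall.

```shell
#!/bin/sh
# Added example, not from the list thread: generate the alias + DNAT/SNAT
# configuration for a static 1:1 NAT firewall. Addresses and interface
# names below are assumptions, not anything from the original mail.

# Constructed mapping table: "old public address  new private address"
MAPPINGS='203.0.113.10 192.168.10.10
203.0.113.11 192.168.10.11'

OUTSIDE_IF="${OUTSIDE_IF:-eth0}"   # NIC facing the ISP gateway (assumption)
INSIDE_IF="${INSIDE_IF:-eth1}"     # NIC facing the renumbered servers (assumption)

# Emit the commands for one public -> private mapping.
# $1 = public address, $2 = private address, $3 = alias index
nat_rules() {
    pub="$1"; priv="$2"; idx="$3"
    # Alias the old public address onto the outside NIC so the firewall
    # answers ARP for it; the ISP gateway needs no change at all.
    echo "ip addr add ${pub}/32 dev ${OUTSIDE_IF} label ${OUTSIDE_IF}:${idx}"
    # Inbound: rewrite the destination before the routing decision.
    echo "iptables -t nat -A PREROUTING -i ${OUTSIDE_IF} -d ${pub} -j DNAT --to-destination ${priv}"
    # Outbound: rewrite the source so the server still appears as its public address.
    echo "iptables -t nat -A POSTROUTING -o ${OUTSIDE_IF} -s ${priv} -j SNAT --to-source ${pub}"
    # Filtering now lives in FORWARD: only traffic to/from the mapped host passes.
    echo "iptables -A FORWARD -i ${OUTSIDE_IF} -o ${INSIDE_IF} -d ${priv} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i ${INSIDE_IF} -o ${OUTSIDE_IF} -s ${priv} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Emit the whole configuration: forwarding on, default-deny FORWARD,
# then one rule set per mapping line.
generate_all() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    i=0
    echo "$MAPPINGS" | while read pub priv; do
        [ -n "$pub" ] || continue
        nat_rules "$pub" "$priv" "$i"
        i=$((i + 1))
    done
}

# Usage: review first, then pipe into a root shell on the firewall.
#   sh nat-gen.sh            (prints the commands)
#   sh nat-gen.sh | sudo sh  (applies them)
generate_all
```

Because every packet now crosses the firewall's FORWARD chain, tcpdump on either NIC sees the same unicast traffic the bridge on br0 would have shown, and the single-point-of-failure trade-off Bill describes applies to this layout exactly as it does to the bridge.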



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:11:08 EDT