Dave Wreski wrote:
> > What's the practical difference between proxy-arp and plain old
> > IP aliasing?
>
> They are totally different. IP aliasing is binding two or more IP
> addresses to a single interface. Proxyarp is when a server answers
> requests for communications with your machine for you. Typically this is
> used with PPP servers, since the clients won't have a MAC address.
Okay, I did remember the 'proxyarp' option from when I set up my ppp box, but
the stuff I read at the ProxyArp Howto (& related web site) was making me think
that this might be something different, or the same thing in a drastically
different context.
>
>
> > it seems like proxy-arp and ip aliasing will both allow me to get the
> > bastion box answering on two or more IP addresses, but since this
> > machine is security-sensitive I don't want to blindly choose one or the
> > other.
>
> If you draw out a diagram it would be more clear.
Oh dear. Okay, here goes:
    [ --internet-- ]
            |
    [DMZ -- web server, ftp server, public dns, outer spigot of bastion server,
     nothing else.]
            |
    [Inner, 'protected' net -- inner spigot of bastion server, pop3 server,
     individual workstations, etc.]
A note or two on the bastion server: It's a masquerading packet filter,
running almost nothing except for qmail configured to forward everything to
the inside pop3 server. So the basic masquing from the kernel is already set
up, but right now there are no inet.d services or proxies available to the
outside world from that box, and the outer interface only has one IP address.
> You can masquerade two
> or more IP addresses with simple aliases. It sounds like a good routing
> configuration will help your data find its way.
That seems reasonable; the idea I had originally was to set up a second
(aliased?) IP address on the outer interface of the bastion host, and
magically have that interface appear to the outside world as our pop3 server,
but only for requests to the smtp port. But when I first tried to set this up
I couldn't get aliasing to work (I've since found better info, probably from
this list), so single-IP masquing with only outward-bound connections ended up
being the compromise of the hour.
So what I'm still unclear on is the magically-piping-pop part. Can that be
done with just an exotic routing scheme, or do I really need some mitigating
process (proxy) handling the transactions? Or are those the same thing?
I'm gonna go read the proxyarp howto again. If this made sense to anyone and
if I've hopelessly confused myself, please mail me a line.
m
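Editor's added example (not from the thread or its authors): the setup described above, a second aliased address on the bastion's outer interface with only TCP/25 to it handed to the inner mail host, written in current iproute2/iptables form. Interface names and all addresses are assumptions; the "routing scheme" part is destination NAT, which masquerading alone does not provide.

```shell
#!/bin/sh
# Added example: alias a second address on the bastion's outer interface and
# forward only SMTP arriving at that address to the inner mail host.
# Interface names and addresses below are assumed, not from the thread.
OUTER_IF=eth0            # outer spigot, facing the DMZ
INNER_IF=eth1            # inner spigot, facing the protected net
ALIAS_IP=192.0.2.25      # second (aliased) public address standing in for the mail host
MAIL_HOST=10.0.0.5       # real pop3/smtp host on the protected net

# Print each command instead of executing it unless RUN is set, so the rule
# set can be reviewed before it touches a live firewall.
run() { if [ -n "${RUN:-}" ]; then "$@"; else echo "$*"; fi; }

smtp_forward_rules() {
    # 1. IP aliasing: a second address on the same interface, nothing more.
    run ip addr add "$ALIAS_IP/24" dev "$OUTER_IF" label "$OUTER_IF:0"
    # 2. Rewrite the destination of SMTP connections to the alias so they reach
    #    the inner host; masquerading by itself only handles outbound flows.
    run iptables -t nat -A PREROUTING -i "$OUTER_IF" -d "$ALIAS_IP" \
        -p tcp --dport 25 -j DNAT --to-destination "$MAIL_HOST:25"
    # 3. Let exactly that traffic through the filter, both directions; anything
    #    else aimed at the alias still falls to the existing default policy.
    run iptables -A FORWARD -i "$OUTER_IF" -o "$INNER_IF" -d "$MAIL_HOST" \
        -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$INNER_IF" -o "$OUTER_IF" -s "$MAIL_HOST" \
        -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Sanity check for review: how many generated rules mention a given host.
# Only the intended mail host should appear as a forwarding target.
rule_count_for_host() {
    smtp_forward_rules | grep -c -- "$1"
}

smtp_forward_rules
```

Run with `RUN=1` as root to apply the rules; without it the script only prints them for review.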
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject.