Nathan Davis wrote:

>After thinking about this for a while, I was wondering if I really need to
>use two *real* ip addresses on the firewall machine.  Or even if there's
>a way to set up a default route to an interface with no ip address
>assigned.  Another option might be to have the cisco (and possibly the
>firewall too) obtain an ip address via dhcp (I don't know how the other
>end might take this, though), or assign the interface connecting the
>firewall to the Cisco a "fake" address.
>

If you want an interface w/ no IP I'd suggest getting the Linux bridging
stuff. The idea would be to have 3 NICs actually.  One external (Router ->
FW NIC), one for internal NAT'd addresses (any traffic can be forwarded
through the firewall to internal hosts), the other would be a bridged
interface to a DMZ (allows you to filter ports but doesn't need an IP).

There are other ways to set this up also but this is the only way I
can think of at the moment to get a firewall without using one of your
addresses.  Unless of course you just forward all your traffic through
the firewall.  If you want a dedicated address for a specific server
instead of all your DNS entries going to the firewall, the firewall can
be multi-homed (multiple addresses/NIC).

I could probably think of a few more ways to get it done but couldn't 
tell you the "best" way without a bit more info.

sim
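
An added sketch of the address-less bridged DMZ leg described in the reply above; it is not part of the original message and not either poster's configuration. It assumes current iproute2 and nftables tooling, and the interface names (`eth0` toward the router, `eth2` toward the DMZ), the bridge name `br0`, the table name and the allowed ports are all constructed for illustration.

```shell
#!/bin/sh
# Added example: bridge two NICs without giving the firewall an IP on them,
# and filter what is forwarded across the bridge.
# Interface names, bridge name and ports are assumptions, not from the thread.

# Print the iproute2 commands that build a bridge with no address on it.
bridge_plan() {
    br=$1; shift
    echo "ip link add name $br type bridge"
    for port in "$@"; do
        echo "ip addr flush dev $port"          # ports carry no IP of their own
        echo "ip link set dev $port master $br"
        echo "ip link set dev $port up"
    done
    echo "ip link set dev $br up"
}

# Print an nftables ruleset in the bridge family: default drop, ARP allowed,
# new TCP connections only from the uplink to the listed DMZ ports.
# Connection tracking in the bridge family needs Linux 5.3 or later.
filter_plan() {
    uplink=$1; dmz=$2; ports=$3
    cat <<EOF
table bridge dmzfilter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ether type arp accept
    ct state established,related accept
    iifname "$uplink" oifname "$dmz" tcp dport { $ports } ct state new accept
  }
}
EOF
}

# Dry run by default; set APPLY=1 (as root) to make the changes.
if [ "${APPLY:-0}" = 1 ]; then
    bridge_plan br0 eth0 eth2 | sh -e
    filter_plan eth0 eth2 "25, 80" | nft -f -
else
    bridge_plan br0 eth0 eth2
    filter_plan eth0 eth2 "25, 80"
fi
```

With the default-drop policy, DMZ hosts cannot open new outbound connections until a rule for that direction is added.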