[This is a setup I have configured, but which hasn't been deployed]
You have been offered an Internet connection delivered on UTP.
You have been assigned a network 192.168.42.0/24, and the address of
the default gateway is 192.168.42.1. The configuration of the gateway
is non-negotiable.
You wish to install a firewall to protect your machines. This is
physically inserted between the gateway and the local machines as
shown below.
------ --------
| gw |____eth1| fw |eth0____ .2 to .253
| .1 | | .254 |
------ --------
I configure the firewall with the same IP address on both interfaces.
I have a host route to the default gateway through eth1, and the network
route through eth0 (BTW, I think this may be another example of where
the automatically added route of 2.2 becomes a problem).
Using subnet proxyarp, I can make all of the local machines appear visible
to the default gateway, without modifying the gateway. Without this,
I need to add a proxyarp entry for each of the many possible hosts.
I can also use this setup to retroactively install a firewall into an
existing network, without requiring wholesale reconfiguration (and the
protected network can either consist of the entire network, or small
subnets).
The configuration above also prevents wasting address space. If I have
been assigned a block of addresses, I will typically need to have an
`inside' and `outside'. The outside segment is going to consume IP
addresses when I subnet it to partition the network. This isn't much
on a /24, but you might begrudge it on a /29.
-- `O O' | Home: Nick.Holloway@alfie.demon.co.uk http://www.alfie.demon.co.uk/ // ^ \\ | Work: Nick.Holloway@parallax.co.uk- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/