> I'm still confused.
>
> Why do you need to succeed in getting a DHCP address for _both_ interfaces?
> Wouldn't it be OK if just the one that happened to face the DHCP server came
> up? This would still give you remote access.
I can get away with DHCP on one side only, but having actually tried this (at length) it looks like the 'real' address has to be on the same side as the target server in order to make the NAT work when faking the source address of the client. I.e. it is determined by the client/server relationship and which interfaces the client and the server talk to me via.

Unfortunately the interface which gets the address from DHCP can be on *either* the client *or* the server side. This is because a filtering appliance like this can either be placed at the edge of your network (in which case the DHCP server is on the inside, same interface as your target server, in my case a mail server) - or it can be placed immediately in front of that server only, in which case the DHCP server will be on the *outside*, same interface as the clients. Therefore, to allow for either of these deployments, it's safer if I just get a DHCP address for both sides, from whichever side the DHCP server happens to be on.

So... if the specific deployment happens to have the DHCP server on the same interface as the target server whose traffic is being filtered, then what you suggest above will work OK. But if they're on different interfaces, it won't. I've tried it.

One administrative solution would be to tell people to only place the filter on the edge, with the DHCP always inside. However, my own experience here with our own computer center is that they're pretty reluctant to run all the campus traffic through one device just to add some mail functionality. Whereas placing it in front of the mailer is not such a big deal. (Also cheaper in terms of supporting the bandwidth - campus edge: 45 Mbit - mailer: 1 Mbit.)

I really wonder how these transparent commercial anti-spam appliances do it. If you think it is tough under OpenBSD/pf, it's next to impossible under Linux. What trick have they worked out that I'm missing? Or are they just not as transparent/config-free as I am assuming they need to be?

Graham
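For readers following the thread, the sketch below shows what the two-interface layout Graham describes could look like on an OpenBSD 3.x box: both bridge members run dhclient so that whichever side the DHCP server is on hands out the lease, and pf redirects SMTP for the protected mail server to a local filtering proxy (the same rdr-to-127.0.0.1 pattern spamd uses). It is an added illustration, not Graham's configuration (the thread does not show his rules); the interface names fxp0/fxp1, the mail server address 192.0.2.25, the proxy port 8025 and the pre-4.7 rdr syntax are all assumptions.

```conf
# --- /etc/hostname.fxp0 (assumed: faces the SMTP clients) ---
# "dhcp NONE NONE NONE" is the 3.x form; newer releases accept plain "dhcp".
dhcp NONE NONE NONE

# --- /etc/hostname.fxp1 (assumed: faces the mail server) ---
dhcp NONE NONE NONE

# --- /etc/bridgename.bridge0: bridge the two members transparently ---
add fxp0
add fxp1
up

# --- /etc/pf.conf (OpenBSD 3.x syntax; rdr/nat are separate rule types) ---
cli_if    = "fxp0"          # assumed: side the clients arrive on
srv_if    = "fxp1"          # assumed: side the real mail server is on
mailhost  = "192.0.2.25"    # assumed documentation address of the mail server
proxyport = "8025"          # assumed local port of the filtering proxy

# SMTP addressed to the mail server is diverted to the local proxy on the
# interface the clients come in on, before it crosses the bridge.
rdr on $cli_if inet proto tcp from any to $mailhost port smtp -> 127.0.0.1 port $proxyport

# Let redirected connections reach the proxy, and let the proxy's onward
# connections leave towards the real server on the other member.
pass in  on $cli_if inet proto tcp from any to 127.0.0.1 port $proxyport keep state
pass out on $srv_if inet proto tcp from any to $mailhost port smtp keep state
```

For the "at the edge" deployment the two interface macros simply swap roles; only the rdr and pass rules reference them, so nothing else changes. This sketch covers the interface and redirection layout only; it does not reproduce the client source-address faking Graham refers to, for which the thread gives no details.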