On 2008/03/07 12:38, Almir Karic wrote:
> On Thu, Mar 6, 2008 at 1:39 AM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> >
> > On 2008-03-05, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> > > On 2008-03-05, Jussi Peltola <[EMAIL PROTECTED]> wrote:
> > >> On Wed, Mar 05, 2008 at 11:28:16AM +0000, Stuart Henderson wrote:
> > >>> There are ways, but they're hacks, and harder to get right than NAT or
> > >>> asking for another address. (And if you're already using NAT, you'll be
> > >>> renumbering the end hosts anyway, so moving block shouldn't be all that
> > >>> painful).
> > >>
> > >> Couldn't you bridge the DMZ? Not as simple, but not a hack either.
> > >
> > > Ah, how could I forget about that! (probably repressed from trying
> > > to combine it with rdr before and getting very confused :-)
> >
> > Oh, hang on. But then the IP address you were giving the firewall has
> > to be given to the router instead, so this doesn't gain you anything.
> >
>
> hmmmmm, maybe I'm misunderstanding the concept of a bridge, but from
> what I read you can assign an IP to $ext_if, and bridge (and filter
> of course) the $dmz_if to $ext_if? Where is the extra IP wasted?
Because you still need to use one of the public addresses as a gateway for the other machines. If you bridge, it goes on the router; if you route, it goes on the firewall. (Since you say you are NATting for another subnet, you obviously already need to have a public address on the firewall to NAT to.)