> Let's say we have a public network (192.168.7.0/24) and a private network
> (192.168.7.0/24) (that's not a typo) and a gateway (Moo) between the
> networks with eth0 being on the 192.168.7.0/25 network (connected to
> the public network) and eth1 on the 192.168.7.128/25 network (connected to the
> private network).
>
> So GoodClient can see Moo since its host address is below 128. BadClient
> cannot since its host address is above 128. And the private network is
> populated with GoodServers with host addresses above 128.
>
> And packets can't get across because there's no route between the public
> and private interfaces.
>
> I am of the opinion that no packet can come in on the public interface
> and either get received by the private address or go out on the private
> network. Paul disagrees.
If a machine on one side tries to send to a machine on the other
side, it will look at the IP address, see that it's the same subnet
and then do an ARP. Nothing will respond to that ARP, and the IP
layer will eventually return Destination Host Unreachable.

On the other hand, you could configure Moo to proxy ARP. It will
then respond to the ARP request and (if forwarding is enabled)
act as a router.

That's the "operational" point of view. The "security" point
of view is different: BadClient can add entries to its own
ARP table saying that GoodClient's ethernet address is the
address of Moo. Then Moo will route for it, if forwarding
is enabled.

Later,
Kenn
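A constructed model of the exchange above, added here and not part of the thread (host addresses are assumed; the thread gives only the prefixes). It traces one packet from a host that believes the destination is on-link, through the ARP step, Moo's forwarding flag, and, as an added check the thread does not mention, Linux's strict reverse-path filter (net.ipv4.rp_filter=1), which discards a frame whose source address would not route back out the interface it arrived on.

```python
import ipaddress

# Constructed topology following the thread: every host thinks it sits on
# 192.168.7.0/24, while Moo splits that range into one /25 per interface.
MOO_MAC = "moo"
MOO_IF = {"eth0": ipaddress.ip_network("192.168.7.0/25"),     # public side
          "eth1": ipaddress.ip_network("192.168.7.128/25")}   # private side
WIRE = {"eth0": {"192.168.7.10": "goodclient", "192.168.7.200": "badclient"},
        "eth1": {"192.168.7.150": "goodserver"}}   # assumed addresses

def moo_egress(ip):
    """Longest-prefix match over Moo's connected routes; None when nothing matches."""
    hits = [(n.prefixlen, i) for i, n in MOO_IF.items() if ipaddress.ip_address(ip) in n]
    return max(hits)[1] if hits else None

def resolve(wire, dst, proxy_arp, static_arp):
    """Who answers an ARP for dst on this wire: a static cache entry wins,
    then the real owner, then Moo if proxy ARP is on for that interface."""
    if dst in static_arp:
        return static_arp[dst]
    if dst in WIRE[wire]:
        return WIRE[wire][dst]
    return MOO_MAC if proxy_arp.get(wire) else None

def deliver(wire, src, dst, ip_forward=False, rp_filter=False,
            proxy_arp=None, static_arp=None):
    """Trace one packet sent from `src` on `wire` to `dst` (same subnet from the
    sender's view, so it ARPs). Returns (outcome, reason)."""
    proxy_arp, static_arp = proxy_arp or {}, static_arp or {}
    mac = resolve(wire, dst, proxy_arp, static_arp)
    if mac is None:
        return ("unreachable", "no ARP reply: Destination Host Unreachable")
    if mac != MOO_MAC:
        return ("delivered", f"direct on {wire} to {mac}")
    # Frame is addressed to Moo but the IP destination is not Moo's own:
    # this is a forwarding decision, not a matter of "no route".
    if not ip_forward:
        return ("dropped", "net.ipv4.ip_forward=0")
    if rp_filter and moo_egress(src) != wire:
        return ("dropped", f"rp_filter: {src} would route via {moo_egress(src)}, not {wire}")
    out = moo_egress(dst)
    if dst not in WIRE.get(out, {}):
        return ("unreachable", f"Moo routes to {out} but nobody there answers ARP")
    return ("forwarded", f"{wire} -> {out} to {WIRE[out][dst]}")
```

Run through the cases in the thread: with nothing configured the ARP goes unanswered; with proxy ARP plus forwarding Moo acts as a router; with a static ARP entry pointing at Moo the packet crosses to the private segment whenever ip_forward is on, and only ip_forward=0 or the reverse-path filter stops it.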