I'm leasing a block of 16 IP addresses in order to service a DNS server, 2 mail servers and a number of e-commerce sites, each of which needs its own IP address for the security certificate. I ran a small group of servers on a single IP before to service a hobby, but the software firewall on the Linux distro was adequate for that. With the new setup, I need a dedicated system, but I'm a little out of my depth.
The hardware I have available is a 75 MHz Pentium I with 64 MB of memory. The available media include a 3.5-inch floppy, a DVD-ROM and a 4.3 MB SCSI hard drive. If I don't need the hard drive in the firewall system, then I'd rather pull the card out to use it for some devices on the network. It would also improve my comfort level on the firewall system.
I'd rather have the internal network obscured from the Internet, but the whole point of the leased addresses is to ensure that security certificates for the websites and reverse pointers for the mail servers work properly. Is Proxy-ARP the best solution for this? I think I recall one firewall distro dropping Proxy-ARP support for security reasons; what validity is there to that issue?
With 16 external addresses to route, is proxy-ARP a better solution than SNAT? Which Linux- or BSD-based firewall distros provide the necessary functionality? Are any of them significantly more transparent in their controls than the others? I'm not looking for a plug-and-play configuration, but something that lets me see what is going on and make any changes without having some script reverse them out when I reboot 3 months from now.
One wrinkle... At least at the beginning there won't be a physical interface for each of the inbound IP addresses. For example, the mail server may be on eth0, but several websites will be on virtual interfaces in the network. Am I asking for trouble interjecting IP masquerading into this, or is there any simpler way to implement this (without buying more hardware right away)?
Thank you for your assistance,
Chris
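The two approaches the post weighs, 1:1 NAT versus proxy-ARP, in one Linux iptables rule generator. This is an added example, not part of the thread or of any particular firewall distro; the public block 203.0.113.0/28, the interface names eth0/eth1 and the host/service map are hypothetical. In nat mode each server keeps a private DMZ address and the firewall rewrites both directions (DNAT in, SNAT out) so the server's public address, its certificate and its PTR record all line up; in proxyarp mode the servers carry the public addresses themselves and the firewall only answers ARP for them and filters, with no address rewriting at all.

```shell
#!/bin/sh
# Rule generator for a Linux firewall fronting a leased /28 of public addresses.
# Added illustration, not from the original thread: the block 203.0.113.0/28, the
# interface names and the host/service map below are hypothetical.
#   MODE=nat       servers use RFC 1918 addresses in a DMZ; the firewall does 1:1
#                  DNAT in and SNAT out, so each server keeps "its" public address
#   MODE=proxyarp  servers carry the public addresses themselves; the firewall
#                  answers ARP on their behalf and only filters, no address rewriting
# Commands are printed for review; they are executed only when APPLY=1.

WAN_IF="${WAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
MODE="${MODE:-nat}"

# Hypothetical service map: public-ip private-ip proto ports
# (private-ip is unused in proxyarp mode, where the server owns public-ip itself)
SERVICES='
203.0.113.2 192.168.10.2 udp 53
203.0.113.2 192.168.10.2 tcp 53
203.0.113.3 192.168.10.3 tcp 25
203.0.113.4 192.168.10.4 tcp 25
203.0.113.5 192.168.10.5 tcp 80,443
203.0.113.6 192.168.10.6 tcp 80,443
'

# Unique public/private host pairs from the service map.
hosts() {
    printf '%s\n' "$SERVICES" | awk 'NF == 4 { print $1, $2 }' | sort -u
}

# Rules shared by both modes: forwarding on, default-deny, return traffic allowed.
base_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -F FORWARD\n'
    printf 'iptables -t nat -F\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# NAT mode, one service: rewrite the public destination to the DMZ host and allow it in.
nat_service() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s -m multiport --dports %s -j DNAT --to-destination %s\n' \
        "$WAN_IF" "$1" "$3" "$4" "$2"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s -m multiport --dports %s -j ACCEPT\n' \
        "$WAN_IF" "$DMZ_IF" "$2" "$3" "$4"
}

# NAT mode, one host: source-rewrite outbound traffic to the host's public address.
# Without this a mail server would leave via the firewall's own address and its
# forward/reverse DNS would no longer match.
nat_host() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$WAN_IF" "$2" "$1"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$DMZ_IF" "$WAN_IF" "$2"
}

# Proxy-ARP mode, one host: host route towards the DMZ, outbound allowed from its address.
# proxy_arp is enabled on both interfaces: the firewall answers the upstream router's
# ARP for the server on WAN_IF and the server's ARP for the router on DMZ_IF.
proxyarp_host() {
    printf 'ip route replace %s/32 dev %s\n' "$1" "$DMZ_IF"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$DMZ_IF" "$WAN_IF" "$1"
}

# Proxy-ARP mode, one service: plain filter rule on the unchanged public destination.
proxyarp_service() {
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s -m multiport --dports %s -j ACCEPT\n' \
        "$WAN_IF" "$DMZ_IF" "$1" "$3" "$4"
}

# Print the complete command list for the given mode (default: $MODE).
gen_ruleset() {
    mode=${1:-$MODE}
    base_rules
    case "$mode" in
    nat)
        hosts | while read -r pub priv; do nat_host "$pub" "$priv"; done
        printf '%s\n' "$SERVICES" | awk 'NF == 4' | while read -r pub priv proto ports; do
            nat_service "$pub" "$priv" "$proto" "$ports"
        done ;;
    proxyarp)
        printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$WAN_IF"
        printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$DMZ_IF"
        hosts | while read -r pub priv; do proxyarp_host "$pub"; done
        printf '%s\n' "$SERVICES" | awk 'NF == 4' | while read -r pub priv proto ports; do
            proxyarp_service "$pub" "$priv" "$proto" "$ports"
        done ;;
    *)  echo "unknown MODE: $mode" >&2; return 1 ;;
    esac
}

if [ "${APPLY:-0}" = 1 ]; then gen_ruleset "$MODE" | sh -e; else gen_ruleset "$MODE"; fi
```

Run it with `MODE=proxyarp` or `MODE=nat` and read the output before setting `APPLY=1`. Note two caveats a practitioner would check: the DNAT rule only matches on the WAN interface, so internal hosts talking to the public addresses are not translated (hairpin NAT needs extra rules), and neither mode survives a reboot on its own; the printed commands have to be re-run from an init script or saved with iptables-save and restored at boot.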