
Re: DMZ



On Sat, May 12, 2001 at 06:22:25AM -0700, Ray Olszewski wrote:
> You do need 3 NICs to do this safely, BTW; Cory's reply omitted the one that
> the DSL router connects to (at least here in PacBell territory). Sometimes
> people fake DMZs with IP aliasing on the internal NIC, but doing it this way
> defeats the security purpose of having a DMZ.

My reply (and my current setup) does have a NIC that connects to the DSL router.  I have IP aliasing on the external NIC, not the internal.  Aliasing the internal wouldn't do much good for security purposes.  The drawing I made actually excluded the switches; here's a more accurate rendition:


              aaa.bbb         /------dmz server1 10.1.x
internet -- dsl router -- dmz-switch
                            /
                           /
       firewall-eth1-------
        eth0
         \          10.0.x
          \---internal lan switches
         
eth1 is aliased to aaa.bbb and 10.1.x.  If a DMZ server is cracked, my internal network traffic still cannot be dumped.

Ray, is this unsafe?  Do you see a problem with my setup?  I am certainly open to constructive criticism.

Cory


> 
> At 10:16 PM 5/10/01 -0700, Kirk Schroeder wrote:
> >
> >Hello Debian People:
> >I was wondering if I can do this with Debian. I have a small LAN at home
> >that consists of several computers hooked up to the Inet with DSL. I am
> >currently using Coyote Linux LRP as my NAT/firewall. I want to run a web
> >server and I don't feel like letting port 80 into my private LAN, maybe I
> >am paranoid :) My firewall computer is a 486/133MHz with 32 megs of RAM;
> >it has 2 PCI NICs in it. Can I add a third NIC and set this up as a DMZ
> >to my web server? Also I need to use NAT as I only have one dynamic IP
> >address. I would like to know how to do this or point me in the right
> >direction to find info.
> 
> 
> 
> --
> ------------------------------------"Never tell me the odds!"---
> Ray Olszewski                                        -- Han Solo
> Palo Alto, CA           	 	         ray@comarre.com        
> ----------------------------------------------------------------
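The thread never shows an actual rule set, so here is one for the three-NIC layout Ray describes, written for this page as an illustration; it is not a script from Cory, Ray, Kirk or Coyote Linux. Interface names and addresses are assumptions for the example (eth0 = DSL side with the one dynamic IP, eth1 = DMZ 10.1.0.0/24 with the web server at 10.1.0.10, eth2 = internal LAN 10.0.0.0/24; note this numbering differs from Cory's diagram, where eth0 is internal), and it uses iptables rather than the ipchains/LRP tooling of the thread's era. `IPT` defaults to `echo iptables` so the generated rules can be reviewed without root:

```shell
#!/bin/sh
# Three-zone DMZ firewall (added example for this thread; assumed layout):
#   eth0 = DSL/public side, dynamic IP  -> NAT must be MASQUERADE
#   eth1 = DMZ, 10.1.0.0/24, web server at 10.1.0.10
#   eth2 = internal LAN, 10.0.0.0/24
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
WAN=eth0
DMZ=eth1
LAN=eth2
DMZ_NET=10.1.0.0/24
LAN_NET=10.0.0.0/24
WEB=10.1.0.10

build_rules() {
    # Default deny for everything the box forwards or receives; all else is an exception.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # Anti-spoofing: our private ranges never legitimately arrive on the public NIC.
    $IPT -A FORWARD -i $WAN -s $DMZ_NET -j DROP
    $IPT -A FORWARD -i $WAN -s $LAN_NET -j DROP

    # Replies belonging to connections that were already permitted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The rule that gives the DMZ its value: a cracked DMZ host can open no new
    # connections into the internal LAN, and every attempt is logged for review.
    $IPT -A FORWARD -i $DMZ -o $LAN -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP

    # From the Internet only TCP/80 gets in, and only to the web server (Kirk's requirement).
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB
    $IPT -A FORWARD -i $WAN -o $DMZ -p tcp -d $WEB --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Internal LAN may open connections to the Internet and to the DMZ; DMZ may reach the Internet.
    $IPT -A FORWARD -i $LAN -o $WAN -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $DMZ -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $WAN -m conntrack --ctstate NEW -j ACCEPT

    # One dynamic public address: hide both private networks behind whatever it is today.
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE

    # The firewall host itself: loopback, replies, and SSH from the internal LAN only.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Sanity check for a dry run: how many rules drop DMZ->LAN forwarding outright.
dmz_to_lan_drop_count() {
    build_rules | grep -c -- "-A FORWARD -i $DMZ -o $LAN -j DROP"
}

build_rules
```

Every rule keys on the inbound and outbound interface, which is where Ray's point about aliasing bites: netfilter matches `-i`/`-o` on the physical interface, so a DMZ that shares one aliased NIC with the DSL side cannot be told apart from the Internet in the FORWARD chain, while the three-NIC layout lets `-i eth1 -o eth2` mean exactly "DMZ to internal LAN". Packet forwarding (net.ipv4.ip_forward) still has to be enabled separately before the FORWARD chain sees any traffic.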
