Re: DMZ
On Sat, May 12, 2001 at 06:22:25AM -0700, Ray Olszewski wrote:
> You do need 3 NICs to do this safely, BTW; Cory's reply omitted the one that
> the DSL router connects to (at least here in PacBell territory). Sometimes
> people fake DMZs with IP aliasing on the internal NIC, but doing it this way
> defeats the security purpose of having a DMZ.
My reply (and my current setup) does have a NIC that connects to the DSL router. I have IP aliasing on the external NIC, not the internal. Aliasing the internal wouldn't do much good for security purposes. The drawing I made actually excluded the switches; here's a more accurate rendition:
                              aaa.bbb     /------ dmz server1 (10.1.x)
    internet -- dsl router -- dmz-switch
                                  /
                                 /
                  firewall-eth1-/
                  eth0
                     \ 10.0.x
                      \---- internal lan switches
eth1 is aliased to aaa.bbb and 10.1.x. If a DMZ server is cracked, my internal network traffic still cannot be dumped.
Ray, is this unsafe? Do you see a problem with my setup? I am certainly open to constructive criticism.
Cory
>
> At 10:16 PM 5/10/01 -0700, Kirk Schroeder wrote:
> >
> >Hello Debian People:
> >I was wondering if I can do this with Debian. I have a small LAN at home
> >that consists of several computers hooked up to the Inet with DSL. I am
> >currently using Coyote Linux LRP as my NAT/firewall. I want to run a web
> >server and I don't feel like letting port 80 into my private LAN; maybe I
> >am paranoid :) My firewall computer is a 486/133MHz with 32 megs of RAM;
> >it has 2 PCI NICs in it. Can I add a third NIC and set this up as a DMZ
> >for my web server? Also I need to use NAT as I only have one dynamic IP
> >address. I would like to know how to do this or be pointed in the right
> >direction to find info.
>
>
>
> --
> ------------------------------------"Never tell me the odds!"---
> Ray Olszewski -- Han Solo
> Palo Alto, CA ray@comarre.com
> ----------------------------------------------------------------
>
>
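An added example, not code from the original thread or from either poster: an iptables ruleset for the layout Cory draws above, where eth0 faces the internal LAN (10.0.x) and eth1 carries both the public address (aaa.bbb) and the DMZ network (10.1.x) on the same switch as the DSL router. The interface names are Cory's; the /24 masks, the DMZ web server address 10.1.0.2, and the use of a 2.4-kernel iptables toolset rather than the ipchains that Coyote LRP ships are assumptions. The point it makes concrete is that once the DMZ and the public side share one interface, "which NIC did this arrive on" no longer separates a DMZ host from the Internet, so the rules have to key on addresses, and a cracked DMZ server must be stopped from spoofing an internal source address on eth1. The script only echoes the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original thread. iptables rules for a firewall
# with eth0 = internal LAN and eth1 = DSL router + DMZ (aliased interface).
# Assumed values (the page gives none): /24 networks, web server 10.1.0.2,
# iptables on a 2.4 kernel. Dry run by default; set APPLY=1 to execute.

EXT_IF=eth1            # DSL router and DMZ switch hang off this interface
INT_IF=eth0            # internal LAN
LAN_NET=10.0.0.0/24
DMZ_NET=10.1.0.0/24
WEB=10.1.0.2           # DMZ web server (assumed address)

if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; else IPT="echo iptables"; fi

apply_rules() {
    # Start clean; default deny for anything the box must route or receive.
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing. A cracked DMZ host sits on eth1 and could send packets
    # with a 10.0.x source to get past a LAN-only rule. Internal addresses
    # are only valid arriving on eth0, and eth0 only carries internal ones.
    $IPT -A INPUT   -i $EXT_IF   -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $EXT_IF   -s $LAN_NET -j DROP
    $IPT -A INPUT   -i $INT_IF ! -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $INT_IF ! -s $LAN_NET -j DROP

    # Replies to connections permitted below; nothing else reaches the
    # firewall itself except ssh from the LAN.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -i $INT_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT

    # Internal LAN may open connections to the DMZ and to the Internet.
    $IPT -A FORWARD -i $INT_IF -s $LAN_NET -j ACCEPT

    # Internet -> DMZ web server only. Port 80 arriving on eth1 from a
    # non-DMZ source is DNATed to the server, and only that flow is forwarded
    # (it re-enters eth1 on the way out; iptables allows that hairpin).
    $IPT -t nat -A PREROUTING -i $EXT_IF ! -s $DMZ_NET -p tcp --dport 80 \
        -j DNAT --to-destination $WEB:80
    $IPT -A FORWARD -i $EXT_IF ! -s $DMZ_NET -d $WEB -p tcp --dport 80 -j ACCEPT

    # DMZ -> internal LAN is never allowed. Log it first so a compromised
    # server probing inward shows up in syslog, then drop explicitly.
    # This pair must come before the DMZ -> anywhere rule below.
    $IPT -A FORWARD -s $DMZ_NET -d $LAN_NET -j LOG --log-prefix "DMZ->LAN: "
    $IPT -A FORWARD -s $DMZ_NET -d $LAN_NET -j DROP

    # DMZ may reach the Internet (updates, DNS); the LAN is already excluded.
    $IPT -A FORWARD -s $DMZ_NET ! -d $LAN_NET -j ACCEPT

    # One public address: everything leaving toward the router is NATed.
    # Traffic to the DMZ itself stays un-NATed so its logs show LAN sources.
    $IPT -t nat -A POSTROUTING -o $EXT_IF ! -d $DMZ_NET -j MASQUERADE
}

apply_rules
```

Rule order matters: the DMZ-to-LAN drop sits above the DMZ-to-Internet accept, and the anti-spoof drops sit above the ESTABLISHED accept, so a forged packet cannot be matched as a reply. For Kirk's three-NIC variant the DMZ gets its own interface and the address-based anti-spoof rules can be tightened to plain interface matches, but the LAN/DMZ separation logic is the same.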