
Re: Security: port-fw vs. ip-aliasing



How about proxy arp and host routes?

                        eth2        eth1
Internet -- ?? DSL .1 -- .2 firewall .3 ---------- .4 DMZ1
                            10.0.0.1         |
                              eth0           |
                               |             |____ .5 DMZ2
                               |             |
                               |             |____ .6 DMZ3
                            internal net

This config will give you three ip addresses on your DMZ and you can
use regular routing to access them.

The DSL router (or whatever) probably can't easily be programmed to route
through the firewall to the DMZ machines. So use proxy arp on the
firewall to tell the router to send traffic to those addresses to the
firewall. Something like:

  arp -i eth2 -Ds x.x.x.4 eth2 pub
  arp -i eth2 -Ds x.x.x.5 eth2 pub
  arp -i eth2 -Ds x.x.x.6 eth2 pub

Then set up host routes on the firewall (with only 8 addresses you
can't really use subnets here). Your internal machines will have the
firewall as their default gateway.

If you have the resources, you might want to consider:

                        eth1        eth0
Internet -- ?? DSL .1 -- .2 firewall .3 ---------- .4 DMZ1
                                             |
                                             |
                                             |____ .5 DMZ2
                                             |
                                             |____ .6 firewall2
                                                  eth1    10.0.0.1
                                                            eth0
                                                             |
                                                             |
                                                          internal net

I've used a config similar to the second one (16 addresses instead of 8)
at several sites.

On Wed, May 23, 2001 at 08:16:22AM +0200, T. Schlenkhoff wrote:
> It seems that Stan Kaufmann thought about the same problem here.
> To make it clear, I really appreciate a DMZ :-) but I wonder how to get the
> packets in there. At least as far as I understood the topic I have two
> choices: port-forwarding (if my mail.x.com domain and my www.x.com domain
> are on one ip-address) or ip-aliasing (if my mail.x.com domain and my
> www.x.com domain are on different ip-addresses).
> 
> Pros & Cons:
> Port-forwarding:	+simple firewall-ruleset (thanks Cory)
> 			-one can't access own DMZ-webservices
> 			 easily (spoofing - see Cory's mail on that)
> 			-only one service per port
> ip-aliasing:		-complex firewall-ruleset
> 			+can access own DMZ-webservices? (request for
> 			 confirmation here)
> 			+using all the paid ip-addresses :-)
> 
> Did I miss some important points?
> 
> Looks like forwarding is the best option - if you only need one service on
> every port.
> 
> 
> Thanks for all your feedback,
> 
> tom
> 
> 

-- 
Lee Bradshaw                 lee@sectionIV.com
Texas Instruments            bradshaw@ti.com
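A small Python model of the first design above (proxy ARP on eth2 plus host routes), added here as an illustration and not part of the original thread. 203.0.113.0/29 is a constructed stand-in for the x.x.x.0/29 DSL allocation; the model assumes, as Linux does, that a published ARP entry is only answered when the target is reached via a different interface than the one the request arrived on, so the firewall never shadows the real DMZ host on eth1.

```python
import ipaddress

# Constructed addresses: the post writes x.x.x.N; 203.0.113.0/29 is a
# documentation-only block standing in for that 8-address allocation.
EXT_NET = ipaddress.ip_network("203.0.113.0/29")
FW_EXT = ipaddress.ip_address("203.0.113.2")   # firewall eth2 (DSL side)
FW_DMZ = ipaddress.ip_address("203.0.113.3")   # firewall eth1 (DMZ side)
DMZ_HOSTS = [ipaddress.ip_address(f"203.0.113.{n}") for n in (4, 5, 6)]

# Routing table as (prefix, out_iface). The /32 host routes for the DMZ
# boxes beat the connected /29 on eth2 by longest-prefix match, which is
# why host routes (not a subnet) are needed in an 8-address block.
ROUTES = [(ipaddress.ip_network(f"{h}/32"), "eth1") for h in DMZ_HOSTS]
ROUTES += [(EXT_NET, "eth2"),
           (ipaddress.ip_network("10.0.0.0/24"), "eth0"),
           (ipaddress.ip_network("0.0.0.0/0"), "eth2")]  # default via DSL .1

# Published (proxy) ARP entries: `arp -i eth2 -Ds x.x.x.N eth2 pub`
PROXY_ARP = {("eth2", h) for h in DMZ_HOSTS}

# Firewall's own address on each interface.
OWN_ADDR = {"eth2": FW_EXT, "eth1": FW_DMZ}


def route_lookup(dst):
    """Return the interface a packet for dst leaves on (longest prefix wins)."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if dst in net]
    return max(matches)[1]


def answers_arp(iface, target):
    """Would the firewall answer an ARP request for target seen on iface?

    It answers for its own address on that interface, or for a published
    entry, but only when the target routes out a *different* interface
    (modelled Linux check); otherwise it would compete with the real DMZ
    host's own ARP replies on the DMZ segment."""
    target = ipaddress.ip_address(target)
    if OWN_ADDR.get(iface) == target:
        return True
    return (iface, target) in PROXY_ARP and route_lookup(target) != iface


if __name__ == "__main__":
    for h in DMZ_HOSTS:
        print(f"ARP for {h} on eth2 answered: {answers_arp('eth2', h)}, "
              f"forwarded out {route_lookup(h)}")
```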