
Re: Small network with a single real IP



On Tue, Nov 07, 2000 at 06:14:09PM +0100, Marcin Owsiany wrote:
> On Tue, Nov 07, 2000 at 10:20:05AM -0800, jpm@nsimail.com wrote:
> > > Should I set up two internal private subnets (one for the ftp/www),
> > > and one for the other computers? What kind of communication should I allow
> > > between them, in case the www/ftp box gets broken? Is that the way to go?
> 
> [...]
> > I don't see any benefit in having two subnets, if your FW gets broken into
> > then your whole network is in trouble anyway.
> 
> I think he means something like that:
>  - if you have two internal networks X and Y
>  - hosts x1, x2, ..., xn are connected only to network X
>  - hosts y1, y2, ..., ym are connected only to network Y
>  - host r is connected to both X and Y
>
Yes, this is what I had in mind.
Thanks to all of you for your replies. 
Things are getting clearer. I'll probably go with the following:

     +----------+
DSL--| Firewall |
     +----------+
       |      |
       |      |
      www   secure

Firewall:

* Blocks everything from outside but www and ssh2 which it forwards to www.
* Blocks everything from www to secure but ssh2
* Masquerades secure

The only problem is that I currently only have two NICs in my firewall.
Is it totally useless (security wise) to create two different subnets anyway?
Should I really buy another NIC?

Sincerely,
Julien
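One way to express the three firewall rules above as a netfilter ruleset, added here as an illustration and not part of Julien's mail. It assumes Linux iptables, that eth0 is the DSL side, eth1 the www segment and eth2 the secure segment, and uses constructed private addresses; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example for the layout in the mail: DSL -- firewall -- {www, secure}.
# Interface names and addresses below are assumptions, not from the original post.
IPT=${IPT:-iptables}        # IPT=echo gives a dry run
EXT_IF=eth0; WWW_IF=eth1; SEC_IF=eth2
WWW_HOST=192.168.1.2        # constructed address of the www/ftp box
SEC_NET=192.168.2.0/24      # constructed address range of the secure subnet

apply_rules() {
    # Default deny for traffic to and through the firewall; allow replies back.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F; $IPT -t nat -F
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rule 1: from outside only www (80) and ssh (22), forwarded to the www host.
    for port in 80 22; do
        $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $port -j DNAT --to-destination $WWW_HOST
        $IPT -A FORWARD -i $EXT_IF -o $WWW_IF -p tcp -d $WWW_HOST --dport $port -m state --state NEW -j ACCEPT
    done

    # Rule 2: from www to secure only ssh; anything else hits the FORWARD DROP policy.
    $IPT -A FORWARD -i $WWW_IF -o $SEC_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Rule 3: masquerade the secure subnet on its way out to the DSL side.
    $IPT -A FORWARD -i $SEC_IF -o $EXT_IF -s $SEC_NET -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $SEC_NET -j MASQUERADE
}
```

Traffic from secure to www is not mentioned in the mail, so no rule is given for it here and it stays dropped.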


