
Re: DMZ



Actually 3 nics isn't necessary.  Here's my setup:

internet <--> dsl router <--> firewall eth0--> 10.0.x.x lan
           aaa.bbb.ccc.ddd<-- eth1 --> 10.1.x.x dmz

eth1 is aliased on aaa.x and 10.1.x, where aaa.x is a public IP. However, you do need 3 subnets; I just have two subnets on the external NIC.

The caveat?  Anything on the LAN segment between the DSL router and the firewall can dump the traffic that goes to the DMZ or internet.  However, I'm not concerned about that traffic, as the DMZ is untrusted anyway, and that particular segment is all in house.

I'm using iptables, because the ipchains ruleset for the above is more involved.  The stateful ruleset is simpler, although it may take a little study (at least it did for me).

Plus, with iptables you can easily do destination NAT (port forwarding) and masquerading without messing with ipmasqadm.  See samba.netfilter.org for the HOWTOs.


Cory
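
The layout above written out as a stateful iptables ruleset, as an added example (these are not Cory's actual rules). It assumes placeholder addresses: 203.0.113.5 for the public aaa.bbb.ccc.ddd on eth1, 10.1.0.10 for the DMZ web server, and an SSH admin rule that the post does not mention.

```shell
#!/bin/sh
# Stateful iptables ruleset for the two-NIC, three-subnet layout in the post.
# Added example with constructed addresses; not the poster's actual rules.
# IPT defaults to a dry run that prints the commands; run with IPT=iptables to
# apply them (and enable forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward).
IPT="${IPT:-echo iptables}"

PUB_IP="203.0.113.5"      # placeholder for aaa.bbb.ccc.ddd on eth1
LAN_NET="10.0.0.0/16"     # eth0, trusted LAN
DMZ_NET="10.1.0.0/16"     # alias on eth1, untrusted DMZ
WEB="10.1.0.10"           # assumed DMZ web server address
ST="-m state --state"

dmz_rules() {
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # Replies to connections the firewall already tracks.
    $IPT -A INPUT   -i lo -j ACCEPT
    $IPT -A INPUT   $ST ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD $ST ESTABLISHED,RELATED -j ACCEPT
    # Admin access to the firewall itself only from the LAN side (assumption).
    $IPT -A INPUT -i eth0 -s "$LAN_NET" -p tcp --dport 22 $ST NEW -j ACCEPT

    # LAN may open connections to the internet and to the DMZ (both via eth1).
    $IPT -A FORWARD -i eth0 -o eth1 -s "$LAN_NET" $ST NEW -j ACCEPT
    # DMZ may reach the internet (in and out on eth1) but never the LAN.
    $IPT -A FORWARD -i eth1 -o eth0 -s "$DMZ_NET" -j DROP
    $IPT -A FORWARD -i eth1 -o eth1 -s "$DMZ_NET" $ST NEW -j ACCEPT

    # Port forwarding: public :80 is DNATed to the web server, then allowed
    # through FORWARD; no other new connection from the internet reaches the DMZ.
    $IPT -t nat -A PREROUTING -i eth1 -d "$PUB_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    $IPT -A FORWARD -i eth1 -o eth1 -d "$WEB" -p tcp --dport 80 $ST NEW -j ACCEPT

    # Masquerade LAN and DMZ behind the public IP; LAN->DMZ keeps real sources.
    $IPT -t nat -A POSTROUTING -o eth1 -s "$LAN_NET" ! -d "$DMZ_NET" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o eth1 -s "$DMZ_NET" -j MASQUERADE
}

dmz_rules
```

The sniffing caveat from the post still applies: because DMZ and internet traffic share the eth1 segment, these rules separate the networks at the firewall but do nothing about hosts on that segment watching the wire.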


On Fri, May 11, 2001 at 01:24:52PM +0200, Michael R. Schwarzbach wrote:
>  
> Hi
> 
> Absolutely no problem.
> You simply need 3 NICs and 3 different subnets.
> The rest is ipchains.
> www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
> 
> Michael Schwarzbach
> 
> > -----Original Message-----
> > From: Kirk Schroeder [mailto:kirkschr@pacbell.net]
> > Sent: Friday, 11 May 2001 07:17
> > To: debian-firewall@lists.debian.org
> > Subject: DMZ
> > 
> > Hello Debian People:
> > I was wondering if I can do this with Debian. I have a small LAN at
> > home that consists of several computers hooked up to the Inet with
> > DSL. I am currently using coyote linux LRP as my NAT/firewall. I
> > want to run a web server and I don't feel like letting port 80 into
> > my private LAN, maybe I am paranoid :) My firewall computer is a
> > 486/133MHz with 32 megs of RAM; it has 2 PCI NICs in it. Can I add a
> > third NIC and set this up as a DMZ to my web server? Also I need to
> > use NAT as I only have one dynamic IP address. I would like to know
> > how to do this, or be pointed in the right direction to find info.
> > 
> > Kirk Schroeder
> > 
> > 
> > --
> > To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> 
> 
> 