Re: EXT/INT/DMZ topology with small subnet from ISP: SOLVED

Stan Kaufman wrote:

> (Actually, as I think about it, I don't understand this
> diagram, since it shows static, public ip addresses in the DMZ yet uses
> PPP to connect to the ISP.)

It is possible to assign a static IP over a PPP connection. I worked for
an ISP years ago and we did that fairly often. People would pay an
additional $25/mo. just to get a static IP on their dialup line. We
would just associate that person's UID with a particular IP in the

> 1. Just IPMASQ the DMZ (like GOOD) and portforward the services you want
> to run in the DMZ.
> This sidesteps the problem and may be the preferred solution; I'm
> interested in hearing how many people out there host their servers in
> this way. However, it fails to use the extra ip addresses (unless you
> alias them to the firewall box and statically translate them into the
> DMZ, but it's unclear to me how this is superior to the simple IPMASQ
> solution).

This doesn't allow multiple machines to provide a service on the same
port. For example, you might want to allow for primary and secondary
mail and DNS servers, or something like that.

> 3. Forget this topology and just expose the web/mail/etc hosts in EXT.
> Very simple and certainly a fallback. By running IPCHAINS on each
> exposed host, you get basically the same result as the DMZ filtering
> from the target topology. I suspect a lot (most?) people do this. If I
> hadn't managed to get things to work, I would have done this. Perhaps
> this is the preferred solution. Still, I wasn't happy giving up without
> figuring this out ;-)

I'm using this setup on one network that I admin. It's a slight hassle
to have to modify the ipchains rules for each machine, but since it's a
small installation and fairly static, it works well. I do regular
security audits and port scans to make sure things are still as they
should be.

Bryan Voss
    PGP Key: http://www.vosswerx.com/bvoss/pgpkey.txt
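As an added illustration of the option discussed above (filtering on each exposed host with ipchains rather than behind a DMZ), here is a small per-host rule generator. This is example code, not something posted in the thread or taken from any of the participants' systems. The address 203.0.113.10, the interface name eth0 and the service list are constructed placeholders; by default the script only prints the ipchains commands it would run, and applies them only when APPLY=1 is set, so the rule set can be reviewed or diffed during the kind of audit the reply mentions.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny ipchains input policy
# for a server exposed directly on the external segment. Prints the
# commands by default; APPLY=1 executes them. Values below are placeholders.

HOST_IP="${HOST_IP:-203.0.113.10}"   # constructed example address
IFACE="${IFACE:-eth0}"               # assumed external interface name
SERVICES="${SERVICES:-25 53 80}"     # TCP ports this host publishes

# run: print the ipchains command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        ipchains "$@"
    else
        echo "ipchains $*"
    fi
}

# host_rules: emit the complete input-chain policy for this host.
host_rules() {
    # Start from a clean chain and deny inbound traffic by default.
    run -F input
    run -P input DENY
    # Loopback traffic is always allowed.
    run -A input -i lo -j ACCEPT
    # Replies to connections this host opened: TCP segments without SYN.
    run -A input -i "$IFACE" -p tcp ! -y -j ACCEPT
    # Each published service is opened explicitly, to this host's address only.
    for p in $SERVICES; do
        run -A input -i "$IFACE" -p tcp -d "$HOST_IP" "$p" -j ACCEPT
        # A DNS server also needs UDP 53.
        if [ "$p" = "53" ]; then
            run -A input -i "$IFACE" -p udp -d "$HOST_IP" 53 -j ACCEPT
        fi
    done
    # Answers to this host's own DNS lookups arrive from source port 53.
    run -A input -i "$IFACE" -p udp -s 0/0 53 -d "$HOST_IP" -j ACCEPT
    # Log everything else before the policy denies it, so an audit can see
    # what was attempted against this host.
    run -A input -i "$IFACE" -l -j DENY
}

host_rules
```

Because each exposed host carries its own copy of this policy, the script is meant to be kept under version control and re-run on every host whenever the service list changes; comparing its dry-run output against `ipchains -L -n` on the box is a quick way to confirm the live rules still match what was intended.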

