
Re: Firewall Related Question

On Mon, Oct 22, 2001 at 07:30:56PM +0200, Alson van der Meulen wrote:
> On Mon, Oct 22, 2001 at 10:17:59AM -0700, tony mancill wrote:
> > I'd recommend the former (firewalling on each server).  This will let you
> > customize the firewall for that server alone, and spread the packet
> > filtering load and logging.  Also, with no access to the Cisco box, you'd
> > have to either MASQ or SNAT with proxy arps if you do insert a firewall
> > into the packet path to get the traffic to cross the firewall.  (The Cisco
> > is going to assume that the subnet with the DMZ address space is still
> > directly attached.)
> With FreeBSD/OpenBSD, you could use a packet filtering bridge (quite nice
> IMO), put two ethernet cards in a box, one to cisco, second to switch
> with Debian servers, no need for an IP address at the bridge, just
> bridge and firewall.
> I'm not sure if Linux can do this, maybe there are some patches for
> iptables to do it?

Linux can do this as well - that's how the DMZ on our network is
firewalled.  I'd recommend inserting a DMZ box and using packet filtering
on each of the boxes individually.

Note that when you insert the firewall box in front of your network it
can take up to four hours for the upstream arp cache to refresh.

Of course, you could buy a hardware-based firewall to replace the DMZ
box for $2-3K, but that takes all the fun out of it.
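As an added example (not part of this thread and not the poster's own setup), the following shell script builds the kind of Linux bridging firewall the reply describes: two interfaces joined into an address-less bridge, one toward the router and one toward the switch holding the DMZ servers, with iptables filtering what crosses the bridge, plus the per-server INPUT policy the reply also recommends. It uses current iproute2 and iptables syntax (the physdev match and br_netfilter) rather than the 2001-era bridge patches. The interface names eth0/eth1, the TEST-NET-1 prefix 192.0.2.0/24, the port list and the ROLE/DRY_RUN switches are all assumptions chosen for the example. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Transparent (bridging) packet filter for a DMZ on Linux, plus a local
# INPUT policy for each DMZ server. Assumed topology: OUTSIDE faces the
# router, INSIDE faces the switch with the DMZ servers. Neither interface
# gets an IP address; the bridge br0 joins them and iptables filters the
# frames that cross it. All names and addresses below are placeholders.

DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands, 0 = execute (root)
ROLE="${ROLE:-bridge}"              # bridge = DMZ box, host = a DMZ server
OUTSIDE="${OUTSIDE:-eth0}"
INSIDE="${INSIDE:-eth1}"
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"  # constructed TEST-NET-1 placeholder
SERVICES="${SERVICES:-80 443}"      # TCP ports reachable from outside

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the bridge. No member carries an address, so the router still sees
# the DMZ subnet as directly attached and keeps using the servers' own MACs.
make_bridge() {
    run ip link add name br0 type bridge
    run ip link set "$OUTSIDE" master br0
    run ip link set "$INSIDE" master br0
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set br0 up
    # Bridged frames only traverse iptables when br_netfilter is loaded and
    # this sysctl is enabled.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# FORWARD chain for the bridge: default deny, stateful replies, then an
# explicit allow list. physdev matches the bridge port a frame came in on
# and the port it would leave by.
filter_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in $SERVICES; do
        run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" \
            --physdev-out "$INSIDE" -d "$DMZ_NET" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # DMZ hosts may open outbound connections (DNS, package mirrors, ...).
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" \
        --physdev-out "$OUTSIDE" -s "$DMZ_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Log, rate-limited, whatever the default policy is about to drop.
    run iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "DMZ-DROP: "
}

# Per-server INPUT policy, so each host defends itself even if the bridge
# is bypassed or misconfigured, and filtering load and logging are spread.
host_rules() {
    run iptables -P INPUT DROP
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in $SERVICES; do
        run iptables -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    run iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "HOST-DROP: "
}

bridge_firewall_plan() {
    make_bridge
    filter_rules
}

# Print the plan by default; "apply" (as root) executes it.
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
if [ "$ROLE" = "host" ]; then
    host_rules
else
    bridge_firewall_plan
fi
```

Run it once without arguments on the DMZ box to review the generated rule set, and with `ROLE=host` on each server for its local policy; only then execute with `apply`. Keeping the bridge members address-less is what makes the box invisible to the router and the servers, which is the property the reply above describes.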
