[Gllug] Firewalling

Daniel Fairs daniel.fairs at spiderplant.net
Thu Aug 23 13:45:52 UTC 2001


Aha - that all looks quite logical. Thanks :).

Dan

> -----Original Message-----
> From: gllug-admin at linux.co.uk [mailto:gllug-admin at linux.co.uk]On Behalf
> Of Dan Kolb
> Sent: 23 August 2001 14:39
> To: gllug at linux.co.uk
> Subject: RE: [Gllug] Firewalling
>
>
> On Thu, 23 Aug 2001, Daniel Fairs wrote:
>
> > Sure, the publicly accessible servers need 'real' IP addresses.
> However, is
> > there any reason to give the NIC for the DMZ a public IP, as it
> will have a
> > public NIC anyway? So, to conclude, the 'internal' NIC and the DMZ NIC
> > should be DHCP'd, the external NIC should have a real IP, and
> the machines
> > in the DMZ should (of course) have a real IP. Correct?
>
> Not quite. The machines in the DMZ (including the firewall) need to be on
> the same subnet, otherwise they can't communicate with each other.
>
> Let's say, for the sake of example, that your internal network is
> 192.168.0.*, and your ISP has given you IP addresses 1.1.1.0 to 1.1.1.8
> (subnet mask 255.255.255.248). Now, .0 and .8 are unusable (network and
> broadcast addresses respectively). So, give your card plugged into the
> ADSL connection an IP address of 1.1.1.1. Give your card plugged into
> your internal network an IP address of 192.168.0.1, and set it up for
> masquerading. Now give your DMZ network card an IP address of 1.1.1.2, and
> your DMZ machines IP addresses between 1.1.1.3 and 1.1.1.7, setting their
> default routes to 1.1.1.2. Then you need to set up your firewall so that
> any packets destined for 1.1.1.[3-7] get forwarded to the DMZ network
> card, and any from those IP addresses get forwarded to your external card,
> with appropriate firewalling rules.
>
> Sorry if it hasn't made it any clearer, or if it's complete crap. I hope
> it's not :-)
>
> Dan
> --
> dankolb at ox.compsoc.net
>
> --I reserve the right to be completely wrong about any comments or
>   opinions expressed; don't trust everything you read above--
>
>
> --
> Gllug mailing list  -  Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug
>
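As an added example (not part of the thread), here is a small Python model of the forwarding and masquerading decisions Dan Kolb describes above, handy for sanity-checking a rule set before it is turned into real firewall rules; the interface names "ext", "dmz" and "lan", the list of published DMZ services, and the DMZ-to-LAN block are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the quoted message; interface names "ext"/"dmz"/"lan" are assumed.
EXTERNAL_IP = ipaddress.ip_address("1.1.1.1")     # card on the ADSL link ("ext")
DMZ_GW_IP = ipaddress.ip_address("1.1.1.2")       # card on the DMZ segment ("dmz")
DMZ_HOSTS = {ipaddress.ip_address(f"1.1.1.{n}") for n in range(3, 8)}  # 1.1.1.[3-7]
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")  # masqueraded LAN ("lan")
# Assumed policy: only these DMZ services may be reached from the Internet.
PUBLISHED_PORTS = {25, 80, 443}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str  # "ext", "dmz" or "lan"

def decide(pkt: Packet) -> tuple:
    """Return the firewall's decision for one (stateless) forwarded packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Anti-spoofing: a packet must arrive on the card its source address belongs to.
    if pkt.in_iface == "lan" and src not in INTERNAL_NET:
        return ("DROP", "spoofed source on lan")
    if pkt.in_iface == "dmz" and src not in DMZ_HOSTS:
        return ("DROP", "spoofed source on dmz")
    if pkt.in_iface == "ext" and (src in INTERNAL_NET or src in DMZ_HOSTS):
        return ("DROP", "spoofed source on ext")
    if pkt.in_iface == "lan":
        # Internal hosts leave with the address of the outgoing card (masquerading).
        if dst in DMZ_HOSTS:
            return ("MASQUERADE", "dmz", str(DMZ_GW_IP))
        return ("MASQUERADE", "ext", str(EXTERNAL_IP))
    if pkt.in_iface == "ext":
        # Inbound traffic reaches the DMZ card only for published services; the private
        # LAN is never addressable from outside (masquerade replies need state, not modelled).
        if dst in DMZ_HOSTS and pkt.dport in PUBLISHED_PORTS:
            return ("FORWARD", "dmz")
        return ("DROP", "not a published DMZ service")
    if pkt.in_iface == "dmz":
        # DMZ hosts may reach the Internet but not the internal network, so a
        # compromised DMZ server cannot be used as a stepping stone into the LAN.
        if dst in INTERNAL_NET:
            return ("DROP", "dmz may not reach lan")
        return ("FORWARD", "ext")
    return ("DROP", "unknown interface")
```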
