[Gllug] Firewalling

Dan Kolb daniel.kolb at corpus-christi.oxford.ac.uk
Thu Aug 23 13:39:12 UTC 2001


On Thu, 23 Aug 2001, Daniel Fairs wrote:

> Sure, the publicly accessible servers need 'real' IP addresses. However, is
> there any reason to give the NIC for the DMZ a public IP, as it will have a
> public NIC anyway? So, to conclude, the 'internal' NIC and the DMZ NIC
> should be DHCP'd, the external NIC should have a real IP, and the machines
> in the DMZ should (of course) have a real IP. Correct?

Not quite. The machines in the DMZ (including the firewall) need to be on
the same subnet, otherwise they can't communicate with each other.

Let's say, for the sake of example, that your internal network is
192.168.0.*, and your ISP has given you IP addresses 1.1.1.0 to 1.1.1.8
(subnet mask 255.255.255.248). Now, .0 and .8 are unusable (network and
broadcast addresses respectively). So, give your card plugged into the
ADSL connection an IP address of 1.1.1.1. Give your card plugged into
your internal network an IP address of 192.168.0.1, and set it up for
masquerading. Now give your DMZ network card an IP address of 1.1.1.2, and
your DMZ machines IP addresses between 1.1.1.3 and 1.1.1.7, setting their
default routes to 1.1.1.2. Then you need to set up your firewall so that
any packets destined for 1.1.1.[3-7] get forwarded to the DMZ network
card, and any from those IP addresses get forwarded to your external card,
with appropriate firewalling rules.

Sorry if it hasn't made it any clearer, or if it's complete crap. I hope
it's not :-)

Dan
-- 
dankolb at ox.compsoc.net

--I reserve the right to be completely wrong about any comments or 
  opinions expressed; don't trust everything you read above--


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
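The address plan and forwarding arrangement described in the message above, as an added example in Python; it is not part of the original post or of anything the GLLUG list published. It takes the ISP block with mask 255.255.255.248 and derives the network, broadcast and usable addresses with the standard ipaddress module rather than hard-coding them (for 1.1.1.0/29 the broadcast address is 1.1.1.7, so the addresses left for DMZ machines are 1.1.1.3 to 1.1.1.6), then emits the sysctl, ip and iptables commands for a Linux three-legged firewall. The interface names eth0/eth1/eth2, the published ports, and the use of proxy ARP plus per-host routes (required because the DMZ card shares the public /29 with the external card) are assumptions; the script prints the commands and does not execute them.

```python
#!/usr/bin/env python3
"""Address plan and rule generator for an external / internal / DMZ firewall.
Added example, not code from the original post.  All inputs are constructed."""
import ipaddress

# Constructed inputs (assumptions): the ISP block with the mask from the post,
# the internal RFC 1918 range, and the interface names of the three legs.
ISP_BLOCK = ipaddress.ip_network("1.1.1.0/255.255.255.248")   # i.e. a /29
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")
EXT_IF, INT_IF, DMZ_IF = "eth0", "eth1", "eth2"
# TCP ports each DMZ machine publishes (assumed), keyed by position in the
# DMZ host list: host 0 is the first address after the DMZ NIC, and so on.
PUBLISHED = {0: (25, 80), 1: (80, 443)}


def address_plan(block):
    """First usable address -> external NIC, second -> DMZ NIC, the rest ->
    DMZ machines.  hosts() already excludes the network and broadcast
    addresses, so neither can be handed out by mistake."""
    hosts = list(block.hosts())
    if len(hosts) < 3:
        raise ValueError(f"{block} leaves no usable address for DMZ machines")
    return {
        "network": block.network_address,
        "broadcast": block.broadcast_address,
        "external_nic": hosts[0],
        "dmz_nic": hosts[1],
        "dmz_hosts": hosts[2:],
    }


def firewall_commands(plan, block, internal_net, published):
    """Return the shell commands implementing the plan.  Because the DMZ NIC
    sits in the same public subnet as the external NIC, the firewall answers
    ARP for the DMZ machines on the outside (proxy ARP) and steers their
    traffic with /32 host routes through the DMZ interface."""
    prefix = block.prefixlen
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        f"sysctl -w net.ipv4.conf.{EXT_IF}.proxy_arp=1",
        f"sysctl -w net.ipv4.conf.{DMZ_IF}.proxy_arp=1",
        f"ip addr add {plan['external_nic']}/{prefix} dev {EXT_IF}",
        f"ip addr add {plan['dmz_nic']}/{prefix} dev {DMZ_IF}",
        f"ip addr add {next(internal_net.hosts())}/{internal_net.prefixlen} dev {INT_IF}",
    ]
    # Packets for the DMZ addresses must leave via the DMZ card, not eth0.
    cmds += [f"ip route add {h}/32 dev {DMZ_IF}" for h in plan["dmz_hosts"]]

    cmds += [
        "iptables -F",
        "iptables -t nat -F",
        "iptables -P FORWARD DROP",
        # Anti-spoofing: nothing arriving from the Internet may carry a private
        # source address or one of our own public addresses.
        f"iptables -A FORWARD -i {EXT_IF} -s {internal_net} -j DROP",
        f"iptables -A FORWARD -i {EXT_IF} -s {block} -j DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # Internal LAN may reach the Internet (masqueraded) and the DMZ.
        f"iptables -A FORWARD -i {INT_IF} -o {EXT_IF} -s {internal_net} -j ACCEPT",
        f"iptables -A FORWARD -i {INT_IF} -o {DMZ_IF} -s {internal_net} -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {EXT_IF} -s {internal_net} -j MASQUERADE",
        # DMZ machines go out with their real addresses; no NAT for them.
        f"iptables -A FORWARD -i {DMZ_IF} -o {EXT_IF} -s {block} -j ACCEPT",
        # A compromised DMZ machine must not get a foothold in the LAN.
        f"iptables -A FORWARD -i {DMZ_IF} -o {INT_IF} -j DROP",
    ]
    # Internet -> DMZ only for new connections to each host's published ports.
    for idx, ports in published.items():
        host = plan["dmz_hosts"][idx]
        for port in ports:
            cmds.append(
                f"iptables -A FORWARD -i {EXT_IF} -o {DMZ_IF} -d {host} "
                f"-p tcp --dport {port} -m state --state NEW -j ACCEPT"
            )
    return cmds


if __name__ == "__main__":
    plan = address_plan(ISP_BLOCK)
    for role in ("network", "broadcast", "external_nic", "dmz_nic"):
        print(f"# {role:<13} {plan[role]}")
    print("# dmz_hosts     " + ", ".join(str(h) for h in plan["dmz_hosts"]))
    print("\n".join(firewall_commands(plan, ISP_BLOCK, INTERNAL_NET, PUBLISHED)))
```

The DMZ machines themselves are configured exactly as the post says: address 1.1.1.x with the same /29 mask and default route 1.1.1.2. Review the printed commands before piping them into a root shell on the firewall; the ESTABLISHED,RELATED rule needs the connection-tracking (state) match, and the MASQUERADE rule deliberately matches only the internal range so DMZ traffic keeps its real source address.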