[Sussex] ipchains help please

Steve Dobson SDobson at manh.com
Fri Feb 28 15:35:02 UTC 2003


Neil

On 28 February 2003 at 14:40 Neil Ford wrote:
> On Fri, 28 Feb 2003 04:12:14 -0500, Steve Dobson wrote:
> > 1). Your ISP has assigned to you a single [dynamic] IP address
> >     for your network. (The configuration for a home user).
> >     If so you cannot have a DMZ; as only one machine on your network
> >     is given an address that the rest of the internet can talk to.
> >     The connection machine must masquerade for all your other
> >     machines.  From other parts of your posting this is what
> >     I will assume.
> 
> Not strictly true.
> 
> IPCop manages quite well to have a DMZ on only one assigned static IP.
> Incoming requests come into the IPCop box and it forwards them onto the
> appropriate machine. Works quite well too. By not allowing machines in
> your DMZ to initiate connections to your private network you keep
> things nice and neat.
> 
> Of course to some, this isn't necessarily what would be classified as a 
> DMZ.

And I would be one of them.  In a "true" DMZ you could have two (or more)
servers providing the same protocol (HTTP for example).  Both would be
visible from the Internet at large.  With a single IP address how would
IPCop (or any router) know which packets go to 10.0.0.1:80 and which go
to 10.0.0.2:80?

My understanding is that IPCop can be used to set up a VPN.  This changes
things because the other end of the VPN is "part" of your network.  The VPN
acts as a private tied line between the two sites.  If you don't trust the
other site then you may well install a DMZ between the VPN link and a
firewall.  The DMZ would then be on a private network.

The original question talked about an ISP not a VPN - so I didn't even
consider this.

> In answer to the original question, dump SuSE and install IPCop, it 
> will make life so much easier.

Why throw the baby out with the bathwater?  Only two bits of an otherwise
working system have to be upgraded: the kernel and iptables.  I don't like a
solution where, when one little problem is encountered, everything has to
change.  What should he do if something that works now on the SuSE box can't
be configured on the IPCop box?  Should he write his own, complete new
solutions?

Steve
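A toy model of the single-address case discussed above, added here as an illustration and not code from this thread, from IPCop or from ipchains/iptables: a DNAT table keyed on the public ip:port (so a second server on the same port has nowhere to go) plus the rule that DMZ hosts may not initiate connections to the private network. The public address 203.0.113.10, the LAN range 192.168.1.x and the client 198.51.100.5 are assumed values.

```python
# Constructed model of a one-public-IP router with port forwarding.
# It is not a real packet filter; it only shows the forwarding logic.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # assumed single ISP-assigned address
DMZ_NET = "10.0.0."          # DMZ hosts from the mail (10.0.0.1, 10.0.0.2)
LAN_NET = "192.168.1."       # assumed private (trusted) network


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP as seen on arrival
    dport: int  # destination port


class SingleIpRouter:
    def __init__(self):
        # (public_ip, port) -> (inside_ip, inside_port); one entry per key
        self.dnat = {}

    def add_forward(self, port, inside_ip, inside_port):
        """Register a port forward. Returns False if the public ip:port
        is already taken: with one address, two servers on port 80
        cannot both be reachable from the Internet."""
        key = (PUBLIC_IP, port)
        if key in self.dnat:
            return False
        self.dnat[key] = (inside_ip, inside_port)
        return True

    @staticmethod
    def zone(ip):
        if ip.startswith(DMZ_NET):
            return "dmz"
        if ip.startswith(LAN_NET):
            return "lan"
        return "internet"

    def route(self, pkt):
        """Return ('FORWARD', ip, port) or ('DROP', reason)."""
        src_zone = self.zone(pkt.src)
        if src_zone == "internet":
            target = self.dnat.get((pkt.dst, pkt.dport))
            if target is None:
                return ("DROP", "no forward for that port")
            return ("FORWARD",) + target
        if src_zone == "dmz" and self.zone(pkt.dst) == "lan":
            # Neil's point: the DMZ must not initiate into the private net
            return ("DROP", "dmz may not initiate to private network")
        return ("FORWARD", pkt.dst, pkt.dport)
```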