[Wolves] Same machine : 2 Nic's -- 1 DMZ 1 LAN

Andy Wootton andy.wootton at wyrley.demon.co.uk
Fri Jan 7 10:45:09 GMT 2005

lists at leejordan.org.uk wrote:

>Guys, Gals, 
>Firewall/Routing/Lan with DMZ. I'm about to get a netgear router to replace my
>smoothie box so I can use that as a file server.
>Question 1: Is it possible to have two NIC's on one server and have eth0 say on
>the internal network and eth1 on a DMZ external facing.
>Question 2: Is that safe and is there any risk of the DMZ getting access to
>other ports, can I port forward from the firewall/router to a specific NIC or
>mac address on the server and if the server has Linux/IPTables can I restrict
>the DMZ NIC to one port only?
>Question 3: is any of that easy without Smoothie as a router?
>I'm on the edge of my knowledge, which usually leads to ideas that never become
>reality, but I'm just curious. I could just get another machine for cheap
>money. I've googled for it, got lots of irrelevant stuff, maybe my bad search.
>Can anyone point me to How To's etc that deal with this specifically? Curious
>idea, interesting, prolly not gonna work, worth a shot.

I found there was better advice on concepts in the OpenBSD docs:
http://www.openbsd.org/faq/pf/ but you'll have to interpret it in terms
of iptables.

Someone pointed out this nice alternative to Smoothwall

I hope no one objects to me talking about BSD in a LUG but I think Unix
is Unix. An Emo Phillips joke comes to mind. (1st one) at

Q1 That is the simplest option and the one I'm going for. My ADSL
router has a basic firewall so I'm considering the bit between that and
the firewall/router to be a pseudo DMZ. A true DMZ requires either two
router/firewalls with two interfaces or one router/firewall with 3
interfaces and very careful configuration. A box on the outside can only
talk to the DMZ. A box on the inside can only talk to the DMZ. This is
typically used for an outward facing web server on the DMZ sucking data
from an internal database.

A very well publicised security breach happened because someone forgot
to delete a test database of credit card numbers from the web server
after the DMZ was implemented.
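Question 2 in the quoted post asks whether iptables can restrict the DMZ NIC of a dual-homed server to a single port. The script below is an added example, not from the thread or either poster, showing one way to do that on the server itself; it assumes eth0 is the LAN side, eth1 the DMZ side, TCP/80 the one DMZ service and TCP/139,445 the LAN-only file-server ports, and with DRY_RUN=1 (the default) it prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: host firewall for a dual-homed server.
# Assumed names: eth0 = LAN side, eth1 = DMZ side, TCP/80 = the single DMZ
# service, TCP/139,445 = the LAN-only file-server ports.
# DRY_RUN=1 (default) prints each command instead of running it.

LAN_IF="${LAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
DMZ_PORT="${DMZ_PORT:-80}"
DRY_RUN="${DRY_RUN:-1}"

# run: echo the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dmz_host_rules: the complete ruleset for the server.
dmz_host_rules() {
    # The box is a server, not a router: never route between its two NICs.
    run sysctl -w net.ipv4.ip_forward=0
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -F INPUT
    run iptables -F FORWARD
    run iptables -A INPUT -i lo -j ACCEPT
    # Replies to connections the server opened itself (e.g. package updates).
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DMZ NIC: exactly one port may receive new connections.
    run iptables -A INPUT -i "$DMZ_IF" -p tcp --dport "$DMZ_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Anything else arriving on the DMZ NIC is logged (rate limited) and dropped.
    run iptables -A INPUT -i "$DMZ_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "DMZ-DROP: "
    run iptables -A INPUT -i "$DMZ_IF" -j DROP
    # LAN NIC: the file-server ports, reachable only from inside.
    run iptables -A INPUT -i "$LAN_IF" -p tcp -m multiport --dports 139,445 -j ACCEPT
    # Belt and braces: even if forwarding were turned on, DMZ and LAN stay apart.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -j DROP
}

dmz_host_rules
```

Review the printed rules first, then apply them with `DRY_RUN=0 sh firewall.sh` as root; the log prefix makes any stray DMZ-side probes easy to find in the kernel log.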
