Firstly, I speak as a non-expert who has been wrestling with a similar
problem.
Let us say eth1 is *.*.*.68. It can't be *.*.*.65, because you have
already said that your router is *.65. Then your mailserver is *.66.
If the netmask is 255.255.255.248, then all this subnet (*.64 to *.71)
is routed to eth1. You then have the problem of getting any packets to
eth0, and the router. There is a way of getting unequal subnets, one
within the other, to route correctly but I don't understand it and I
think it needs kernel modification. In any case, the smallest subnet
you can usefully define is 4 IP addresses. I am NOT an expert, but I
don't think there is any way of separately routing just 2 IPs from
within your 8 IP subnet. There is no advantage in defining a 4 IP
subnet within your 8 IP subnet as you only have 4 left anyway. Perhaps
there is a slight advantage, as you would then have *.68 available, but I
don't know how to do it!
I suggest you define two subnets, firstly *.64 to *.67, leaving *.65
and *.66 available for eth0 and your router, subnet mask
255.255.255.252. (64 is network address, 67 broadcast, these are not
available to you). Second subnet is *.68 to *.71, same subnet mask.
Then *.69 can be eth1 and *.70 your mailserver. *.68 and *.71 are now
network & broadcast address for this subnet. This should work, but uses
all your public IP addresses!!
The alternative is to forget eth1 altogether and have the mail server on
the same ethernet segment as eth0 and the router, the subnet mask being
255.255.255.248 as you originally suggested. This is less secure, and
the mail server would have to be protected from the Internet by its own
Iptables (firewall2) setup. But it would leave you with 3 spare IP
addresses on the subnet, for your future servers!
--
Roger Hayter
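The address plan Roger describes above (one /29 block carved into two /30s so the firewall can tell the router side from the DMZ side apart, versus both interfaces carrying the whole /29), worked through with Python's ipaddress module. This is an added example, not code from the thread or from SuSEfirewall2; 192.0.2.64/29 stands in for the poster's real block, whose first three octets are not given, and the interface names and route table are a simplified model of the kernel's connected routes plus a default route, not a copy of any real configuration.

```python
import ipaddress

# Constructed stand-in for the thread's x.x.x.64/29 block (the real first three
# octets are not in the thread; 192.0.2.0/24 is a documentation range).
PUBLIC_BLOCK = ipaddress.ip_network("192.0.2.64/29")


def split_block(block, new_prefix=30):
    """Carve a block into equal smaller subnets, e.g. one /29 into two /30s."""
    return list(block.subnets(new_prefix=new_prefix))


def describe(subnet):
    """Network address, broadcast address and usable host addresses of a subnet."""
    return {
        "network": str(subnet.network_address),
        "broadcast": str(subnet.broadcast_address),
        "usable": [str(h) for h in subnet.hosts()],
    }


def connected_routes(interfaces):
    """Model the connected routes the kernel installs when an address with a
    netmask is configured on an interface: a list of (network, interface) pairs."""
    return [(ipaddress.ip_interface(addr).network, iface) for iface, addr in interfaces]


def ambiguous_routes(table):
    """Networks claimed by more than one interface with the same prefix length.
    A destination inside such a network cannot be chosen by prefix length alone,
    which is the "the whole subnet is routed to one card" problem in the thread."""
    claims = {}
    for net, iface in table:
        claims.setdefault(net, set()).add(iface)
    return {str(net): sorted(ifaces) for net, ifaces in claims.items() if len(ifaces) > 1}


def route_lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# The plan first proposed in the thread: both firewall interfaces carry the whole /29.
OVERLAPPING_PLAN = [("eth0", "192.0.2.67/29"), ("eth1", "192.0.2.68/29")]

# Roger's plan: one /30 facing the ISP router (.65), one /30 facing the DMZ
# mail server (.70), plus a default route out of eth0 towards the router.
SPLIT_PLAN = [("eth0", "192.0.2.66/30"), ("eth1", "192.0.2.69/30")]
DEFAULT_ROUTE = (ipaddress.ip_network("0.0.0.0/0"), "eth0")


def split_plan_table():
    """Full route table for the split plan: two connected /30s and a default route."""
    return connected_routes(SPLIT_PLAN) + [DEFAULT_ROUTE]


if __name__ == "__main__":
    for subnet in split_block(PUBLIC_BLOCK):
        print(subnet, describe(subnet))
    print("overlap in the /29-on-both-cards plan:",
          ambiguous_routes(connected_routes(OVERLAPPING_PLAN)))
    table = split_plan_table()
    for dst in ("192.0.2.65", "192.0.2.70", "198.51.100.1"):
        print(dst, "->", route_lookup(table, dst))
```

Running it shows the cost Roger points out: each /30 spends two of its four addresses on network and broadcast, so the whole /29 is used up, but every destination then maps to exactly one interface, whereas the /29-on-both-cards plan produces two equally specific connected routes for the same network.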
In message <1e8b01c247b3$21ad2a70$0100a8c0@stuwo.fhheilbronn.de>, Andreas Bittner writes:

> I am not very good at these dmz/ip/routing and iptables stuff.. and I simply don't understand what I would have to set for my dmz ip..
> the mailserver is x.x.x.66, I agree I set/leave it like that.. I set x.x.x.67 for example to the external eth0 card that connects to the isp router that has x.x.x.65. eth0 has a mask of 255.255.255.248 right? and what does the DMZ eth1 have? x.x.x.65 for example with same 255.255.255.248 mask? will susefirewall2 give the packets for .66 to that eth1 card? will this all work?
> can anyone help how to set the DMZ ethernet card ip/mask/gateway? isn't anyone using this scenario more frequently?
> thanks again, andy
>
> ----- Original Message -----
> From: "Togan Muftuoglu"
> To:
> Sent: Monday, August 19, 2002 8:25 PM
> Subject: Re: [suse-security] how can i have public IPs in the DMZ with SuSEfirewall2
>
> > * Andreas Bittner; on 19 Aug, 2002 wrote:
> >
> > > hello there,
> > > I read the FAQ but you didn't answer my question... what ip/settings do I give the DMZ ethernet card on my firewall box.. so eth0 is the ip x.x.x.67, my mailserver is currently x.x.x.66 ... and this .66 needs to connect to the dmz ethernet card eth1.... so my question still is what do you need to set to eth1 if you want to use section 13 with susefirewall2 if you have public ip boxes on your dmz ethernet...
> >
> > well if you are just using one ip why don't you use x.x.x.66/32
> >
> > > does iptables translate the addresses or does the susefw2 reroute packets to the dmz ethernet no matter what I set? how is this all working.. this is my question.. I read the FAQs but they didn't explain what to set for the DMZ interface when using public ips from the same subnet on the external eth0 and the dmz eth1...
> >
> > --
> > Togan Muftuoglu
> > Unofficial SuSE FAQ Maintainer
> > http://dinamizm.ath.cx
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here