Setting up firewall with DMZ
Hi All

I'm facing a new situation. A company needs to add a DMZ zone to their current network. Currently there is an ADSL modem with firewall, and a LAN with C-class networking. The ADSL/firewall is visible with IP 192.168.0.254.

Now I would like to connect a SuSEfirewall2 with DMZ between the ADSL/firewall and the LAN, thus enabling a DMZ zone with a web-shop application.

Could someone guide me with subnets, what to choose... I'm a little puzzled here...

I believe the DMZ should have either A or B class..?

Should I change the ADSL also to, for example, A-class, so that I would have first A-class coming inward from the ADSL, then B-class for the DMZ, and C-class for the LAN?

TIA
Jaska.
/ 2004-01-09 15:21:19 +0200 \ Jaakko Tamminen:
> Hi All
> I'm facing a new situation.
> A company needs to add a DMZ zone to their current network.
> Currently there is an ADSL modem with firewall, and a LAN with C-class networking. The ADSL/firewall is visible with IP 192.168.0.254.
> Now I would like to connect a SuSEfirewall2 with DMZ between the ADSL/firewall and the LAN, thus enabling a DMZ zone with a web-shop application.
> Could someone guide me with subnets, what to choose... I'm a little puzzled here...
> I believe the DMZ should have either A or B class..?
> Should I change the ADSL also to, for example, A-class, so that I would have first A-class coming inward from the ADSL, then B-class for the DMZ, and C-class for the LAN?
There is more to IP routing than just A, B, C ...

IIUC, you have now [ LAN: 192.168.0.0/24 ], expecting their default gw at 192.168.0.254, so you could choose to put in your FW: 192.168.0.254 here, and connect it additionally to, for example, your [ DMZ: 192.168.77.0/24 ], as well as, via the third NIC, to your ADSL router, which you could reconfigure to announce itself as 192.168.33.42 ... That way you won't even need to reconfigure your existing LAN clients.

You end up with

    extern-ADSL-intern
              |  192.168.33.42
              `- 192.168.33.1 - SuSE FW - 192.168.77.254
                                   /   \
                      192.168.0.254     DMZ
                          /             \- 192.168.77.1 - server1
                LAN      /              \- 192.168.77.2 - server2
      box1 - 192.168.0.1 -/              \- 192.168.77.3 - server3
      box2 - 192.168.0.2 -/
      box3 - 192.168.0.3 -/

Both DMZ and LAN may be distinct class C networks. You of course can choose otherwise, and use 10.2.4.8/16 for the DMZ, if you like :)

hth,
Lars Ellenberg
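The plan Lars sketches, worked through as an added example (this is not code from the thread, from SuSEfirewall2 or from any of its participants): the three segments and the firewall's address on each are taken from his reply; the interface roles (ext/dmz/lan), the allowed port sets, the sample packets and the `plan_with`/`decide` helpers are assumptions made for illustration. It checks that the three networks do not overlap and that each gateway address sits inside its own segment, then evaluates the zone policy a web-shop DMZ needs, including the one rule that makes the DMZ worth having: a compromised shop server cannot open connections into the LAN.

```python
"""Added example (not code from the original thread or from SuSEfirewall2):
model the three-legged firewall Lars sketches, check that the addressing
plan is consistent, and evaluate a minimal zone policy for the web-shop DMZ.
Interface roles, allowed ports and the sample packets are assumptions."""
import ipaddress
from collections import namedtuple

Zone = namedtuple("Zone", "name net fw_ip")


def zone(name, cidr, fw_ip):
    return Zone(name, ipaddress.ip_network(cidr), ipaddress.ip_address(fw_ip))


# Addressing from the thread: the LAN keeps 192.168.0.254 as its gateway,
# the DMZ and the link to the ADSL router get their own /24 on the other
# two NICs of the SuSE firewall.
ZONES = {
    "ext": zone("ext", "192.168.33.0/24", "192.168.33.1"),
    "dmz": zone("dmz", "192.168.77.0/24", "192.168.77.254"),
    "lan": zone("lan", "192.168.0.0/24", "192.168.0.254"),
}
ADSL_ROUTER = ipaddress.ip_address("192.168.33.42")


def plan_with(name, cidr, fw_ip, zones=ZONES):
    """Return a copy of the plan with one zone replaced (for trying bad plans)."""
    new = dict(zones)
    new[name] = zone(name, cidr, fw_ip)
    return new


def check_plan(zones=ZONES):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    zs = list(zones.values())
    for i, a in enumerate(zs):
        if a.fw_ip not in a.net:
            problems.append(f"{a.name}: firewall address {a.fw_ip} is not inside {a.net}")
        for b in zs[i + 1:]:
            if a.net.overlaps(b.net):
                problems.append(f"{a.name} {a.net} overlaps {b.name} {b.net}")
    if ADSL_ROUTER not in zones["ext"].net:
        problems.append(f"ADSL router {ADSL_ROUTER} is not on the ext link {zones['ext'].net}")
    return problems


def zone_of(ip, zones=ZONES):
    """Map an address to the segment it arrives from or is routed to."""
    ip = ipaddress.ip_address(ip)
    for z in zones.values():
        if ip in z.net:
            return z.name
    return "ext"  # anything not on a local segment is beyond the ADSL router


# Policy for NEW connections only; replies are matched statefully by the
# firewall. The port sets are assumptions for a typical web shop.
ANY = "any"
POLICY = {
    ("ext", "dmz"): {80, 443},      # customers reach the shop, nothing else
    ("lan", "dmz"): {22, 80, 443},  # admins manage the shop from the LAN
    ("lan", "ext"): ANY,            # LAN browses out, masqueraded by the firewall
    ("dmz", "ext"): {80, 443},      # shop may call out, e.g. to a payment gateway
    ("dmz", "lan"): set(),          # a compromised shop must not reach the LAN
    ("ext", "lan"): set(),          # nothing inbound to the LAN
}


def decide(src, dst, dport, zones=ZONES, policy=POLICY):
    """Accept/drop verdict for a new TCP connection src -> dst:dport."""
    s, d = zone_of(src, zones), zone_of(dst, zones)
    if s == d:
        return "not-forwarded"  # same segment, the firewall is not in the path
    allowed = policy.get((s, d), set())
    return "accept" if allowed == ANY or dport in allowed else "drop"


def normalize(cidr):
    """10.2.4.8/16 names a host, not a network; the network is 10.2.0.0/16."""
    return str(ipaddress.ip_network(cidr, strict=False))


if __name__ == "__main__":
    print("plan problems:", check_plan() or "none")
    print("overlapping DMZ:", check_plan(plan_with("dmz", "192.168.0.128/25", "192.168.0.254")))
    for pkt in [("203.0.113.7", "192.168.77.1", 443),   # constructed: customer -> shop
                ("203.0.113.7", "192.168.77.1", 22),    # constructed: scanner -> shop ssh
                ("192.168.77.1", "192.168.0.1", 445)]:  # constructed: shop -> LAN file server
        print(pkt, "->", decide(*pkt))
    print(normalize("10.2.4.8/16"))
```

On the SuSE box the three roles correspond to FW_DEV_EXT, FW_DEV_INT and FW_DEV_DMZ in /etc/sysconfig/SuSEfirewall2, with FW_ROUTE="yes" and FW_MASQUERADE="yes" so that the LAN reaches the Internet through the ADSL router; the ADSL router itself still has to forward ports 80 and 443 to 192.168.33.1 for the shop to be reachable from outside. Whatever the exact configuration, the two things worth re-checking after any later change are the ones the script tests: the segments stay disjoint, and nothing in the DMZ-to-LAN direction is allowed to initiate.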
Hi Lars

Thank you for the answer. I was not sure how to set it up to avoid problems later... This was exactly what I was looking for.

Jaska.