* gabriel rivera wrote on Fri, Jun 15, 2001 at 18:05 -0500:
> SuseFW DMZ nic                  switched to webservers
> IP 10.0.0.1         <=======>   IP 1.2.3.43 to 1.2.3.46
> Mask 255.255.255.0              mask 255.255.255.248
>
> I am assuming that the netmask for the webservers does not change, although they are on a separate physical network from 2 other hosts on their subnet. These are CIDR IPs from my ISP.
In this configuration the firewall would not be able to do even a PING, since both machines are in different networks. You would need, e.g., a 10.0.0.2 alias on the webserver or maybe some host route to the firewall (I'm not sure if you can configure that; maybe you get a "network unreachable" when trying this).
> Also, should the gateway for the servers in the DMZ be the external interface or the DMZ interface of my SuSEfirewall machine?
For DMZ configurations, you have either two firewalls (the DMZ is the network between both firewalls) or a firewall with three network adapters (you have one external, one internal and one DMZ network in this case). Configuration of the second possibility is slightly more difficult, but of course it's cheaper.

If you have, e.g., eight IPs from the leased line, you could request more IPs of course :) You can split your 8-address netblock into two 4-address netblocks, each of which has only two usable IPs. When dropping broadcast (usually not needed) you could use 3 addresses. The lowest IP of the network is usually the network itself. You can use that IP too, if you use host routes only. Then you could configure .0-.7 as:

- Net1: .0-.3, leased line router .1, your firewall .2
- Net2: .4/32 (host route) to webserver
- Net3: .5/32 (host route) to mailserver(?)
- 4: .6
- 5: .7

Behind the firewall you get 4 usable IPs. To make routing work, you could give eth0 and eth1 the same IP (.2) and work via host routes, or use some IPs from 10.x.x.x...

oki,
Steffen

-- 
This message was generated by machine; it therefore bears neither signature nor seal.
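The subnet arithmetic behind Steffen's two replies, as an added example that is not part of the original thread: why 10.0.0.1/24 and 1.2.3.43/29 cannot even ping each other (and why a 10.0.0.2 alias fixes that), how the ISP's eight addresses split into two /30s with two usable hosts each, and the host-route variant in which the first /30 is the transit net to the leased-line router and the remaining addresses are reached through /32 routes. It assumes the ISP block is 1.2.3.40/29 (what mask 255.255.255.248 on .43-.46 implies) and maps Steffen's relative .0-.7 onto .40-.47; the function names, the interface names eth0/eth1 and the iproute2/sysctl lines it renders are my own choices, not anything from the thread or from SuSEfirewall.

```python
"""Subnet checks for the DMZ layout discussed above (added example, not from the thread).

Assumed, not stated in the thread: the ISP block is 1.2.3.40/29, which is what
mask 255.255.255.248 on 1.2.3.43-.46 implies, and Steffen's relative .0-.7
numbering maps onto .40-.47 of that block.
"""
import ipaddress


def same_link(addr_a, addr_b):
    """True if two interfaces (CIDR notation) are on-link to each other,
    i.e. each address falls inside the other's prefix. When this is False
    neither side will ARP for the other and not even ping gets through,
    which is Steffen's objection to 10.0.0.1/24 <-> 1.2.3.43/29."""
    a = ipaddress.ip_interface(addr_a)
    b = ipaddress.ip_interface(addr_b)
    return b.ip in a.network and a.ip in b.network


def split_block(block, new_prefix=30):
    """Split a netblock into equal subnets and report, per subnet, which
    addresses remain usable once the network and broadcast addresses are
    taken out. A /29 split into two /30s leaves two usable hosts in each."""
    net = ipaddress.ip_network(block)
    return [
        {
            "network": str(sub),
            "usable": [str(h) for h in sub.hosts()],
            "broadcast": str(sub.broadcast_address),
        }
        for sub in net.subnets(new_prefix=new_prefix)
    ]


def hostroute_plan(block, router_ip, fw_ip, servers):
    """Host-route variant: the first /30 is the transit net between the
    leased-line router and the firewall; every other address of the block
    (including what would have been the second /30's network and broadcast)
    is reached via a /32 host route through the firewall.
    Returns (routes, spare): routes is a list of (prefix, name), spare the
    addresses behind the firewall that are still free."""
    net = ipaddress.ip_network(block)
    transit = next(net.subnets(new_prefix=30))
    router, fw = ipaddress.ip_address(router_ip), ipaddress.ip_address(fw_ip)
    if not {router, fw} <= set(transit.hosts()):
        raise ValueError("router and firewall must be the usable hosts of %s" % transit)
    behind = [a for a in net if a not in transit]
    assigned = {}
    for name, ip in servers.items():
        addr = ipaddress.ip_address(ip)
        if addr not in behind:
            raise ValueError("%s: %s is not behind the firewall" % (name, ip))
        if addr in assigned:
            raise ValueError("%s already used by %s" % (ip, assigned[addr]))
        assigned[addr] = name
    routes = [("%s/32" % addr, name) for addr, name in assigned.items()]
    spare = [str(a) for a in behind if a not in assigned]
    return routes, spare


def linux_commands(fw_ip, transit_prefix, routes, ext_if="eth0", dmz_if="eth1"):
    """Render the firewall-side setup as iproute2/sysctl commands (my rendering;
    the interface names and the proxy_arp line are assumptions). The firewall
    carries the same address on both nics, as Steffen suggests. Proxy ARP on
    the outside nic is needed because the router still believes the whole /29
    is on-link and will ARP for the server addresses itself."""
    cmds = [
        "ip addr add %s/%d dev %s" % (fw_ip, transit_prefix, ext_if),
        "ip addr add %s/32 dev %s" % (fw_ip, dmz_if),
        "sysctl -w net.ipv4.conf.%s.proxy_arp=1" % ext_if,
        "sysctl -w net.ipv4.ip_forward=1",
    ]
    cmds += ["ip route add %s dev %s  # %s" % (prefix, dmz_if, name)
             for prefix, name in routes]
    return cmds


if __name__ == "__main__":
    print("10.0.0.1/24 <-> 1.2.3.43/29 on-link:", same_link("10.0.0.1/24", "1.2.3.43/29"))
    print("with 10.0.0.2 alias on-link:", same_link("10.0.0.1/24", "10.0.0.2/24"))
    for sub in split_block("1.2.3.40/29"):
        print(sub)
    routes, spare = hostroute_plan("1.2.3.40/29", "1.2.3.41", "1.2.3.42",
                                   {"webserver": "1.2.3.44", "mailserver": "1.2.3.45"})
    print(routes, spare)
    print("\n".join(linux_commands("1.2.3.42", 30, routes)))
```

The server side of the host-route layout is not rendered: each server would carry its address as a /32 plus a host route to the firewall's .42 and a default route via it, since with a /32 it has no on-link prefix of its own.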