Read Marc's FAQ in SuSEfirewall documentation
Q: I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let
people on the internet access my pages?
A: Same principle as above. Let's say your web server has got an official
IP address of 1.1.1.1 which you received from your ISP. You would just
configure FW_FORWARD_TCP like this:
FW_FORWARD="0/0,1.1.1.1,tcp,80"
----- Original Message -----
From: "Marco Maier"
Hello everybody.
I've been using the suse-firewall for quite a long time to protect our internal computers and to use masquerading. Now I have been asked to integrate a WEB-server which will be seen from the Internet.
My actual config is the following:
INET1   INET2
  |       |
  SUSEFIREWALL
       |
Internal Network

INET1 is a cheap flatrate used by us just to surf the Internet. This line does not have a dedicated IP. INET2 is an expensive line with 14 official IPs.
The default-route is set to INET1. Just some very specific routes are set to INET2 in order to pass some trusted firewalls.
Now I have two possibilities to realize my plans:
--------------------------------------------------------------------------
The first one is a cheap non secure solution, so I don't want to use this one:
INET1   INET2
  |       |
  |       |---------------- WEB-SERVER
  |       |
  SUSEFIREWALL
       |
Internal Network

This would work, if I would set the default-route on the WEBsrv to the INET2-Router.
--------------------------------------------------------------------------
The second one, which appears to be correct:
INET1   INET2
  |       |
  SUSEFIREWALL--------------- WEB-SERVER (in a DMZ)
       |
Internal Network

But here I have some general problems to which I haven't found any solution yet.
Which Network/Subnetmask must I use for the DMZ?
- Must I use the same as my official IP-Range given by my provider?
- Or must I split the official Range in two different subnets, so that I can route all IP-Traffic? I can split the 255.255.255.240 into 2 * 255.255.255.248.
- Or must I just use another private IP-Range for my DMZ? In this case must I give my eth0 (on Inet2) several official IPs? One for each server in the DMZ?
What about the route-settings? When the answer of the WEBsrv comes back to the firewall, it would go out to the Internet by the default-route on INET1 and not on INET2!
Has somebody already realized a similar firewall? Thank you very much for all kinds of advice.
Marco Maier