On Mon, 01 May 2000, Jack Zimmermann wrote:
I have a problem with setting up a firewall. I have three ethernet cards in my firewall and have set up the internal LAN and the external WAN, and everything works OK. But when I try to set up the DMZ I cannot connect to anything on the WAN from the firewall machine or the internal network. The firewall has a real IP number, for this example let's say 213.212.8.1, and I have set the web server on the DMZ to 213.212.8.2. The internal LAN is set to a private IP number series, 192.168.1.1-254. Should the machines on the DMZ use real IP numbers? Any tip on how to set it up?
First, I'm going to make a couple statements about your setup. Information you didn't give us, but I am fairly confident of from what you say. If I miss on those, then there is something I didn't expect and am not aware of going on... one such option would be that your ISP is using switches rather than routers, which will affect the IP address dynamics but I don't know exactly how... correct me where I'm wrong and maybe someone can figure it out.

(Or, alternatively, you were given ONE fixed IP address and are nonetheless trying to use TWO. This won't work, or if it does, you can't rely on it to work for long. Stop it. Of the options I use below, choose option 1.)

Statements.

1. You were assigned addresses 1-5. Your ISP gave you a default router of 6. (I'm skipping the first three bytes of the addresses.)

2. Your netmask is 255.255.255.248.

If that's true, you have four options:

Option 1. Use IP forwarding and assign your DMZ another private network.

Option 2. Configure your firewall machine to act as a bridge, rather than a router, between the WAN and the DMZ. I don't know how to do this, or even if the software is readily available.

Option 3. If you have a concentrator between the WAN and your firewall, or a crossover ethernet cable that you could replace with a pair of standard cables and a concentrator, you can move boxes from your DMZ to the WAN side.

Option 4. Change your netmask to 255.255.255.252. Move the WAN card in your firewall to address 5. Move the DMZ card in your firewall to address 1 or 2, and move your DMZ server (you only get one) to the other one of those two addresses. Make sure that the firewall is the default router for the machine in the DMZ and all machines on your local private network.

Now if you are being extravagant, your ISP might have given you a block of 13 addresses with a netmask ending with 240. In which case the router would be address 14.
You can subnet with a netmask of 248, giving blocks of 1-6 and 9-14, the latter including the ISP's router. That lets you have five machines in your DMZ, and - if your hardware supports it - three more machines on the WAN side of your firewall. And of course larger blocks can be dealt with along the same pattern.
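As an added worked example (not part of the thread, and not code from either poster), the following Python script uses the standard library's ipaddress module to compute the address plans the reply describes: the usable hosts in the assigned /29 (netmask .248), the option 4 renumbering into two /30s (netmask .252), and the /28 (netmask .240) case split into two /29s. It also checks a plan the way the reply's option 4 requires: the WAN and DMZ subnets must not overlap, each host must be a usable address inside its own subnet, and the ISP router must sit on the WAN side. The 213.212.8.x addresses are taken from the thread; the plan dictionaries, the function names and the reading of the original setup as "the same /29 on both sides of the firewall" are my assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example values using the thread's 213.212.8.x prefix (hypothetical).
ASSIGNED_BLOCK = "213.212.8.0/29"   # netmask 255.255.255.248: addresses 1-6 usable
ISP_ROUTER = "213.212.8.6"          # the reply assumes the ISP's default router is .6


def usable_hosts(block):
    """Host addresses of a block, excluding the network and broadcast addresses."""
    return [str(h) for h in ip_network(block).hosts()]


def split_block(block, new_prefix):
    """Split a block into equal subnets of the given prefix length (e.g. a /29 into two /30s)."""
    return [str(s) for s in ip_network(block).subnets(new_prefix=new_prefix)]


def is_host_in(addr, subnet):
    """True when addr is a usable host address inside subnet (not network or broadcast)."""
    net = ip_network(subnet)
    a = ip_address(addr)
    return a in net and a not in (net.network_address, net.broadcast_address)


def check_plan(plan):
    """Validate a routed-DMZ plan of the shape the reply's option 4 describes.

    Returns a list of problems; an empty list means the plan is consistent:
    WAN and DMZ subnets do not overlap, every host is a usable address in its
    own subnet, and no address is assigned twice.
    """
    problems = []
    wan, dmz = ip_network(plan["wan_subnet"]), ip_network(plan["dmz_subnet"])
    if wan.overlaps(dmz):
        problems.append("WAN and DMZ subnets overlap; the firewall cannot route between them")
    for side in ("wan", "dmz"):
        subnet = plan[f"{side}_subnet"]
        for name, addr in plan[f"{side}_hosts"].items():
            if not is_host_in(addr, subnet):
                problems.append(f"{name} ({addr}) is not a usable host in {subnet}")
    used = list(plan["wan_hosts"].values()) + list(plan["dmz_hosts"].values())
    if len(used) != len(set(used)):
        problems.append("an address is assigned twice")
    return problems


# Option 4 from the reply: renumber the /29 as two /30s (netmask 255.255.255.252).
OPTION4 = {
    "wan_subnet": "213.212.8.4/30",
    "wan_hosts": {"firewall-wan": "213.212.8.5", "isp-router": ISP_ROUTER},
    "dmz_subnet": "213.212.8.0/30",
    "dmz_hosts": {"firewall-dmz": "213.212.8.1", "dmz-server": "213.212.8.2"},
}

# The original poster's addressing as I read it: one /29 on both sides of the firewall.
SAME_BLOCK_BOTH_SIDES = {
    "wan_subnet": ASSIGNED_BLOCK,
    "wan_hosts": {"firewall-wan": "213.212.8.1", "isp-router": ISP_ROUTER},
    "dmz_subnet": ASSIGNED_BLOCK,
    "dmz_hosts": {"dmz-server": "213.212.8.2"},
}


def larger_block_plan(block="213.212.8.0/28", router="213.212.8.14"):
    """For a /28 (netmask .240), split it into /29s and put the router's half on the WAN side."""
    halves = split_block(block, 29)
    wan_half = next(h for h in halves if is_host_in(router, h))
    dmz_half = next(h for h in halves if h != wan_half)
    return {"wan_subnet": wan_half, "dmz_subnet": dmz_half}


if __name__ == "__main__":
    print("usable in assigned /29:", usable_hosts(ASSIGNED_BLOCK))
    print("/29 split into /30s:", split_block(ASSIGNED_BLOCK, 30))
    print("option 4 problems:", check_plan(OPTION4) or "none")
    print("same block both sides:", check_plan(SAME_BLOCK_BOTH_SIDES))
    print("/28 case:", larger_block_plan())
```

Running it shows the /29 yields hosts .1 through .6, the option 4 plan passes every check, the single-block setup fails on subnet overlap, and the /28 splits into 213.212.8.0/29 for the DMZ and 213.212.8.8/29 (which contains the router at .14) for the WAN side.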