Re: [SLE] firewalls 2 and DMZ
- From: warrl@xxxxxxxxx (Don Edwards)
- Date: Mon, 1 May 2000 22:18:20 -0700
- Message-id: <00050122582602.02363@warrl>
On Mon, 01 May 2000, Jack Zimmermann wrote:
> I have a problem with setting up a firewall. I have three ethernet cards in my
> firewall and have set up the internal LAN and the external WAN and everything
> works OK. But when I try to set up the DMZ I cannot connect to anything on the WAN
> from the firewall machine or the internal network. The firewall has a real IP
> number, for this example let's say 184.108.40.206, and I have set the webserver on
> the DMZ to 220.127.116.11. The internal LAN is set to a private IP number series,
> 192.168.1.1-254. Should the machines on the DMZ use real IP numbers? Any tip
> on how to set it up?
First, I'm going to make a couple of statements about your setup: information you didn't give us, but which I am fairly confident of from what you say. If I miss on those, then there is something I didn't expect and am not aware of going on... one such option would be that your ISP is using switches rather than routers, which will affect the IP address dynamics, but I don't know exactly how... correct me where I'm wrong and maybe someone can figure it out.

(Or, alternatively, you were given ONE fixed IP address and are nonetheless trying to use TWO. This won't work, or if it does, you can't rely on it to work for long. Stop it. Of the options I list below, choose option 1.)
1. You were assigned addresses 1-5. Your ISP gave you a default router of 6. (I'm skipping the first three bytes of the addresses.)
2. Your netmask is 255.255.255.248.
If that's true, you have four options:

Option 1. Use IP forwarding and assign your DMZ another private

Option 2. Configure your firewall machine to act as a bridge, rather than a router, between the WAN and the DMZ. I don't know how to do this, or even if the software is readily available.

Option 3. If you have a concentrator between the WAN and your firewall, or a crossover ethernet cable that you could replace with a pair of standard cables and a concentrator, you can move boxes from your DMZ to the WAN side.

Option 4. Change your netmask to 255.255.255.252. Move the WAN card in your firewall to address 5. Move the DMZ card in your firewall to address 1 or 2, and move your DMZ server (you only get one) to the other one of those two addresses. Make sure that the firewall is the default router for the machine in the DMZ and all machines on your local private network.
Now if you are being extravagant, your ISP might have given you a block of 13 addresses with a netmask ending with 240. In which case the router would be address 14. You can subnet with a netmask of 248, giving blocks of 1-6 and 9-14, the latter including the ISP's router. That lets you have five machines in your DMZ, and - if your hardware supports it - three more machines on the WAN side of

And of course larger blocks can be dealt with along the same pattern.
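The subnet arithmetic behind Option 4 and the 13-address case, as an added worked example that is not part of this thread: it splits the assigned block with Python's `ipaddress` module and checks that the WAN card shares a subnet with the ISP's router while the DMZ card and DMZ server sit in a different one. The `192.0.2` prefix is a constructed placeholder for the first three octets the poster omitted.

```python
import ipaddress


def subnet_plan(base_net, new_prefix):
    """Split base_net into /new_prefix subnets.

    Returns a list of (subnet, first usable last octet, last usable last
    octet), i.e. the "blocks of 1-6 and 9-14" style ranges from the mail.
    """
    net = ipaddress.ip_network(base_net, strict=True)
    plan = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        plan.append((str(sub), int(hosts[0]) & 0xFF, int(hosts[-1]) & 0xFF))
    return plan


def layout_is_routable(wan_if, isp_router, dmz_if, dmz_host, prefix):
    """True when the firewall's WAN card and the ISP router are in one subnet,
    the firewall's DMZ card and the DMZ server are in another, and the two
    subnets differ. If both firewall cards land in the same subnet, the
    firewall cannot route between them, which is the original complaint."""
    wan = ipaddress.ip_interface(f"{wan_if}/{prefix}")
    dmz = ipaddress.ip_interface(f"{dmz_if}/{prefix}")
    return (ipaddress.ip_address(isp_router) in wan.network
            and ipaddress.ip_address(dmz_host) in dmz.network
            and wan.network != dmz.network)


if __name__ == "__main__":
    # Constructed block: the poster's addresses 1-5 with router 6 under a
    # 255.255.255.248 (/29) netmask, prefix 192.0.2 assumed for illustration.
    print("Option 4, /29 split into /30s:", subnet_plan("192.0.2.0/29", 30))
    print("13-address block, /28 split into /29s:",
          subnet_plan("192.0.2.0/28", 29))
    # Original setup: both firewall cards inside the same /29 -> not routable.
    print("original /29 layout routable:",
          layout_is_routable("192.0.2.1", "192.0.2.6",
                             "192.0.2.2", "192.0.2.3", 29))
    # Option 4: WAN card at 5 (router at 6), DMZ card at 1, server at 2, /30.
    print("option 4 /30 layout routable:",
          layout_is_routable("192.0.2.5", "192.0.2.6",
                             "192.0.2.1", "192.0.2.2", 30))
```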