Hello everybody.

I have been using the suse-firewall for quite a long time to protect our internal computers and to use masquerading. Now I have been asked to integrate a WEB-server which will be seen from the Internet.

My actual config is the following:

    INET1   INET2
      |       |
    SUSEFIREWALL
         |
    Internal Network

INET1 is a cheap flatrate used by us just to surf on the Internet. This line does not have a dedicated IP.
INET2 is an expensive line with 14 official IPs.
The default-route is set to INET1.
Just some very specific routes are set to INET2 in order to pass some trusted firewalls.

Now I have two possibilities to realize my plans:

----------------------------------------------------------------------------

The first one is a cheap non-secure solution, so I don't want to use this one:

    INET1   INET2
      |       |
      |       |---------------- WEB-SERVER
      |       |
    SUSEFIREWALL
         |
    Internal Network

This would work if I set the default-route on the WEBsrv to the INET2-Router.

----------------------------------------------------------------------------

The second one, which appears to be correct:

    INET1   INET2
      |       |
    SUSEFIREWALL--------------- WEB-SERVER (in a DMZ)
         |
    Internal Network

But here I have some general problems to which I haven't found any solution yet.

Which Network/Subnetmask must I use for the DMZ?
- Must I use the same as my official IP-Range given by my provider?
- Or must I split the official Range in two different subnets, so that I can route all IP-Traffic? I can split the 255.255.255.240 into 2 * 255.255.255.248.
- Or must I just use another private IP-Range for my DMZ? In this case must I give my eth0 (on Inet2) several official IPs? One for each server in the DMZ?

What about the route-settings?
When the answer of the WEBsrv comes back to the firewall, it would go out to the Internet by the default-route on INET1 and not on INET2!

Has somebody already realized a similar firewall?

Thank you very much for all kinds of advice.

Marco Maier