Hello everybody.

I have been using the SuSE firewall for quite a long time to protect our internal computers and to use masquerading. Now I have been asked to integrate a web server that will be seen from the Internet.

My current config is the following:

    INET1   INET2
      |       |
      SUSEFIREWALL
          |
    Internal Network

INET1 is a cheap flat rate used by us just to surf the Internet. This line does not have a dedicated IP. INET2 is an expensive line with 14 official IPs.

The default route is set to INET1. Just some very specific routes are set to INET2 in order to pass some trusted firewalls.

Now I have two possibilities to realize my plans:

----------------------------------------------------------------------------

The first one is a cheap, non-secure solution, so I don't want to use this one:

    INET1   INET2
      |       |
      |       |---------------- WEB-SERVER
      |       |
      SUSEFIREWALL
          |
    Internal Network

This would work if I set the default route on the web server to the INET2 router.

----------------------------------------------------------------------------

The second one, which appears to be correct:

    INET1   INET2
      |       |
      SUSEFIREWALL--------------- WEB-SERVER (in a DMZ)
          |
    Internal Network

But here I have some general problems to which I haven't found any solution yet.

Which network/subnet mask must I use for the DMZ?
- Must I use the same as my official IP range given by my provider?
- Or must I split the official range into two different subnets, so that I can route all IP traffic? I can split the 255.255.255.240 into 2 * 255.255.255.248.
- Or must I just use another private IP range for my DMZ? In this case, must I give my eth0 (on INET2) several official IPs? One for each server in the DMZ?

What about the route settings? When the answer of the web server comes back to the firewall, it would go out to the Internet by the default route on INET1 and not on INET2!

Has somebody already realized a similar firewall? Thank you very much for all kinds of advice.

Marco Maier
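The return-path problem raised in the post above (replies from the DMZ host following the main default route out of INET1) is what Linux policy routing is for: a rule that sends everything sourced from the DMZ's official addresses through a dedicated routing table whose default route points at the INET2 router. The script below is an added example and not part of the original post or of SuSEfirewall; it only emits the iproute2 commands so they can be reviewed before being run as root. The /28 split into two /29s is the one the post mentions; the documentation range 192.0.2.0/28, the INET2 router 192.0.2.1, the interface name eth0 and table number 200 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): split the official /28 into the
# two /29s the post mentions and emit the policy-routing commands that force
# traffic sourced from the DMZ half to leave via the INET2 router.
# 192.0.2.0/28, gateway 192.0.2.1, eth0 and table 200 are assumptions.

# Split a /28 (255.255.255.240) network into its two /29 halves.
# Input: the /28 network address, e.g. 192.0.2.0. Output: "lower/29 upper/29".
# Returns 1 if the last octet is not a number below 256.
split_28() {
    net=$1
    prefix=${net%.*}
    last=${net##*.}
    case $last in ''|*[!0-9]*) return 1 ;; esac
    [ "$last" -lt 256 ] || return 1
    # A /28 starts on a multiple of 16; the upper /29 starts 8 above it.
    base=$(( last & ~15 ))
    printf '%s.%d/29 %s.%d/29\n' "$prefix" "$base" "$prefix" $(( base + 8 ))
}

# Emit the iproute2 commands that route everything *sourced from* the DMZ
# network via the INET2 router, regardless of the main table's default route
# (which in the post points at INET1). Nothing is executed here.
return_route_cmds() {
    dmz_net=$1        # DMZ half of the official range, e.g. 192.0.2.8/29
    inet2_gw=$2       # ISP router on the INET2 line, e.g. 192.0.2.1
    inet2_dev=$3      # firewall interface facing INET2, e.g. eth0
    table=${4:-200}   # dedicated routing table (assumed unused)
    # Table with its own default route towards INET2 ...
    printf 'ip route add default via %s dev %s table %s\n' \
        "$inet2_gw" "$inet2_dev" "$table"
    # ... consulted for packets whose source is in the DMZ range, i.e. the
    # web server's replies forwarded by the firewall.
    printf 'ip rule add from %s lookup %s\n' "$dmz_net" "$table"
}

# Usage: show the split and the commands for the DMZ (upper) half.
halves=$(split_28 192.0.2.0)
inet2_half=${halves%% *}
dmz_half=${halves##* }
echo "# INET2 segment: $inet2_half   DMZ segment: $dmz_half"
return_route_cmds "$dmz_half" 192.0.2.1 eth0
```

Two caveats the commands do not solve by themselves: the ISP router still believes the whole /28 is on its wire, so the DMZ /29 behind the firewall is only reachable if the ISP adds a route for it via the firewall's INET2 address or the firewall answers ARP for those addresses (proxy ARP); and the rule must be re-created at boot, since `ip rule` and extra tables are not persistent.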
Read Marc's FAQ in the SuSEfirewall documentation:

Q: I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let people on the internet access my pages?

A: Same principle as above. Let's say your web server has got an official IP address of 1.1.1.1 which you received from your ISP. You would just configure FW_FORWARD_TCP like this:

FW_FORWARD="0/0,1.1.1.1,tcp,80"

----- Original Message -----
From: "Marco Maier" <mmaier@blue-tec.net>
To: <suse-security@suse.com>
Sent: Saturday, November 03, 2001 4:08 AM
Subject: [suse-security] Susefirewall and DMZ
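What the one-line FW_FORWARD entry from the FAQ amounts to, as an added example that is not code from the FAQ, from SuSEfirewall2 or from either poster: the web server keeps its own official address, so the entry is routed forwarding with no NAT, and the firewall needs exactly two FORWARD rules, one admitting new connections from the outside to that single host and port, one admitting only the replies back out. The script parses the "source,destination,protocol,port" format and emits those iptables commands, refusing malformed entries so that a typo cannot open more than intended. The interface names (eth0 facing the Internet, eth2 facing the DMZ), the documentation address 192.0.2.10 standing in for the FAQ's 1.1.1.1, and the use of the conntrack match are assumptions.

```shell
#!/bin/sh
# Added example; not code from the FAQ or from SuSEfirewall2. Expands a routed
# FW_FORWARD entry ("source,destination,protocol,port") into the iptables
# FORWARD rules that let a DMZ host with its own official address be reached
# from the Internet without NAT. eth0 (external), eth2 (DMZ), 192.0.2.10 and
# the conntrack match are assumptions for illustration.

# Emit the iptables commands for one FW_FORWARD entry.
# Prints nothing and returns 1 if the entry is malformed.
fw_forward_rules() {
    entry=$1; ext_dev=$2; dmz_dev=$3
    # Split the comma-separated entry into its four fields.
    src=${entry%%,*};   rest=${entry#*,}
    dst=${rest%%,*};    rest=${rest#*,}
    proto=${rest%%,*};  port=${rest#*,}
    # Reject entries that do not have exactly four fields.
    [ "$entry" = "$src,$dst,$proto,$port" ] || return 1
    # Only TCP and UDP carry a port; reject anything else.
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    # The port must be a number in 1..65535.
    case $port in ''|*[!0-9]*) return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then return 1; fi
    # "0/0" in SuSEfirewall2 notation means "any source".
    if [ "$src" = "0/0" ]; then src=0.0.0.0/0; fi
    # Inbound: new connections only to the one DMZ host on the one port.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$ext_dev" "$dmz_dev" "$src" "$dst" "$proto" "$port"
    # Return path: replies only. The DMZ host cannot open connections outward
    # through this rule, which is what keeps a compromised web server contained.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -p %s --sport %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' \
        "$dmz_dev" "$ext_dev" "$dst" "$proto" "$port"
}

# Usage: the FAQ's entry, with a documentation address in place of 1.1.1.1.
fw_forward_rules "0/0,192.0.2.10,tcp,80" eth0 eth2
```

The rules assume the FORWARD chain's policy is DROP, as it is on a SuSEfirewall2 host; on a box with an ACCEPT policy they add nothing and the DMZ would be wide open regardless of the entry.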