Hello all,

I want to use the following Internet topology:

Internet
|
eth0 62.153.xxx.190/255.255.255.192
Router outside
eth1 (internal DMZ) 62.153.xxx.134/255.255.255.224
|
Mailserver (all Server in the DMZ should have official IP's like above eth1 (internal DMZ interface)
|
DNS-Server
|
WWW-Server
|
eth0 62.153.xxx.133/255.255.255.224) to DMZ
Router inside/Firewall
eth0 (local Lan) 192.168.2.29
|
|
Local Network (official IPs)

It's only an idea of mine. Is it possible to set up the DMZ like this? I have an IP range of 64 addresses (network 62.153.xxx.128/255.255.255.192). Outside of the DMZ there are more WWW servers; only one of these should be in the DMZ, because some special software is running on this host. If I try it like this, I have problems with the routing: the DMZ is pingable from the "Router outside", but I can't reach the Internet from this router.

Perhaps some people can help me set up the routing correctly and perhaps could tell (explain) me the mistakes I make!

Thanks a lot

Greetings, Ralf
Hi Ralf,

I would set up the network like this:

* 1 router/firewall with 3 network cards: one for external, one for DMZ and one for internal.
* Give the internal net private IPs and masquerade them.
* Let the firewall control access to your DMZ by denying everything you don't need for the special kind of server you have.
* If you'd like even more security, then you could still place another firewall (I'd use a different OS on this one) between your outside firewall and your internal network (if that's what you intended with your solution).

This is how I'd do it.

Greetings, Ralf Ronneburger

Ralf Freisinger wrote:
Hello all,

I want to use the following Internet topology:

Internet
|
eth0 62.153.xxx.190/255.255.255.192
Router outside
eth1 (internal DMZ) 62.153.xxx.134/255.255.255.224
|
Mailserver (all Server in the DMZ should have official IP's like above eth1 (internal DMZ interface)
|
DNS-Server
|
WWW-Server
|
eth0 62.153.xxx.133/255.255.255.224) to DMZ
Router inside/Firewall
eth0 (local Lan) 192.168.2.29
|
|
Local Network (official IPs)

It's only an idea of mine. Is it possible to set up the DMZ like this? I have an IP range of 64 addresses (network 62.153.xxx.128/255.255.255.192). Outside of the DMZ there are more WWW servers; only one of these should be in the DMZ, because some special software is running on this host. If I try it like this, I have problems with the routing: the DMZ is pingable from the "Router outside", but I can't reach the Internet from this router.

Perhaps some people can help me set up the routing correctly and perhaps could tell (explain) me the mistakes I make!

Thanks a lot

Greetings, Ralf
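
The masks quoted in the thread can be checked mechanically. The following is an added example, not part of either post: it tests whether the "Router outside" interfaces as posted have overlapping connected networks, and shows one non-overlapping split of the 64-address block. The 192.0.2.x prefix is a constructed stand-in for the elided 62.153.xxx, the function names are hypothetical, and the split assumes the upstream gateway sits in the upper half of the block.

```python
import ipaddress
from itertools import combinations

# Constructed stand-in: the thread elides the third octet ("62.153.xxx"),
# so the documentation range 192.0.2.0/24 is used with the posted host parts.
BASE = "192.0.2."
ALLOCATION = ipaddress.ip_network(BASE + "128/255.255.255.192")

# Interfaces of the "Router outside" as posted (address/netmask).
POSTED = {"eth0": BASE + "190/255.255.255.192",
          "eth1": BASE + "134/255.255.255.224"}


def connected_overlaps(interfaces):
    """Return (if_a, if_b, net_a, net_b) for interfaces on one router
    whose directly connected networks overlap."""
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    return [(a, b, str(nets[a]), str(nets[b]))
            for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def split_plan(allocation, interfaces, new_prefix):
    """Split the allocation into equal subnets and re-mask each interface
    to the subnet that contains its address."""
    subnets = list(allocation.subnets(new_prefix=new_prefix))
    plan = {}
    for name, addr in interfaces.items():
        ip = ipaddress.ip_interface(addr).ip
        home = next(s for s in subnets if ip in s)
        plan[name] = f"{ip}/{home.prefixlen}"
    return plan


if __name__ == "__main__":
    # As posted: the DMZ /27 lies inside the /26 configured on eth0.
    for a, b, net_a, net_b in connected_overlaps(POSTED):
        print(f"{a} {net_a} overlaps {b} {net_b}")
    # Two /27 halves: one for the outside segment, one for the DMZ.
    plan = split_plan(ALLOCATION, POSTED, 27)
    print(plan, "remaining overlaps:", connected_overlaps(plan))
```
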