Date: Fri, 15 Dec 2000 21:18:31 +0000
From: Lee
With the adsl package I will be assigned 13 IP addresses. I need to segregate one section of the network for the LAN (using NAT and to firewall it off), and another section for the 'DMZ', where 95% of the IP addresses will be used to run various net facing servers.

Lee
JPC> I am assuming that your topography looks something like:
JPC>
JPC> |---------------|                               |---------------|
JPC> |               |(ethernet1)                    |               |
JPC> |      DMZ      |\                              |   Internet    |
JPC> |               | \          /                  |               |
JPC> |---------------|  \        /                   |---------------|
JPC>                     \      /ADSL                        |
JPC>                      \    /                             |
JPC>                      SuSE6.4                            |ADSL
JPC>                      Firewall                           |
JPC>                      /    \                             |
JPC> |---------------|   /      \                    |---------------|
JPC> |               |  /        \                   |  Server Farm  |
JPC> |      LAN      | /          \                  |---------------|
JPC> |               |(ethernet2)  (ethernet3)
JPC> |---------------|
JPC>
JPC> You'll need 4 NICs in your firewall as follows
JPC> You'll want to use NAT for your DMZ.
JPC> You'll just want to firewall your LAN.
JPC> You'll want a bridge to your Servers. (Not necessary, but keeps internal
JPC> traffic internal).
JPC> All default traffic hits the ADSL link.
JPC>
JPC> If you are using IPCHAINS, you'll want to do something like:
JPC>
JPC> bash>>ipchains -P input ACCEPT
JPC> bash>>ipchains -P output ACCEPT
JPC> bash>>ipchains -P forward DENY
JPC> bash>>ipchains -A forward -b -s DMZ -j MASQ
JPC> bash>>ipchains -A forward -b -s LAN -j ACCEPT
JPC>
JPC> You'll need to setup some routing prior to doing these rules. These rules
JPC> are very loose and are not the best settings as far as securing things.
JPC> Hopefully this will get you started and you'll be able to tighten things
JPC> as you learn.
JPC>
JPC> Good Luck.
JPC>
JPC> ===========                                              ===========
JPC> Jonathan Paul Cowherd
JPC> jpcowh01@slug.louisville.edu
JPC> http://www.slug.louisville.edu/~jpcowh01
JPC> This is my world and I am... World Leader Pretend
JPC> ===========                                              ===========
From: Bernd Felsche
Hello Jonathan, All,
Perhaps someone can confirm a brainstorm I just had. I don't know the total ins and outs of ADSL, but let's take the 13 IP addresses and put them at the router (which I assume is what happens). Surely then I can use a 4-port hub from the ADSL router, and put one portion of it to another hub with all my servers on (each server set up with one of the 13 IPs or so), and they'd work? I could then take a feed off the same 4-port hub, plug it through the firewall, and onto the local LAN. Would this work? I could assign the suse firewall one of the 13 IPs and use NAT internally on the LAN (see diagram).
Check out this diagram and see what you make of it.
**********
*Internet*---[ADSL ROUTER]
**********        |
                  |
                [hub]
                /   \
               /     \
              /       \
             /         \
            /           \
        [hub]      [suse firewall]
         /                 \
        /                   \
       /                     \
  [Servers]                 [hub]
                               \
                                \
                                 \
                              [LAN PCs]
Regards,
Lee.
Friday, December 15, 2000, 8:56:40 PM, you wrote:
With the adsl package I will be assigned 13 IP addresses. I need to segregate one section of the network for the LAN (using NAT and to firewall it off), and another section for the 'DMZ', where 95% of the IP addresses will be used to run various net facing servers.

Lee
JPC> I am assuming that your topography looks something like:
JPC> |---------------|                               |---------------|
JPC> |               |(ethernet1)                    |               |
JPC> |      DMZ      |\                              |   Internet    |
JPC> |               | \          /                  |               |
JPC> |---------------|  \        /                   |---------------|
JPC>                     \      /ADSL                        |
JPC>                      \    /                             |
JPC>                      SuSE6.4                            |ADSL
JPC>                      Firewall                           |
JPC>                      /    \                             |
JPC> |---------------|   /      \                    |---------------|
JPC> |               |  /        \                   |  Server Farm  |
JPC> |      LAN      | /          \                  |---------------|
JPC> |               |(ethernet2)  (ethernet3)
JPC> |---------------|
Security is never easy. If it is, it's not secure.

I would advise against that topology unless you're also treating the
(ethernet3) segment as a DMZ. A direct ADSL connection is of little
benefit, if any, as you only have the one wire carrying all ADSL traffic
coming out of the building anyway.

Keep the server farm in a DMZ and have the firewall respond to all the
useful assigned IP addresses, forwarding to corresponding servers as
necessary.

It would also be a good idea (IMHO) to set up an "internal" firewall for
the NAT on your LAN. That is to simplify the filtering on the "front"
firewall and to make both firewalls more secure.

--
 /"\  Bernd Felsche - Innovative Reckoning, Perth, Western Australia
 \ /  ASCII ribbon campaign | I'm a .signature virus!
  X   against HTML mail     | Copy me into your ~/.signature
 / \  and postings          | to help me spread!
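Both the ipchains rules JPC quoted earlier in the thread and Bernd's advice to keep the servers in a DMZ and have the firewall answer on the assigned addresses leave the actual rule set to the reader. The script below is an added example, not code from the thread or from either poster. It emits a tightened ipchains policy for the three-legged SuSE 6.4 firewall of JPC's diagram (kernel 2.2, where ipchains and ipmasqadm were the tools): the LAN is masqueraded only out the ADSL interface, the assigned public block is routed (not NATed) to the DMZ with only the listed TCP services reachable, packets arriving from the ADSL side with internal source addresses are dropped, and a small helper shows Bernd's variant of answering on a public address and handing the port to a server on private space with ipmasqadm portfw. The interface names (ippp0, eth1, eth2), the address ranges, the service list and the example hosts are all assumptions. The script prints the commands rather than running them, so the policy can be read and checked on any machine; it applies them only when run as root on the firewall with --apply.

```shell
#!/bin/sh
# Added example, not from the thread: a tightened ipchains ruleset for a
# SuSE 6.4 / kernel 2.2 firewall with an ADSL leg, a DMZ leg and a LAN leg.
# Every interface name and address below is an assumption for illustration.

EXT_IF=ippp0                # ADSL side (assumed interface name)
DMZ_IF=eth1                 # "(ethernet1)" in the diagram
LAN_IF=eth2                 # "(ethernet2)" in the diagram
LAN_NET=192.168.1.0/24      # RFC 1918 space, masqueraded (assumed)
DMZ_NET=203.0.113.16/28     # the assigned public block, routed, not NATed (assumed)
DMZ_TCP_PORTS="25 80 443"   # TCP services the Internet may reach on DMZ hosts

# Emit the commands instead of running them, so the policy can be read,
# diffed and tested on a machine without ipchains or root.
build_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "ipchains -F"
    # In ipchains a forwarded packet traverses input, forward and output, so
    # input/output stay ACCEPT and the forward chain carries the policy.
    echo "ipchains -P input ACCEPT"
    echo "ipchains -P output ACCEPT"
    echo "ipchains -P forward DENY"

    # Anti-spoofing on the input chain, where -i is the arrival interface:
    # nothing from the ADSL side may claim a LAN, DMZ or loopback source.
    echo "ipchains -A input -i $EXT_IF -s $LAN_NET -j DENY -l"
    echo "ipchains -A input -i $EXT_IF -s $DMZ_NET -j DENY -l"
    echo "ipchains -A input -i $EXT_IF -s 127.0.0.0/8 -j DENY -l"

    # On the forward chain -i names the interface the packet will LEAVE on.
    # LAN -> Internet: masquerade, but only out the ADSL link. No -b here:
    # replies come back through the masquerade table, not a reverse rule.
    echo "ipchains -A forward -i $EXT_IF -s $LAN_NET -j MASQ"

    # Anyone -> DMZ: only the listed TCP services, nothing else.
    for port in $DMZ_TCP_PORTS; do
        echo "ipchains -A forward -i $DMZ_IF -p tcp -d $DMZ_NET $port -j ACCEPT"
    done
    # DMZ -> Internet: replies only (TCP without SYN), so a compromised
    # server cannot open new connections outward.
    echo "ipchains -A forward -i $EXT_IF -p tcp ! -y -s $DMZ_NET -j ACCEPT"

    # LAN -> DMZ for administration, replies back, nothing DMZ-initiated.
    echo "ipchains -A forward -i $DMZ_IF -s $LAN_NET -d $DMZ_NET -j ACCEPT"
    echo "ipchains -A forward -i $LAN_IF -p tcp ! -y -s $DMZ_NET -d $LAN_NET -j ACCEPT"
    echo "ipchains -A forward -i $LAN_IF -s $DMZ_NET -j DENY -l"
}

# Bernd's variant for a server on private space: the firewall holds one of
# the assigned public addresses and hands a port to the real host. On 2.2
# kernels that is ipmasqadm portfw (addresses passed in are assumptions).
build_portfw_rules() {
    pub_ip=$1; srv_ip=$2; port=$3
    echo "ifconfig $EXT_IF:0 $pub_ip netmask 255.255.255.255 up"
    echo "ipmasqadm portfw -a -P tcp -L $pub_ip $port -R $srv_ip $port"
}

# Number of rules that permit traffic: a quick sanity check before applying.
count_accepts() {
    build_rules | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
    build_rules | sh        # run as root on the firewall itself
else
    build_rules             # dry run: print the policy for review
    build_portfw_rules 203.0.113.30 192.168.2.10 80
fi
```

Compared with the rules quoted in the thread: the source-address option is lowercase -s and takes an address or network, so "DMZ" and "LAN" have to become real ranges; -b on a LAN rule would also accept anything with a LAN destination arriving from the ADSL side, so replies are left to the masquerade table and to the "! -y" (no SYN) matches instead; and because -i on the forward chain is the outgoing interface, the MASQ rule is pinned to the ADSL link rather than masquerading LAN traffic towards the DMZ as well.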