You are AWESOME!!!
Thanks!
Cory Petkovsek wrote:
>
> Often, a DMZ is set up as three networks connected by one point: Internet,
> LAN and DMZ, with the firewall connecting all three.
>
> In direct answer to your questions:
> Yes, set up your DMZ as you did your internal LAN; however, use another IP
> network (see below).
> Yes, portfw to your internal IP DMZ web server, as you probably did with your
> LAN.
> Set up your DMZ as a private LAN, masqueraded to the internet, and portfw
> back. Make sure to restrict only certain access between your DMZ and your
> LAN! If your webserver in your DMZ is cracked, and you don't have any tight
> control between your LAN and the DMZ, well, it didn't do any good to have a
> DMZ in the first place. You want to be able to have your DMZ servers
> cracked, and still have a secure network, such that if someone owns one of
> your DMZ servers, they still can't break through the firewall into your real
> network.
>
> mini howto:
> -----------
> First set up your LAN and the internet. The LAN has private IPs and
> masquerades (or SNAT with 2.4) to the internet, and the internet port-forwards
> with ipmasq (or DNAT with 2.4) to particular ports within your network, if
> needed.
>
> Then set up your DMZ as a second private LAN, i.e. if your LAN is a 10.0.0.0/16
> network, make your DMZ a 10.1.0.0/16 network. These are different networks,
> as denoted by the /16.
>
> Before messing with ipchains/iptables rules, make sure you can connect to,
> and forward between the networks. Make sure your routing is correct. This
> will make the next part much easier!
>
> Your rules will say something like (pseudo rules):
> #allow either lan access to the internet
> if source 10.0.0.0/16 and dest anything but 10.1.0.0/16 accept
> if source 10.1.0.0/16 and dest anything but 10.0.0.0/16 accept
> if source ! 10.0.0.0/8 and dest 10.0.0.0/8 accept (internet packets coming
> back to either private lan)
>
> #forward between dmz and lan
> if source 10.0.0.0/16 and dest 10.1.0.0/16 accept
> if source 10.1.0.0/16 and dest 10.0.0.0/16 accept
>
> portfw external_ip port 80 to 10.1.0.5:80 (dmz webserver)
>
> Rules 1, 2 and 3, 4 are kind of redundant. However, it's laid out like
> this so you can tighten the control, rather than just accepting everything.
> For instance, you may say:
> if source LAN to internet (i.e. ! 10.0.0.0/8) accept
> if source LAN to DMZ port 80 accept
> Deny everything else from LAN to DMZ
>
> You'll also need corresponding reverse rules, such as:
> if source DMZ:80 to LAN 1024:65535 accept
>
> For clarification here, 10.0.0.0/8 will match either 10.0.0.0/16 or
> 10.1.0.0/16. So you can define a variable privateIP="10.0.0.0/8" and use
> this to compare:
> if source ! $privateIP to $privateIP (this means if from internet to either
> DMZ or internal lan)
>
> Hope this helps,
> Cory
>
> On Fri, Mar 23, 2001 at 06:47:39AM -0500, tom wrote:
> > I'm trying to build a firewall with one card open to a DMZ.
> >
> > But I'm unclear on how exactly to do this.
> >
> > Do I start by forwarding all incoming requests on port 80 to my
> > internal DMZ machine and then masq all outgoing traffic (as I do
> > with all the networks)?
> >
> > Is that how it works?
> >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
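The pseudo rules in Cory's mini howto, written out as a 2.4-style iptables script (an added example, not from the thread or from any Debian package). It assumes eth0 faces the Internet, eth1 the LAN (10.0.0.0/16) and eth2 the DMZ (10.1.0.0/16), a placeholder public address 192.0.2.10, and the 10.1.0.5 web server from the post; the interface names and the public address are assumptions. It takes the tightened form of rules 3 and 4: the LAN may open HTTP to the web server, the DMZ may never open anything to the LAN, and the reverse traffic Cory's "DMZ:80 to LAN 1024:65535" rule covers is handled by connection tracking instead of a static port-range rule. By default IPT is set to a dry run that only prints the commands; export IPT=/sbin/iptables and run as root to apply them.

```shell
#!/bin/sh
# Three-legged firewall: Internet (eth0), LAN (eth1, 10.0.0.0/16), DMZ (eth2, 10.1.0.0/16).
# Interface names, EXT_IP and WEB are assumptions for this example.
# IPT defaults to a dry run that prints each command; export IPT=/sbin/iptables
# (as root, kernel 2.4+ with ip_conntrack and iptable_nat loaded) to apply them.
IPT="${IPT:-echo iptables}"

EXT_IF=eth0          # assumed: interface towards the Internet
LAN_IF=eth1          # assumed: interface towards the internal LAN
DMZ_IF=eth2          # assumed: interface towards the DMZ
EXT_IP=192.0.2.10    # assumed public address (documentation range, TEST-NET-1)
LAN_NET=10.0.0.0/16
DMZ_NET=10.1.0.0/16
PRIVATE=10.0.0.0/8   # matches both LAN and DMZ, like privateIP in the post
WEB=10.1.0.5         # the DMZ web server from the post

dmz_rules() {
    # Clean slate; anything not explicitly allowed below is dropped.
    $IPT -F FORWARD
    $IPT -t nat -F
    $IPT -P FORWARD DROP

    # Replies to connections the firewall has already seen may pass in any
    # direction; this replaces the hand-written "reverse rules" of the post.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rules 1 and 2: either private network may reach the Internet, where
    # "the Internet" excludes the other private network.
    $IPT -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET ! -d $PRIVATE -j ACCEPT
    $IPT -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET ! -d $PRIVATE -j ACCEPT

    # Tightened rule 3: LAN may only open HTTP to the web server.
    $IPT -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $WEB -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # The point of the DMZ: a cracked DMZ host must not open connections into
    # the LAN. Redundant with the DROP policy, but explicit and easy to audit.
    $IPT -A FORWARD -i $DMZ_IF -o $LAN_IF -s $DMZ_NET -d $LAN_NET -j DROP

    # "portfw external_ip port 80 to 10.1.0.5:80": rewrite the destination...
    $IPT -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 80 \
        -j DNAT --to-destination $WEB:80
    # ...and let the rewritten packets through FORWARD (DNAT alone is not enough).
    $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -d $WEB -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # Both private networks leave through the external address (masquerade/SNAT).
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $PRIVATE -j MASQUERADE
}

dmz_rules
```

Check the result on the box with `iptables -L FORWARD -n -v` and `iptables -t nat -L -n`: the only way a packet from 10.1.0.0/16 reaches 10.0.0.0/16 should be as part of a connection the LAN opened, and the counters on the DMZ-to-LAN DROP rule are a cheap early warning that something in the DMZ is probing inward.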