<quote who="red">
> All,
> This may have come up a billion times in the past
> but, I am setting up a FW and I have some basic questions:
>
> Setup 1: (idea at least)
>
> Public ip 64.1.1.x
> DMZ HOST (ports 80,993,143,53)
> upstream 64.1.1.                /
> (internet)---DSLmodem----(64.x)FW(2.x)--HUB/
>                                         \ 1.1.1.0/24
>                                          \Linksys(Wireless router)
>                                           \         \
>                                            \         \
>                                         workstation, workstation
>
> I have 5 static ips
> I'm using a p400 with two nics (deb woody)
>
> Goals:
> I want to do Packet Filtering and logging for the DMZ and the
> workstations:
>
> Questions:
> 1) Do I need three Nics on the Firewall, one for the DMZ?
> 2) In the drawing above I am running DHCP on the LAN with the Linksys
> Wireless router. Should I run DHCP on the LAN interface on the FW
> instead? What would be the benefits/drawbacks?
> 3) If the WAN interface in the router is a 64.1.1.x and the LAN
> interface is a 2.x.x.x/24 will I be able to route the 1.1.1.x/24 and
> DMZ host through the FW?
> 4) I want to use Iptables because I heard they are more advanced than
> ipchains. Is this true?
> 5) I am somewhat familiar with the command line IPtables commands, but
> was curious as to what other (non gui) tools I could use to write
> rules?
>
> Thanks
> In advance
> -red
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
</quote>
I proceed to answer your questions according to what I've done in the past. Some people may or may not disagree.

1) I would set another nic to connect only to the dmz, so yes to the three nics; this is the most secure way possible.

2) I would run the dhcp in the lan. Why? IMHO the dhcp works only in the lan and for the lan, so I don't see it necessary to run it in the firewall.

3) Yes you can, thanks to iptables, using port forwarding for incoming, nat for outgoing, etc.

4) Yes, Iptables are more advanced. Ipchains was thought for kernel 2.2.x and in the near future people won't keep developing them. iptables is the one for kernel 2.4.x and, correct me if I am wrong, for kernel 2.6.x, allowing many more options, and the capabilities of iptables are increasing rapidly. Check netfilter.samba.org for details about this; I may not be giving you the best explanation.

5) Iptables is the program to generate rules or chains for your firewall; there are other console and gui programs that can help you generate them. If you want a quick fast firewall, search for them (freshmeat.net, google), though if you want to become adept I would suggest you go to netfilter.samba.org and start studying some of the docs there. They are great and it's good somebody dedicated his time to make them. There are some easy examples there. Also I have some examples in my web page www.debian-gnu.com, sections - configurations.

Well, I wish you luck in this matter. In my case I have more or less the same network topology as you plan to make, so if you have further questions I may be able to help.

-daniel
http://www.debian-gnu.com

