Greetings,
It would appear that in an effort to keep my question simple, I may have
over-simplified it. I received a few replies stating that there should be
a firewall between the internal and perimeter networks, and that
masquerading alone was not enough.
What we have is external and internal firewalls. Obviously the internal
firewall links the internal network to the perimeter, and likewise with the
external firewall and the Internet. All traffic to and from the Internet
is masqueraded as we only have a single Internet IP address. Incoming
Internet connections are "port forwarded" to the proper hosts on the
perimeter (e.g. the web server).
All internal traffic to the perimeter is restricted to the respective
hosts. For example, all "port 80" traffic is rejected except for that
which is bound for the web proxy server on the perimeter.
My question then should read:
If the perimeter address of the proxy server is 192.168.253.2 and the
internal address of the firewall is 192.168.1.1 which IP address should
internal clients use for service?
Should the client 192.168.1.2 use 192.168.253.2 directly or 192.168.1.1 and
be "port forwarded" to the perimeter proxy server? The latter seems to
"hide" the hosts on the perimeter, however, it also seems that it will hide
where the connections are coming from as well.
Any thoughts?
- Bennett
At 07:57 PM 1/23/00 -0500, Bennett Samowich manipulated the electrons to say:
... snip ...
>Should hosts on an internal network have direct access to hosts on a DMZ,
>or should they be masqueraded?
... snip ...
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
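The two designs Bennett is weighing can be made concrete with a small model of the internal firewall's NAT and filter stages. The following is an added example, not code from the thread; it assumes a netfilter-style order of operations (destination NAT before the forwarding filter, source NAT/masquerade after it) and invents 192.168.253.1 as the internal firewall's perimeter-side address, which the thread does not state. It shows what client address the perimeter proxy would record under each design, and that the "port 80 only to the proxy" policy still works after DNAT because the filter sees the rewritten destination.

```python
"""Model of the two designs from the thread: clients reaching the perimeter
proxy directly versus via a port-forward on the internal firewall, with and
without masquerading. All addresses except FW_PERIMETER come from the thread."""
from dataclasses import dataclass, replace
from typing import Optional

CLIENT = "192.168.1.2"        # internal client
FW_INTERNAL = "192.168.1.1"   # internal firewall, inside address
PROXY = "192.168.253.2"       # web proxy on the perimeter (DMZ)
PROXY_PORT = 80
FW_PERIMETER = "192.168.253.1"  # assumed: firewall's perimeter-side address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def prerouting_dnat(pkt: Packet) -> Packet:
    """Port-forward rule: traffic to the firewall's inside address on port 80
    is redirected to the perimeter proxy. DNAT rewrites only the destination."""
    if pkt.dst == FW_INTERNAL and pkt.dport == PROXY_PORT:
        return replace(pkt, dst=PROXY)
    return pkt


def forward_filter(pkt: Packet) -> bool:
    """Policy from the thread: port 80 is rejected unless bound for the proxy.
    Evaluated after DNAT, so the rewritten destination is what is checked."""
    if pkt.dport == PROXY_PORT:
        return pkt.dst == PROXY
    return True  # other ports are outside the scope of this example


def postrouting_masquerade(pkt: Packet) -> Packet:
    """Masquerade: replace the source with the firewall's outgoing address,
    so the proxy can no longer tell which internal host connected."""
    return replace(pkt, src=FW_PERIMETER)


def traverse(pkt: Packet, port_forward: bool, masquerade: bool) -> Optional[Packet]:
    """Push one packet through the internal firewall; return what reaches the
    perimeter, or None if the forwarding filter rejects it."""
    if port_forward:
        pkt = prerouting_dnat(pkt)
    if not forward_filter(pkt):
        return None
    if masquerade:
        pkt = postrouting_masquerade(pkt)
    return pkt


def proxy_sees(pkt: Optional[Packet]) -> str:
    """The client address the proxy's access log would record."""
    return "rejected by firewall" if pkt is None else pkt.src


def compare_designs() -> dict:
    """Run the same client request through each design and collect what the
    proxy logs. Inputs are constructed for this example."""
    direct = Packet(CLIENT, PROXY, PROXY_PORT)          # client targets the proxy
    via_fw = Packet(CLIENT, FW_INTERNAL, PROXY_PORT)    # client targets 192.168.1.1
    stray = Packet(CLIENT, "192.168.253.9", PROXY_PORT)  # some other DMZ host (constructed)
    return {
        "direct": proxy_sees(traverse(direct, port_forward=False, masquerade=False)),
        "via_fw_no_forward": proxy_sees(traverse(via_fw, port_forward=False, masquerade=False)),
        "port_forward_only": proxy_sees(traverse(via_fw, port_forward=True, masquerade=False)),
        "port_forward_masq": proxy_sees(traverse(via_fw, port_forward=True, masquerade=True)),
        "stray_port_80": proxy_sees(traverse(stray, port_forward=True, masquerade=False)),
    }


if __name__ == "__main__":
    for design, seen in compare_designs().items():
        print(f"{design:18s} -> proxy logs client as: {seen}")
```

The model makes the trade-off visible: a plain port-forward (DNAT) keeps the real client address, so the proxy's logs still attribute requests to 192.168.1.2 while clients only ever learn the firewall's address; adding masquerading collapses every internal client to one address, and attribution then depends on the firewall logging its NAT translations and on correlating the two logs during an investigation.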