Hi,
The original questioner's IP scheme is clearly confused, as you say, but it's
not really necessary to use real IPs on the DMZ. Commonly the FW-1 world
does this due to historic schemes, but it's not necessary with Linux. With
both ipfwadm and ipchains the application of NAT is separate from the
application of filter rules. So as long as the protocol is not doing
bizarre dynamic port alterations OR it is IPsec, you can use NAT on the DMZ.
Of course, another option if you have a small IP range is to proxy the
contact on the DMZ, for example reverse proxying web with squid.
Cheers,
Steve
At 08:15 PM 5/3/00 -0400, Victor E. Arroyo wrote:
>Well Bill,
>
> First you would have to change your subnetting scheme. The one you have
>and the way you addressed the ports (Ethernet cards) is confusing. The way
>you have it set up, the TCP/IP protocols would never get to the other
>interface because you are telling them that the rest of the network is on
>that wire or out of that interface. So the two interfaces think they have
>the complete network on the end of each interface.
>
>
>As for providing a private IP address for the DMZ zone: I always thought
>this zone should have real IP addresses, since the firewall would do
>restricting for the DMZ while doing NAT and restricting for the internal
>network. I may be wrong, and if I am I would like to know the right way of
>doing this.
>
>Thanks,
>
>Vic
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Amit Kaushal
>Sent: Wednesday, May 03, 2000 5:45 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: [security:01059] Re: IPCHAINS on Red Hat 6.2
>
>
>
> As far as I understand, you only need one legal IP and that is for
> your eth0. You should use illegal IPs for the DMZ and the internal
> network. Then you will have to create a static route to the web server
> which is in the DMZ, since the external world only responds to eth0. I
> have done this with Checkpoint FW-1. ipchains may have a different
> implementation.
>
> Amit Kaushal
>
> Deloitte & Touche LLP
>
>
>______________________________ Reply Separator _________________________________
>Subject: IPCHAINS on Red Hat 6.2
>Author: [EMAIL PROTECTED] at Internet-USA
>Date: 5/3/2000 3:02 PM
>
>
>I am attempting to configure a firewall machine using Red Hat Linux 6.2
>ipchains. I am using the 3-NIC model with eth0 going to the Internet, eth1
>going to the DMZ and eth2 to the protected network.
>
>Currently my network IP address is xxx.xxx.xxx.128 with a subnet mask of
>255.255.255.192. I assign the address of eth0 to be xxx.xxx.xxx.130 and
>eth1 to be xxx.xxx.xxx.131.
>
>I assign the www server in the DMZ an IP of xxx.xxx.xxx.132, set the gateway
>to xxx.xxx.xxx.131, and it cannot ping any machine other than itself.
>
>The IPCHAINS rules on the firewall are all set to the default of ACCEPT.
>
>If I set the IP of eth1 to 10.0.0.1 and the www machine to 10.0.0.2 and put the
>correct ipchains rules to forward and masq, there is no trouble and I can
>ping/access internal and external hosts.
>
>Shouldn't I be using my "real" IP addresses on the DMZ machines?
>
>Am I creating a routing problem when I use the same address space for eth0
>and eth1?
>
>Any help is greatly appreciated.
>
>Bill
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
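Added example (not from the thread, and not anything the posters ran): a short Python model of the kernel's routing lookup, run over the three address plans discussed above, so the reason Bill's first layout failed is visible rather than argued about. Assumptions: the thread's xxx.xxx.xxx is written as 192.0.2 here (TEST-NET-1); the internal network on eth2 is taken to be 192.168.1.0/24 since Bill does not give it; the proxy_arp path quoted in the comments is the 2.2 kernel's /proc entry.

```python
"""Toy longest-prefix-match lookup over the three-NIC firewall layouts
from the ipchains thread.  Constructed example; see assumptions above."""
import ipaddress

# Placeholder for the thread's "xxx.xxx.xxx" (assumption: TEST-NET-1).
NET = "192.0.2"

# Bill's first attempt: eth0 and eth1 both configured inside the same /26.
BILL = [
    (f"{NET}.128/26", "eth0"),   # eth0 = .130
    (f"{NET}.128/26", "eth1"),   # eth1 = .131, www server = .132
]

# What worked for him: a private DMZ behind masquerading.
# The internal network on eth2 is not in the thread; 192.168.1.0/24 is assumed.
PRIVATE_DMZ = [
    (f"{NET}.128/26", "eth0"),
    ("10.0.0.0/24", "eth1"),     # eth1 = 10.0.0.1, www server = 10.0.0.2
    ("192.168.1.0/24", "eth2"),
    ("0.0.0.0/0", "eth0"),       # default route toward the upstream router
]

# Keeping real addresses on the DMZ: carve .160/27 out of the /26 for eth1.
# The upstream router still believes .160/27 is on the outside wire, so the
# firewall has to answer ARP for those hosts on eth0 (2.2 kernels:
#   echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp).
SPLIT = [
    (f"{NET}.128/26", "eth0"),
    (f"{NET}.160/27", "eth1"),   # eth1 = .161, www server = .162
    ("0.0.0.0/0", "eth0"),
]


def lookup(routes, dst):
    """Return the outgoing interface for dst by longest-prefix match.

    On an equal-length tie the route listed first wins; that is the
    behaviour this model assigns to the duplicate /26 in Bill's table.
    Returns None when no route covers dst.
    """
    dst = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for net, iface in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def duplicated_prefixes(routes):
    """Prefixes configured on more than one interface, sorted as strings.

    An entry here means two wires claim the same network, so one of them
    can never be chosen for that range: exactly Bill's symptom.
    """
    seen = {}
    for net, iface in routes:
        seen.setdefault(net, set()).add(iface)
    return sorted(net for net, ifaces in seen.items() if len(ifaces) > 1)


def reachable_via(routes, dst, expected_iface):
    """True when dst would leave through expected_iface under this table."""
    return lookup(routes, dst) == expected_iface


if __name__ == "__main__":
    for name, table in (("Bill", BILL), ("private DMZ", PRIVATE_DMZ), ("split /27", SPLIT)):
        print(f"{name:12s} duplicate prefixes: {duplicated_prefixes(table)}")
    print("Bill's www host .132 is routed via", lookup(BILL, f"{NET}.132"))
    print("split-/27 www host .162 is routed via", lookup(SPLIT, f"{NET}.162"))
```

The first table has the same /26 on two interfaces, so the lookup for the DMZ host is a tie and packets for .132 leave via eth0, which is what Bill saw when only the www server could ping itself. The other two tables give each interface its own prefix: the private DMZ pays for that with NAT (or, as Steve says, a reverse proxy on the firewall), the split /27 keeps real addresses on the DMZ but needs proxy ARP on eth0 so the upstream router can still find them.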