Hello, Jacob
I'm new to this list and as I was looking at the configuration below I
noticed that your External and DMZ addresses are on the same Class B subnet.
That may be a big part of your problem; you might want to try subnetting them
down a bit, as I wouldn't think you need all those addresses for a firewall. I
agree with Amit Kaushal in that you should use a non-routable IP address in
the DMZ as well as your internal (Trusted) Zone and then use NAT to the
external (Un-trusted) Zone. Depending on the firewall, your configuration
will vary for passing your customers' traffic through to your web server. Is
the webserver in the DMZ a caching server or your primary web server? (You
may want to tunnel outgoing only to update your caching server.)
Vern Waltman
Information Security Engineer
Beta Analytics International
(703) 706-1786
[EMAIL PROTECTED]
Security is not somebody else's responsibility! It's yours!
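As an added example (not code from any poster in this thread): a small Python check that computes the directly-connected route each firewall interface will install and flags the situation described below, where eth1 and eth2 both claim 172.24.0.0/16 and a DMZ host such as the web server can be reached via either interface. The POSTED table copies the addresses from the quoted configuration; the PROPOSED table, with both /16s cut down to /24s on different third octets, is a constructed illustration of "subnetting them down" and is an assumption, not a layout anyone in the thread gave.

```python
"""Check a multi-homed firewall's interface plan for overlapping connected
routes (added example; not from the original thread)."""
import ipaddress
from itertools import combinations

# Copied from the configuration quoted in the thread (address/netmask).
POSTED = {
    "eth0 (internal)": "192.168.10.10/255.255.255.0",
    "eth1 (DMZ)":      "172.24.42.200/255.255.0.0",
    "eth2 (external)": "172.24.42.100/255.255.0.0",
}

# Constructed illustration of subnetting the two /16s down to distinct /24s.
# The 172.24.100.0/24 external network is an assumption for the example only.
PROPOSED = {
    "eth0 (internal)": "192.168.10.10/255.255.255.0",
    "eth1 (DMZ)":      "172.24.42.200/255.255.255.0",
    "eth2 (external)": "172.24.100.100/255.255.255.0",
}


def connected_routes(ifaces):
    """Map each interface to the connected network the kernel installs for it
    (the route the poster saw appear for both eth1 and eth2)."""
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in ifaces.items()}


def overlapping_routes(ifaces):
    """Return pairs of interfaces whose connected networks overlap.  Two
    interfaces with the same destination network means the kernel may forward
    a packet for that network out of either one."""
    nets = connected_routes(ifaces)
    return [(a, b) for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]


def candidate_interfaces(ifaces, destination):
    """Interfaces whose connected route covers ``destination``, longest prefix
    first (ties broken by name so the result is deterministic)."""
    dst = ipaddress.ip_address(destination)
    nets = connected_routes(ifaces)
    hits = [(nets[n].prefixlen, n) for n in nets if dst in nets[n]]
    hits.sort(key=lambda t: (-t[0], t[1]))
    return [n for _, n in hits]


def is_ambiguous(ifaces, destination):
    """True when two or more interfaces match ``destination`` with the same
    prefix length: longest-prefix matching cannot choose between them, so a
    DMZ host may be reached or answered via the wrong interface."""
    nets = connected_routes(ifaces)
    hits = candidate_interfaces(ifaces, destination)
    return (len(hits) > 1
            and nets[hits[0]].prefixlen == nets[hits[1]].prefixlen)


if __name__ == "__main__":
    web_server = "172.24.42.222"   # the DMZ web server from the thread
    for label, plan in (("posted", POSTED), ("proposed", PROPOSED)):
        print(f"[{label}] connected routes:")
        for name, net in connected_routes(plan).items():
            print(f"  {name:<16} -> {net}")
        print(f"  overlapping pairs : {overlapping_routes(plan)}")
        print(f"  {web_server} reachable via {candidate_interfaces(plan, web_server)}"
              f" (ambiguous={is_ambiguous(plan, web_server)})")
```

On the posted plan the check reports eth1 and eth2 as an overlapping pair and the web server as reachable via both, which is the routing problem the thread is about; on the constructed /24 layout the web server matches only the DMZ interface.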
On Mon, 10 Jul 2000 22:54:21 -0700 (PDT), Sameer Anja wrote:
Hi Jacob-
What you could also do is:
put the webserver outside the firewall.
Allow only HTTP and SSH services.
Connect for updates from your internal servers using
an rsync/ssh combination.
Put the firewall between the corporate LAN and the
webserver.
I am assuming here that the webserver does not have
your Company Internal Data.
If it does, then I would just build an extranet.
Put the webserver inside the firewall and have NAT as
Amit said. This can be implemented smoothly.
But, I guess since you want to allow public access,
the above route of putting your webserver outside
would be a better option.
-Sameer
--- Amit Kaushal <[EMAIL PROTECTED]> wrote:
>
> I would suggest to use a separate & illegal IP
> address scheme for the
> DMZ; do not use the same IP addresses as for the
> external interface and the
> DMZ addresses. Then use static NAT for two way
> HTTP flow from the DMZ.
> This can be a bit tricky, but not real tough.
> Amit Kaushal
>
>
> ______________________________ Reply Separator
> _________________________________
> Subject: DMZ and IP
> Author: [EMAIL PROTECTED] at Internet-USA
> Date: 7/9/2000 6:17 PM
>
>
> Hi everybody
>
> I have a problem with a firewall that I have been trying
> to set up.
> The case is that I need to set up a firewall between
> the corporate LAN and
> the internet and allow public access to a web
> server. So I thought (after
> having read a lot of posts about DMZ) this is a
> classic DMZ scenario, but as
> I tried to implement it (using ipchains and RH6.1) I
> found that the routing
> is a bit of a problem. Here comes a scheme to make
> it clear how my setup is:
>
> The firewall has three NICs:
>
> Internal: eth0, 192.168.10.10/255.255.255.0
> DMZ: eth1, 172.24.42.200/255.255.0.0
> External: eth2, 172.24.42.100/255.255.0.0
>
> The WEB-server has ip 172.24.42.222/255.255.0.0
>
> The problem is that RH put up a route from
> 172.24.0.0 to eth1 AND eth2,
> which makes all the packets end up in the wrong places.
>
> This ends with two questions:
>
> How do I remove the route?
> Is this approach good / correct? How should a
> DMZ otherwise be set up?
>
> Thanks in advance
>
>
> Jacob Kjeldahl
> Spobjergvej 42,12
> 8220 Brabrand
> tlf. 894449176
> [EMAIL PROTECTED]
>
> -
> [To unsubscribe, send mail to
> [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]