It just so happens I've got a lot of relevant Check Point experience here
:-)
First thing you should do is think about your goals -- SOHO use
and large-scale corporate use present different needs. The DMZ is a
lare-scale corporate item (e.g. I'm getting paid so I might as well spend
as much time as it takes to get this figured out).
The typical corporate firewall looks like this:
x.x.x.x
|
firewall - 192.168.x.x dmz
|
172.x.x.x
The firewall is a stateful inspection engine with no support for proxy
arp, so one to one NATs are done for each DMZ server and a one to many NAT
is done for the inside network. Brand names don't matter -- this is what
Check Point, Cisco, Gauntlet, &c will implement.
For home use I don't see a lot of use for a DMZ. However, if you must have
one proxy arp should be avoided unless you don't have enough IP addresses
to do what you want to do.
HTH,
--
Jack Coates
Monkeynoodle: It's what's for dinner!
On Fri, 29 Dec 2000, David Douthitt wrote:
> I'm starting to lose my mind............... :-)
>
> I'm trying to develop a simple firewall tool which at its core relies
> on shell functions rather than shell variables and specially-
> formatted configuration files. Trouble is, my head is starting to
> HURT with all these different possibilities. Here is some rambling
> problems and "hurts" and "what do I do NOW???" things:
>
> * DMZ - what connectivity do you give to it? What do you allow to
> the protected net? What do you allow to the unprotected net? Would
> it be easier to proxy-arp the DMZ to the outside world?
>
> * Protected net: what about limiting internal users access to outside?
>
> * Internal firewall: what if the "external" unprotected net is
> actually an internal network behind a firewall? Now you have private
> IPs on BOTH sides of the firewall....
>
> * Masquerading... what about masquerading in BOTH directions? Or
> just one?
>
> * Servers on the firewall: this isn't as odd as it sounds. The first
> is ssh.
>
> * Servers in the unprotected net....!
>
> The BIG question: how do you ACCOUNT for all these?
>
> In particular, I'm implementing Oxygen as a firewall for an internal
> private network, so this really IS relevant. I also want to set it
> up at home, sooner or later, if I can get the modem and then PPP to
> work. I don't trust serial communications - it almost certainly
> never works the first time.
>
> Regarding firewalls, consider these problems/examples:
>
> * Internal firewall inside: now you can't reject all private IPs from
> the unprotected net.... since it also uses private IPs.
>
> * Masquerading: on a standard Internet firewall, you would masquerade
> the internal network - but what about a firewall INSIDE a
> firewall....?
>
> Another thing - which HURTS:
>
> * When I define a TCP transmission path, the two directions are
> defined in separate chains/rules whatever; you can't define a rule
> which says: "allow an outbound TCP connection on this port" - this is
> actually TWO steps - outgoing, and incoming.
>
> All this is starting to make my head explode - does anyone have any
> ideas? I know this is vague - I'm keep banging my head into things
> and I'm getting lost in the forest :-)
>
> I have the Building Internet Firewalls book - and I found it
> interesting that they don't seem to have a description of firewall
> rules for a DMZ. I also found that there isn't very much description
> of a DMZ out there - even those places that talk about it probably
> refer to a perimeter network instead.
>
> Anybody got an aspirin?
>
>
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel
