Doug Sampson wrote:
Hi all,

running Dachstein 102CD using extended firewall scripts.

Am now planning on moving a very hardened Exchange box from the internal
network to the DMZ. It has a web interface.

What I need to ensure is the following:
1) clients from internal network can access their mailboxes on the Exchange
box in the DMZ.
2) allow external clients to access web interface of the Exchange box from
Internet.

I've set the DMZ type to PRIVATE and assigned a different private network
number (192.168.2.x) to it.

###############################################################################
# DMZ setup (optional)
###############################################################################
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
DMZ_SWITCH=PRIVATE
DMZ_IF="eth2"
DMZ_NET=192.168.2.0/24


Set up port forwarding as follows:


# PRIVATE DMZ switches
###############################################################################
# Services port-forwarded to the DMZ network
# Indexed list: "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]"
DMZ_SERVER0="tcp $EXTERN_IP smtp 192.168.2.4 smtp"
DMZ_SERVER1="tcp $EXTERN_IP 8080 192.168.2.15 www"
DMZ_SERVER2="tcp $EXTERN_IP 8000 192.168.2.4 www"
DMZ_SERVER3="tcp $EXTERN_IP www 192.168.2.2 www"
DMZ_SERVER4="tcp $EXTERN_IP 443 192.168.2.2 443"

Before I move the Exchange box, I decided to test the existing NETWORK.CONF
file by placing a laptop in the DMZ and assigning 192.168.2.4 to it. I can
ping it from the internal network but I am finding that I cannot ping
192.168.1.1 or anything in the 192.168.1.1/24 network from 192.168.2.4. Is
that normal behavior?

Yes. The internal network is masqueraded to the DMZ, just as it is masqueraded to the internet. The whole point of the DMZ network is to create a network that's basically as untrusted as the internet, but still behind the firewall, allowing you to (fairly) safely run public servers with limited exposure to the raw 'net, and an additional layer of security between the public systems and your internal network, in case the public box(es) get hacked.


Would Outlook clients in the internal network be able to access the Exchange
box inside the DMZ in the normal manner as if it was inside the internal
network?

Not exactly the same manner...the internal hosts are masqueraded, so they will all look like they have the DMZ interface IP of your firewall box. Obviously masquerading breaks some protocols, but not others...I have no idea about any special Exchange protocols, but normal pop and imap connections would work fine.


Do hosts in the DMZ have access to the private DNS records that
are available to the internal network hosts?

DMZ machines have *NO* access to internal network resources, unless you expressly allow inbound connections via port-forwarding. Typically, this is a bad idea for security, and if possible you should architect your network to "flip" the required connection direction (ie your internal boxes connect to DMZ systems, not the other way around).


Do I need to establish DNS
records on the public dns server for any of the hosts in the DMZ in order
for the internal network hosts to be able to reach DMZ hosts?

You will need to provide IP resolution for the DMZ boxes somewhere, or everyone will have to type IP addresses. You can do this in any of the normal places, but would typically want to create DNS entries somewhere.


You can use the public IP for publicly visible port-forwarded services (ie web in your case), but you'll have to use the private IP for services you're not port-forwarding from the firewall's public port (ie imap, pop, custom Exchange protocol, or whatever).

--
Charles Steinkuehler
[EMAIL PROTECTED]
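A small lint for the DMZ_SERVERn list, added here as an example (not from this thread or from the Dachstein scripts): it reads NETWORK.CONF as text instead of sourcing it, so the same index assigned twice (an easy slip when hand-editing the list) is reported rather than silently overwriting the earlier forward, and it flags two entries that claim the same external protocol/port, with service names mapped to numbers by a small built-in table. It assumes the "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]" layout quoted above and that the scripts walk the indices 0, 1, 2, ... and stop at the first gap; the function name check_dmz_servers is mine.

```shell
#!/bin/sh
# Lint the DMZ_SERVERn indexed list of a Dachstein-style NETWORK.CONF.
# The file is read as text, not sourced, so a repeated index stays visible.
# Assumed layout: DMZ_SERVERn="Protocol LocalIP LocalPort RemoteIP [RemotePort]"
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_dmz_servers() {
    conf="$1"
    rc=0
    # "index proto localip localport ..." for every DMZ_SERVERn assignment
    entries=$(sed -n 's/^DMZ_SERVER\([0-9][0-9]*\)="\([^"]*\)".*/\1 \2/p' "$conf")
    [ -n "$entries" ] || { echo "no DMZ_SERVER entries found"; return 0; }
    # 1) Same index assigned twice: the shell keeps only the last assignment.
    for i in $(printf '%s\n' "$entries" | awk '{print $1}' | sort -n | uniq -d); do
        echo "duplicate index $i: earlier DMZ_SERVER$i forward is silently overwritten"
        rc=1
    done
    # 2) Gap in 0..max (assumption: processing stops at the first unset index).
    max=$(printf '%s\n' "$entries" | awk '{print $1}' | sort -n | tail -n 1)
    i=0
    while [ "$i" -le "$max" ]; do
        if ! printf '%s\n' "$entries" | awk -v n="$i" '$1 == n {f = 1} END {exit !f}'; then
            echo "gap at index $i: entries after it may never be installed"
            rc=1
        fi
        i=$((i + 1))
    done
    # 3) Two entries binding the same external proto/ip/port: only one can win.
    # Service names are normalised with a small table so "www" and "80" collide.
    dups=$(printf '%s\n' "$entries" | awk '
        BEGIN { m["smtp"]=25; m["www"]=80; m["http"]=80; m["https"]=443; m["pop3"]=110; m["imap"]=143 }
        { p = $4; if (p in m) p = m[p]; print $2, $3, p }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups" | sed 's/^/external binding used more than once: /'
        rc=1
    fi
    return $rc
}
```

Run it as `check_dmz_servers /etc/network.conf` (path is an assumption) before restarting the firewall; a non-zero exit means at least one forward would not behave as the list suggests.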

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html