Doug Sampson wrote:
I'm using Dachstein CD 1.02 which works well in its present state. I would
like to add a DMZ using a second ethernet card. I see in the network.conf
file there are various types of DMZ: YES, PROXY, NAT, PRIVATE, and NO. I do
not know what a PROXY DMZ does, nor do I know the purpose of a private DMZ.
Could someone explain what these are and under what conditions they may be
used?

The type of DMZ used mainly depends on how your ISP has allocated your IP number(s)/range.


DMZ=YES
This is a "real" DMZ...your ISP gives you a point-point link for your router/firewall, and routes a block of IPs to the upstream IP of your router. If you're really in the big-leagues, you have your own class-C block and get your ISP(s) to advertise your routes to the backbones.


DMZ=PROXY
DMZ=NAT
DMZ=PRIVATE
These are all set up to move public IPs that would normally appear on your firewall/router to DMZ system(s) behind the firewall. Typically one of these settings is used for cable-modem/xDSL connections where you spend a bit extra and get a small number of static IPs.


DMZ=PROXY
This setting uses proxy-arp to separate your DMZ systems from the "raw" upstream connection. The main benefit to using proxy-arp is your DMZ systems can have REAL PUBLIC IPs. The main drawback is it's kind of complex to get the networking and firewall rules set up correctly, but that's now pretty easy since I folded support into the main Dachstein scripts for this sort of setup.


DMZ=NAT
This setting uses static-NAT to translate public IPs on your firewall to private IPs used on your DMZ. The biggest drawback to this setup is the fact that your DMZ systems do *NOT* run with their real public IP, which can confuse various protocols that embed IP information in the data portion of the packets. This is just like the masquerading used for the internal systems, except there is a fixed, 1:1 relationship between a private IP on the DMZ network and a public IP on the upstream side of the firewall.


DMZ=PRIVATE
This is the least powerful DMZ flavor. The firewall uses port-forwarding to send specific inbound traffic to system(s) on the DMZ. This is also the only form of DMZ that can be set up if you only have one public IP from your ISP (all other flavors above require multiple public IPs from your ISP).


Since I am using Dachstein here at home and also at work, there are two
scenarios in which I am contemplating using the DMZs. At home, I wish to add a
video-conferencing solution which requires that it be placed in a DMZ. Failing
that DMZ requirement, it needs to have inbound ports turned on:

Port 1720 (TCP)
Ports 15328-15333 (TCP & UDP)

and outbound ports turned on:

Ports 1024-65535 (TCP & UDP)
Port 389 (LDAP)
Port 80 (HTTP)

What is the optimal solution for this scenario?

The second scenario (at work) calls for a web server, a virus mail scanner,
and an HTTP proxy (squid) to be located in the DMZ. Which type of DMZ should
be used for this? I would think a PRIVATE DMZ would be used, but again I am
not familiar with the various types of DMZs.

I look forward to a positive reply.

I suggest using proxy-arp DMZs if at all possible on both ends (assuming you have multiple IPs you can allocate to DMZ systems).


Note there are a few tricks to setting up a proxy-arp DMZ (mainly in how you set up routing, and an understanding of the arp protocol and arp cache timeouts), so don't be afraid to ask for help with the config file details if you decide to set up this sort of DMZ.

--
Charles Steinkuehler
[EMAIL PROTECTED]
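Added example (mine, not Charles's Dachstein scripts nor anything from the thread) modelling the DMZ=NAT 1:1 translation and the DMZ=PRIVATE port-forwarding rules for the video-conferencing ports listed above, and why a DMZ=NAT host can confuse a peer when it writes its own address into the payload. All addresses are constructed, and the assumption that the application embeds its address in the data portion is mine.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed example addressing, not taken from the original thread.
PUBLIC_DMZ_IP = "203.0.113.10"   # extra public IP the ISP routes to the firewall
PRIVATE_DMZ_IP = "192.168.2.10"  # DMZ host address behind DMZ=NAT or DMZ=PRIVATE
FIREWALL_IP = "203.0.113.1"      # the firewall's own upstream address
NAT_MAP = {PUBLIC_DMZ_IP: PRIVATE_DMZ_IP}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    payload_addr: str = ""  # address the application wrote into its own data (assumed)

def static_nat_inbound(pkt: Packet) -> Packet:
    """DMZ=NAT: fixed 1:1 public->private rewrite of the IP header, any port."""
    return replace(pkt, dst=NAT_MAP.get(pkt.dst, pkt.dst))

def static_nat_outbound(pkt: Packet) -> Packet:
    """DMZ=NAT: the reverse 1:1 rewrite; the payload is left exactly as sent."""
    reverse = {v: k for k, v in NAT_MAP.items()}
    return replace(pkt, src=reverse.get(pkt.src, pkt.src))

# DMZ=PRIVATE rules for the inbound ports the video-conferencing system asked for.
FORWARDS = [("tcp", 1720, 1720), ("tcp", 15328, 15333), ("udp", 15328, 15333)]

def port_forward_inbound(pkt: Packet):
    """DMZ=PRIVATE: only (proto, port) matches reach the DMZ host; None otherwise."""
    if pkt.dst != FIREWALL_IP:
        return None
    for proto, lo, hi in FORWARDS:
        if pkt.proto == proto and lo <= pkt.dport <= hi:
            return replace(pkt, dst=PRIVATE_DMZ_IP)
    return None

def peer_can_call_back(pkt: Packet) -> bool:
    """The remote peer connects to the address found in the payload, if any.
    Under 1:1 NAT that is still an RFC1918 address, unroutable from outside."""
    addr = ipaddress.ip_address(pkt.payload_addr or pkt.src)
    return not any(addr in net for net in RFC1918)

def demo():
    # Host behind DMZ=NAT announces its own (private) address in the payload.
    nat_out = static_nat_outbound(Packet("tcp", PRIVATE_DMZ_IP, "198.51.100.5", 1720, PRIVATE_DMZ_IP))
    # Same host on a proxy-arp DMZ (DMZ=PROXY) holds the public IP itself.
    proxy_out = Packet("tcp", PUBLIC_DMZ_IP, "198.51.100.5", 1720, PUBLIC_DMZ_IP)
    return nat_out.src, peer_can_call_back(nat_out), peer_can_call_back(proxy_out)
```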