At 07:44 PM 7/9/2004 +0000, [EMAIL PROTECTED] wrote:

Ray,
 I did mean 192.168.1.254, oops.

What I thought I would do is this:

Connect cable modem to eth0 of firewall, where all five static IPs run through this line.

This is fine. The docs should explain how to do this with no trouble.

Then from firewall eth1 have wire connected to the uplink port on my Linksys wireless router (with built in 4 port switch). From the Linksys I would set up my home network for file/print/internet sharing where I would connect all my personal computers (LAN). I guess this would run double NAT in this configuration. Should I change the 192.168.1.XXX network addresses on the Linksys router so they are different from the LEAF Firewall? Maybe something like 127.0.0.0?

This would work (except for the 127.0.0.0 part), but it is overkill. Since the LAN is now on a separate interface, it doesn't need the Linksys (unless you need it just as for its switch, and small switches are dirt cheap these days, at least here in the USA).


If you choose the Linksys double-NAT method, you do need the Linksys to have a network different from the LEAF router's (unless the Linksys knows how to proxy arp, which I doubt). The customary change would be in the third byte; that is, use network 192.168.c.0/24, where c !=1.

127.0.0.0/8 is reserved for localhost, so you shouldn't touch it for any other use. The customary ranges for NATing -- the only ones anybody should use, really -- are the non-routable address blocks:

        192.168.0.0/16
        172.16.0.0/20
        10.0.0.0/8

Then on eth2 I would run DMZ via a crossover cable to my Web Server.

Then on eth3 I would run DMZ via a crossover cable to my Media Server.

My two servers are actually one machine (a xeon cpu with 2 onboard nic's)

I'm not sure what you gain by using both eth2 and eth3 here. Since they both go to one host, there is nothing to be gained by protecting the Web Server from the Media Server. You could connect both NICs to the router via a switch.


One thing to watch for in the setup you've described is speed problems. I've run into 10/100 NICs that fail to autodetect 100 Mbps status when connected with a crossover cable, so end up dropping back to 10 Mbps even if both are 100 Mbps capable. Of course, Internet connections are typically slow enough that this would have no practical effect on offsite uses, but it could affect LAN access speeds.

I am running MS Server 2003 Enterprise Edition. I assign one nic for IIS and one for Windows Media Server. I have one public IP for each nic so that they can both have a port 80. I found that a lot of people trying to see my video couldn't, because their firewall rules blocked transmissions that weren't originated on port 80. MS Server 2003 Enterprise Edition has port blocking at the nic level so I have it set to block everything except port 80. Do you think LEAF will add some protection to my setup or not?

I'm not a Windows expert, so any opinions I offer about Windows should be taken with a grain of salt. That said, the frequency with which MS has to issue security patches leaves me skeptical of assurances that any Windows host has been locked down to the point of safety. In other contexts, I've recommended that no Windows-OS PC ever be connected directly to the Internet ... that even home users with a single machine put, at the least, a Linksys/Netgear/D-Link/etc. home router/firewall in between. In that spirit, I would see a LEAF router, with eth2 (and maybe eth3) set up as a DMZ, as a real improvement to your security.
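As an added illustration of the address-plan advice in this exchange (example code, not from either poster or the LEAF project), the check below validates a subnet proposed for the inner Linksys network behind the LEAF router: it rejects loopback space, anything outside the private blocks, and anything overlapping the assumed 192.168.1.0/24 LEAF LAN, and it picks the first 192.168.c.0/24 that passes.

```python
import ipaddress

# The three private address blocks reserved for this kind of use.
# (RFC 1918 defines the middle block as 172.16.0.0/12.)
# Loopback 127.0.0.0/8 is deliberately not in this list.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed address plan from the thread: the LEAF router's LAN side (eth1)
# is 192.168.1.0/24. Change this if your outer LAN differs.
LEAF_LAN = ipaddress.ip_network("192.168.1.0/24")


def check_inner_lan(candidate: str, outer_lan=LEAF_LAN):
    """Validate a subnet for the inner (double-NAT) network behind the Linksys.

    Returns (ok, reason). The inner network must be private address space,
    must not be loopback, and must not overlap the outer LAN: two NAT hops
    cannot route between identical address ranges.
    """
    try:
        net = ipaddress.ip_network(candidate, strict=False)
    except ValueError as e:
        return False, f"not a valid network: {e}"
    if net.version != 4:
        return False, "IPv4 networks only"
    if net.overlaps(ipaddress.ip_network("127.0.0.0/8")):
        return False, "127.0.0.0/8 is reserved for localhost"
    if not any(net.subnet_of(block) for block in RFC1918):
        return False, "not inside a private block; NATing it would shadow real Internet hosts"
    if net.overlaps(outer_lan):
        return False, f"overlaps the LEAF LAN {outer_lan}; double NAT needs distinct networks"
    return True, "ok"


def pick_inner_lan(outer_lan=LEAF_LAN):
    """Apply the 'change the third byte' advice: the first 192.168.c.0/24
    that passes check_inner_lan against the outer LAN, or None."""
    for c in range(256):
        net = f"192.168.{c}.0/24"
        if check_inner_lan(net, outer_lan)[0]:
            return net
    return None


if __name__ == "__main__":
    for cand in ("192.168.1.0/24", "127.0.0.0", "192.168.2.0/24"):
        print(cand, check_inner_lan(cand))
    print("suggested inner LAN:", pick_inner_lan())
```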

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html