On May 20, 2005, at 6:38 PM, Antoine Jacoutot wrote:

Jason Dixon wrote:
What do you mean by "separate"? If you're using a bridge, that suggests you're *bridging* them together. Routing denotes some level of separation. The purpose of a DMZ is to isolate hostile traffic. If you're going to bridge this traffic with your LAN, you don't really have a DMZ.

Alright, I'll try to make myself more clear :)
Let's assume that for now, I only have one LAN NATed behind an OpenBSD firewall. Some servers on the LAN are accessible from the Internet thanks to port forwarding. Now, I would like to put those servers in another network segment so that I could filter what's coming from the Internet (since they will be behind the firewall, just like they are now) and in the meanwhile, I could also filter traffic from/to this new segment (which I incorrectly called DMZ) from/to the LAN, without changing their original private IPs. So, the firewall would have an external IP and 2 internal IP-less NICs. Does this make more sense? I hope so, I'm trying my best English here :)

You make an offline reference to an older post of mine:
http://groups.google.fr/group/bit.listserv.openbsd-pf/browse_thread/thread/7bb34e55a427335f/e19f13527f090b56?q=filtering+bridge+lan+dmz&rnum=44&hl=fr#e19f13527f090b56

Yes, this sounds similar to what you want to do. So basically, you want to bridge $ext_if with $dmz_if, and NAT $lan_if:network to ($ext_if). The NAT will happen first, then the outbound packet should "see" the DMZ server announcing itself via the arp "proxy". It sounds possible, although the filtering is bound to be tricky at best.

Rather, I would suggest adding a 4th interface on the WAN. Assign your NAT external address to the first and use it for NAT traffic with the LAN. The next WAN interface would be brought up without an IP and added to bridge0 with the DMZ interface. This way, you can properly isolate your filtering rules between interfaces without worrying about any sort of overlap. Filtering bridges can be difficult without adding this sort of complexity. If you insist on the 3-leg approach, take it one step at a time and firewalk everything to make sure your rules are behaving appropriately.

HTH.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
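The four-interface layout Jason describes (one addressed WAN leg used only for NAT, a second IP-less WAN leg bridged with the DMZ leg, and the LAN leg), as an added pf.conf example that is not part of the thread or of either poster's configuration. Interface names (wan0, wan1, dmz0, lan0), the LAN range and the DMZ addresses are constructed placeholders; the rules use the pre-4.7 `nat on` syntax that was current when the thread was written (on newer releases the same thing is a `match ... nat-to` rule), and assume bridge0 has been created with wan1 and dmz0 as members.

```pf
# Interfaces (assumed names):
#   wan0 - WAN leg with the public address; only the LAN's NAT traffic uses it
#   wan1 - second WAN leg, no IP, member of bridge0
#   dmz0 - DMZ leg, no IP, member of bridge0
#   lan0 - private LAN
ext_if   = "wan0"
brwan_if = "wan1"
dmz_if   = "dmz0"
lan_if   = "lan0"

lan_net = "192.168.1.0/24"      # constructed private LAN range
dmz_net = "203.0.113.0/28"      # constructed public range used on the bridged DMZ
www_srv = "203.0.113.10"        # constructed DMZ web server address

set skip on lo

# NAT only the LAN, and only on the addressed WAN leg. Nothing on the bridge
# is ever translated, so the DMZ rules below never see NATed addresses.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny on every interface; each leg then gets its own explicit rules,
# which is the "no overlap" property the four-interface layout buys you.
block log all

# --- LAN leg: clients go out through NAT, replies return by state -----------
pass in  on $lan_if  from $lan_net to any flags S/SA keep state
pass out on $ext_if  from ($ext_if) to any flags S/SA keep state

# --- Bridge: filter once, on the DMZ member ---------------------------------
# A bridged packet crosses both members; passing everything on wan1 and doing
# the real filtering on dmz0 keeps each packet subject to one rule set.
pass quick on $brwan_if

# Internet -> DMZ: traffic leaves the firewall on dmz0 toward the server
pass out on $dmz_if proto tcp from any to $www_srv port { 80 443 } flags S/SA keep state

# DMZ -> Internet: only what the servers need to initiate themselves
pass in on $dmz_if proto { tcp udp } from $dmz_net to any port 53  keep state
pass in on $dmz_if proto udp         from $dmz_net to any port 123 keep state

# Anything else the DMZ originates, including anything aimed at the LAN range,
# falls through to the default block and is logged.
```

Because the LAN reaches the DMZ servers only by their public addresses through wan0, there is no path from dmz0 to $lan_net except through these rules, and `pfctl -s states` plus the log interface are enough to confirm that each leg is behaving as intended before adding more rules.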
