On Sat, Dec 09, 2000 at 12:18:51AM -0800, David Ruggiero wrote:
: Here's an ascii-art version:
:
:       /^^\ (xDSL) 123.45.67.89 ------------------
:      /net/<------------------->|eth1            |
:      \__/                      |    firewall    |
:                    192.168.0.1 |eth0        eth2| 192.168.10.1
:                                ------------------
:   ----------------     ___          |           |
:   |  good    eth0| <---|hub|------          \|/
:   | internal net |     ---           ------------------
:   |192.168.0.xxx |      |            |  eth0    DMZ   |
:   ----------------     \|/           | ftp/webserver  |
:                         etc.         |  123.45.67.90  |
:                                      ------------------
:
:
: Assume that my ISP will route all traffic for the two static external IPs
: 123.45.67.89 and 123.45.67.90 to me. Now, the questions:
:
: 1) Am I confused? Do I want eth2 in the firewall to have the external ".90"
: address, and eth0 in the DMZ gets some other address (like what...?) Or is
: this as I've diagramed it (two separate non-routable 192.168.x.y nets, web
: server gets the second external address) the right way?
Ok, your ISP is sending you 123.45.67.90? You'll have to publish an ARP for
that address on the external LAN. That is, suppose the MAC of eth1 is
DE:AD:BE:EF:00:00, you'll need to "arp -s 123.45.67.90 DE:AD:BE:EF:00:00 pub".
That's on your firewall, obviously.
: 2) What are the netmasks for eth0 and eth2 in the firewall...just plain old
: 255.255.255.0? And in the DMZ, what do I specify the gateway address as?
: The address of the firewall's eth0, or eth2? Or both?
Your routing table should look something like:
192.168.0.0/24 -> connected via eth0
192.168.10.0/24 -> connected via eth2
123.45.67.x/Y -> connected via eth1
0.0.0.0/0 -> ip.add.of.router
: 3) What are the MINIMUM routing rules necessary in the firewall to get
: traffic that is sourced from the internal net over to the DMZ box? (Don't
: worry about the reverse, and don't worry about security for the DMZ for
: now...I have to have it working at all before I can worry about protecting
: it.:)
That FTP/Web server MUST be numbered 192.168.10.something. You need
to do what's called "Static NAT" to translate the 123.45.67.90 address
to the 192.168.10.whatever address, and vice-versa.
--
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list