Hi!

On 7/1/2012 6:20 AM, Simon Hobson wrote:
> First off, do you NEED some of your servers on public IPs to be in
> your internal network instead of the DMZ ?

Yes... Not doing it would only be a temporary solution that I would like to replace with what I described as soon as I could... Is the problem the way the subnet traffic is routed to me, or that I want to map those IPs to more than one subnet? I know we had/have servers mapped like that at work, so there must be a way to do it... (OK, the firewalls we had/have at work were/are not Shorewall, but I would be very surprised if it was able to do something Shorewall could not...)

> If you do, can these be dual homed ?

Dual homing them as in putting two NIC cards in them and putting them on both the DMZ and internal network? Doesn't that somehow defeat the purpose of having the two subnets?

> Probably the easiest setup would be to have your DMZ using the public
> subnet, and then route between WAN and DMZ (no NAT involved).
> Obviously your firewall will use up one of your public addresses.

There would be NAT involved for all the PCs on the internal network though, right?

> For any devices you need to have present on the internal network,
> then dual home them - ie add a second NIC and connect that to your
> internal network.

OK, looks like I had correctly understood what you said above...

> When you configure NAT, you can specify which public address is used
> to substitute for your internal IPs. The default (IIRC) would be to
> use the primary IP of the interface specified, but it can (I think)
> be any IP on the machine.

OK...

> I use Debian for most of my machines. It's easy to install a fairly
> bare machine - if you make sure all the common software collections
> are unselected during a basic install, you get very little (even
> leaving out SSH !).

Thank you!

Have a nice day!

Nick
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
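Simon's layout (DMZ on the routed public subnet with no NAT, internal LAN behind SNAT to a chosen public address) expressed as Shorewall 4.x configuration files; this is an added illustration, not anything posted in the thread. It assumes the ISP routes 203.0.113.0/28 to the firewall, that eth0 is the WAN link, eth1 the DMZ, eth2 the internal LAN on 192.168.1.0/24, and that one DMZ host at 203.0.113.10 publishes a web service; all addresses are constructed.

```text
# /etc/shorewall/shorewall.conf (only the setting that matters here)
IP_FORWARDING=On

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# eth0: WAN link from the ISP; eth1: DMZ carrying the routed public
# subnet (firewall holds 203.0.113.1/28 here, the "used up" public
# address); eth2: internal LAN on private addresses.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags,nosmurfs,logmartians
dmz     eth1        detect      tcpflags,nosmurfs
loc     eth2        detect      tcpflags,nosmurfs

# /etc/shorewall/policy
# Internet gets nothing by default; DMZ cannot reach the LAN, so a
# compromised DMZ host does not get a free path inward.
#SOURCE DEST    POLICY  LOG
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Published DMZ services are plain routed traffic: the public /28 is
# routed to us, so these are ACCEPT rules, not DNAT rules.
#ACTION       SOURCE  DEST              PROTO  DEST PORT(S)
Web(ACCEPT)   net     dmz:203.0.113.10
SSH(ACCEPT)   loc     $FW

# /etc/shorewall/masq
# Only the internal LAN is translated. The ADDRESS column picks the
# public source address (here the firewall's own 203.0.113.1) instead
# of defaulting to the primary IP of eth0; the DMZ is left untouched.
#INTERFACE  SOURCE            ADDRESS
eth0        192.168.1.0/24    203.0.113.1
```

A server that must also be on the internal network gets a second NIC on eth2's subnet with no entry in masq; `shorewall check` validates the files before `shorewall restart` applies them.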
