Nicolas Riendeau wrote:

> > First off, do you NEED some of your servers on public IPs to be in
> > your internal network instead of the DMZ ?
>
> Yes... Not doing it would only be a temporary solution that I would like
> to replace with what I described as soon as I could...
>
> Is the problem the way the subnet traffic is routed to me or that I want
> to map those IPs to more than one subnet? I know we had/have servers
> mapped like that at work so there must be a way to do it...
>
> (OK, the firewalls we had/have at work were/are not Shorewall but I would
> be very surprised if they were able to do something Shorewall could not...)

Well, it's possible they used private addressing in the DMZ (it's not an uncommon thing to do) and port-forward traffic as required. That way you can direct any public IP to any host in any subnet - but you still get all the issues relating to using NAT.

Also, at work you may well be using split-horizon DNS, or just using different names from the inside, or have the firewall set up to allow redirection of traffic from internal addresses to the external addresses handled properly (Shorewall can do this, see http://shorewall.net/FAQ.htm#DNS-DNAT).

> > If you do, can these be dual homed ?
>
> Dual homing them as in putting two NIC cards in them and putting them on
> both the DMZ and internal network? Doesn't that somehow defeat the
> purpose of having the two subnets?

In part - yes, it defeats the security issue in that if someone gains access to one of the dual-homed servers then they also get access to your internal network. But that only applies to the dual-homed ones.

But it's a fact of life that security and operational requirements sometimes conflict. In the extreme, you could argue that the only way to be completely secure would be to unplug all the network cables from all the devices - though that would somewhat interfere with operational needs!

With so much that relies on broadcasts to find things, it can sometimes be a pain (though seldom too difficult) to get things working.

> > Probably the easiest setup would be to have your DMZ using the public
> > subnet, and then route between WAN and DMZ (no NAT involved).
> > Obviously your firewall will use up one of your public addresses.
>
> There would be NAT involved for all the PCs on the internal network
> though, right?

Yes, just not for the DMZ.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
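The layout Simon describes above (public subnet on the DMZ, routed between WAN and DMZ with no NAT; masquerading only for the private internal LAN), together with the DNAT alternative for a DMZ host that keeps a private address and the internal-client redirection from the FAQ entry he links, as an added configuration example. This is not from the original thread or the Shorewall project's own documentation. The interface names (eth0 WAN, eth1 DMZ, eth2 internal LAN), the addresses (RFC 5737 203.0.113.0/28 as the public block, 192.168.1.0/24 and 10.0.0.0/24 as private ranges) and the classic Shorewall 4.x column layout (masq file rather than snat) are assumptions.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces   (assumed: eth0 = WAN, eth1 = DMZ, eth2 = internal LAN)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
dmz     eth1        detect      tcpflags,nosmurfs
loc     eth2        detect      tcpflags,nosmurfs,routefilter

# /etc/shorewall/policy   (default deny; only the flows in rules below are opened)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq
# Masquerade ONLY the private internal LAN behind the firewall's WAN address.
# The DMZ (assumed public 203.0.113.0/28 on eth1) is deliberately absent:
# its hosts are routed, not translated, so internal clients and the outside
# world reach them at the same public address and no DNAT or split-horizon
# DNS is needed. One address of the block is used by the firewall's eth1.
#INTERFACE  SOURCE          ADDRESS
eth0        192.168.1.0/24

# /etc/shorewall/rules
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
# Routed public DMZ host (assumed 203.0.113.10): plain ACCEPT from both sides,
# no address rewriting anywhere.
ACCEPT  net     dmz:203.0.113.10    tcp     80,443
ACCEPT  loc     dmz:203.0.113.10    tcp     80,443

# Alternative if the DMZ used private addressing instead (assumed host 10.0.0.10
# on eth1, and a masq entry "eth0  10.0.0.0/24" added above): map a spare public
# address to it with DNAT. The second line is the fix the DNS-DNAT FAQ describes:
# internal clients that connect to the external address are translated too,
# so the same DNS name works from inside and outside. Because client (loc) and
# server (dmz) are in different zones the reply returns via the firewall and
# is un-translated by connection tracking; no extra SNAT is required.
DNAT    net     dmz:10.0.0.10       tcp     80,443         -                203.0.113.11
DNAT    loc     dmz:10.0.0.10       tcp     80,443         -                203.0.113.11
```

Both variants keep net→dmz limited to the listed ports and leave dmz→loc under the REJECT default, so a compromised DMZ host cannot initiate connections into the internal LAN; that is the property the dual-homed servers discussed above would give up. After editing, `shorewall check` validates the files and `shorewall show nat` lets you confirm that only 192.168.1.0/24 (and, in the alternative, 10.0.0.0/24) appears in the POSTROUTING masquerade rules.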
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
