Hi! Sorry for the delayed reply...
Simon Hobson wrote:
> Well it's possible they used private addressing in the DMZ (it's not
> an uncommon thing to do) and port-forward traffic as required. That

Yep, the configuration I am most familiar with (I know it changed somewhat recently and I don't have all the details) used private addressing. (It still does actually, of that I am sure..)

> way you can direct any public IP to any host in any subnet - but you
> still get all the issues relating to using NAT.

Is that doable with Shorewall in my situation (the subnet traffic is sent to an IP which is not in that subnet and I am using PPPoE)?

> Also, at work you may well be using split-horizon DNS, or just using

They were not (and as far as I know still are not) using split-horizon DNS. I was for many years their sole DNS administrator and while I would have loved to set that up they didn't want to get into that at the time...

> different names from the inside, or have the firewall set up to allow
> redirection of traffic from internal addresses to the external
> addresses handled properly (Shorewall can do this, see :
> http://shorewall.net/FAQ.htm#DNS-DNAT

I could live with having different names or setting up a split-horizon DNS...

>> > If you do, can these be dual homed ?
>>
>> Dual homing them as in putting two NIC cards in them and put them on
>> both the DMZ and internal network? Doesn't that somehow defeat the
>> purpose of having the two subnets?
>
> In part - yes it defeats the security issue in that if someone gains
> access to one of the dual homed servers then they also get access to
> your internal network. But that only applies to the dual homed ones.

I'm somewhat careful in what I let access my internal network... Back when my previous Shorewall based firewall was still working I had modified its config to add another interface for wireless and it had no access to my internal network; the only thing you could do was access the Internet (I'm not sure if I had added DMZ access).
> But it's a fact of life that security and operational requirements
> sometimes conflict. In extreme, you could argue that the only way to
> be completely secure would be to unplug all the network cables from
> all the devices - though that would somewhat interfere with
> operational needs !

LOL... Thank you!

Nick

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
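For readers following the port-forwarding question above, here is an added example of what the two Shorewall rules discussed in the thread (public-to-DMZ DNAT, plus the internal-client redirection from the linked FAQ entry) look like in the `rules` file. It is not from the thread or from the Shorewall project; the zone names `net`, `dmz` and `loc`, the DMZ host address `10.1.0.20` and the public address `203.0.113.10` are assumed placeholders, and a PPPoE link with a dynamic address would need the public address handled differently than the fixed value shown here.

```conf
# /etc/shorewall/rules (added example; addresses and zone names are placeholders)
#ACTION   SOURCE   DEST            PROTO   DPORT   SPORT   ORIGDEST
# Internet clients reaching the public address on port 80 are forwarded
# to the privately addressed DMZ web host. The DMZ host only ever sees
# private addressing, so its reply is rewritten on the way back out.
DNAT      net      dmz:10.1.0.20   tcp     80
# Internal clients that resolve the public name (no split-horizon DNS)
# hit the public address; this rule redirects them to the DMZ host too,
# limited to traffic whose original destination was the public address.
DNAT      loc      dmz:10.1.0.20   tcp     80      -       203.0.113.10
```

Because `loc` and `dmz` are separate subnets behind the firewall, the DMZ host's replies to internal clients also traverse the firewall and connection tracking reverses the translation; the loc-to-dmz DNAT does not by itself grant DMZ hosts any access back into the internal network, which is the exposure the dual-homing discussion above is about.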
