[NCLUG] Firewall confusion

listz at hate.cx listz at hate.cx
Thu Mar 13 10:40:02 MST 2003


A DMZ is basically what you want it to be, at least that's what I've gotten from
my current job, heh. If you don't put public IPs on the servers then you'll
have to set up some 1-to-1 NATing, which probably isn't desirable. The way I'd
set it up would be:

------      --------------------------
| FW |------| Public addressable DMZ |
------      --------------------------
  |
  |
  |
--------------------
| NAT internal net |
--------------------

Sorry about the bad ASCII drawing, but assuming you use a fixed-width font you
get the idea ;)

Your webserver is going to need to talk to the internal DB, that's a given
apparently. If you set up a rule to _only_ allow the webserver to communicate
(in an encrypted channel if you have the inclination) to the DB server then it
certainly doesn't defeat the purpose. Can Joe Scriptkiddie connect to your DB
server anymore? No. Of course you need to make sure the windoze webserver is
patched so it can't be used to access your DB in a way you hadn't intended,
which can be a pretty full-time job.

I hope this helps, although I think the scope of the conversation may be a bit
outside a LUG mailing list's interests.

On Thu Mar 13 10:22, Chris Funk disclosed:
> Hi All,
> 
> Couple of questions for you all.  The last couple of days I have been setting
> up a new Linux firewall/router to replace our existing router which only
> does some basic filtering.  The more I read the more I get confused.  My
> confusion is about DMZs.  I have 3 machines currently which have public
> IPs.  One of the machines is an NT 4.0 box which needs to connect to the
> local private net (for the DB server).  Currently I have 2 NICs in it.  One
> with the public IP and the other with a private.
> Do the 3 machines going into the DMZ keep their public IPs or should I
> assign them privates on a different subnet than my local net?  I have read
> not to assign private IPs to DMZ machines and also that it is OK.
> 
> 2nd question.  If I have to set up a rule that allows the DMZ webserver to
> talk to the internal DB server isn't that kinda defeating the purpose?  Like
> I said, I'm confused. :-)
> 
> Thanks
> Chris
> 
> _______________________________________________
> NCLUG mailing list       NCLUG at nclug.org
> 
> To unsubscribe, subscribe, or modify your settings, go to:
> http://www.nclug.org/mailman/listinfo/nclug

<EOF>
::[ RFC 2795 ]::
 "Democracy means simply the bludgeoning of the
 people by the people for the people."
 -Oscar Wilde
statik at hate.cx / security engineer \ "My God, it's full of stars..."
PGP fingerprint: D656 01EB 79FC 9285 F110  2AB1 D8BC B3BA BEA2 E0C5
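The ruleset the reply describes (a public-addressable DMZ, a NATed internal net, and exactly one hole from the webserver to the DB server) as an added example; this is not from the original post or from either poster. The addresses (192.0.2.0/24 for the DMZ, 10.0.0.0/24 internally), the DB port (1433), the rule order and the iptables rendering are assumptions for illustration; the thread never states the DB type or the real address blocks. The model evaluates a new connection the way the FORWARD chain would (first match wins, unmatched traffic hits the DROP policy) and emits the equivalent iptables lines from the same rule table, so the two cannot drift apart.

```python
"""Model of the three-zone firewall described in the thread.

Constructed example, not from the original post.  Addresses, the DB port
and the rule order are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addressing: a public-addressable DMZ and a NATed internal net.
ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")          # stand-in for the public DMZ block
INTERNAL = ip_network("10.0.0.0/24")      # RFC 1918 internal net behind NAT
WEBSERVER = ip_network("192.0.2.10/32")   # the (NT 4.0) webserver in the DMZ
DBSERVER = ip_network("10.0.0.5/32")      # the internal DB server
DB_PORT = 1433                            # assumed MS SQL port; use the real DB's port


@dataclass(frozen=True)
class Rule:
    """One FORWARD-chain rule.  dport=None means any port."""
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]
    action: str           # "ACCEPT" or "DROP"
    comment: str

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))

    def to_iptables(self) -> str:
        parts = ["iptables -A FORWARD", f"-s {self.src}", f"-d {self.dst}"]
        if self.proto != "any":
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        parts.append(f"-j {self.action}")
        return " ".join(parts) + f"   # {self.comment}"


# First match wins; anything unmatched falls through to the chain's DROP policy.
RULES: List[Rule] = [
    Rule(ANY, WEBSERVER, "tcp", 80, "ACCEPT", "public web service"),
    Rule(ANY, WEBSERVER, "tcp", 443, "ACCEPT", "public web service (TLS)"),
    Rule(WEBSERVER, DBSERVER, "tcp", DB_PORT, "ACCEPT", "the one DMZ->internal hole"),
    Rule(DMZ, INTERNAL, "any", None, "DROP", "nothing else crosses DMZ->internal"),
    Rule(INTERNAL, ANY, "any", None, "ACCEPT", "internal hosts may initiate outbound"),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide the fate of a new connection, iptables-style (first match wins)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "DROP"   # chain policy


def render_iptables() -> List[str]:
    """Emit the equivalent FORWARD chain, including the stateful return-traffic rule."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    lines.extend(r.to_iptables() for r in RULES)
    return lines


if __name__ == "__main__":
    for line in render_iptables():
        print(line)
    print(evaluate("203.0.113.7", "192.0.2.10", "tcp", 80))    # internet -> web: ACCEPT
    print(evaluate("192.0.2.10", "10.0.0.5", "tcp", DB_PORT))   # web -> DB: ACCEPT
    print(evaluate("192.0.2.11", "10.0.0.5", "tcp", DB_PORT))   # other DMZ host -> DB: DROP
    print(evaluate("192.0.2.10", "10.0.0.20", "tcp", 445))      # web -> other internal host: DROP
```

Two things the model makes visible that the prose only implies. The DB hole is a /32 to a /32 on one port, so a second DMZ host, or the webserver itself on any other port, still cannot reach the internal net; the explicit DMZ->INTERNAL DROP above the internal-outbound ACCEPT is what stops a DMZ box from riding that broader rule. And the ESTABLISHED,RELATED line is what lets replies flow back without opening the reverse direction; a real box also needs INPUT/OUTPUT rules for the firewall itself and a MASQUERADE rule for the internal net. As the reply says, the permitted port is only as safe as the webserver behind it: a compromised webserver can still use it.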