On Mon, 30 Apr 2001, John Wilson wrote:
>
> > > fxp1 is bound to several IPs, 192.168.1.254 and 192.168.2.254 for
> > > two different types of NAT clients, and 90.91.92.4 for the DMZ.
> >
> > Define "2 different types of NAT clients". Your DMZ is not on a
> > separate network from your private network? By doing that you are
> > getting rid of the whole concept of having a DMZ.
>
> Two different companies sharing the line. It's easier to use two
> different unregistered subnets for NAT clients (bandwidth accounting,
> etc.), although both are aliased to appear from the exposed interface
> (90.91.92.2)
>
> I don't see a problem with DMZ being on the same network with everyone
> else, other than that people can steal routable IPs, but then the
> firewall is configured to block all incoming traffic to 62.90.91.2
> (except for established connections), and has specific rules for each
> allowed DMZ server (allow incoming 25 for mail, 80 for http, etc.), so
> even if someone steals an extra IP, the firewall will reject them.
If someone compromises a machine on the DMZ, they have access to
your private network... sniffing, etc.
> >
> >
> > You have 2 options here.
> >
> > 1) Set up proxy arp on your outside interface. Bind the whole
> > /27 address range (with exception of the router's IP) to your BSD
> > machine. Make natd translations accordingly.
> >
> > 2) Set up your DMZ using the 90.91.92.16/28 IP range, which gives you
> > enough IPs to play with, and leaves the 90.91.92.4/30 and
> > 90.91.92.8/29 subnets to play with. Add the routes in the router to
> > route the subnets to your BSD machine's IP. Make natd translations
> > accordingly if you decide to run private address space for your DMZ;
> > if not, no additional work needs to be done.
>
> Which option is better? How do I set up proxy arp?
I would probably run with Option 2 first. But keep in mind that
there are other options.
>
> This seems like a good solution. Please help me figure out the
> subnets/routes I need to use. So far, I have this:
>
>        /---------------------\
>        | router 90.91.92.1   |
>        \---------------------/
>                  |
>                  |
>        /---------------------\     /---------------------\
>        | fxp0 90.91.92.2/30  |-----| fxp1 90.91.92.?/?   |
>        \---------------------/     \---------------------/
>                                       |      |      |
>                                 ------+      |      +-----------
>                                 |            |                 |
>                             /-------\    /-------\         /-------\
>                             | NAT 1 |    | NAT 2 |         |  DMZ  |
>                             \-------/    \-------/         \-------/
>
> All I gotta do is fill in the missing blanks :)
fxp1= 90.91.92.17 netmask 255.255.255.240
All DMZ machines (90.91.92.18 -> 90.91.92.30) are set up with the
same netmask (255.255.255.240) and point to .17 as their gateway.
I would, however, change your physical setup by splitting off your
DMZ onto its own ethernet card and switch, like so:
          Public (Router)
                |
              fxp0
                |
              BSD --fxp2--- DMZ
                |
              fxp1
                |
          Private Net
             /     \
          nat1     nat2
It just makes more sense security wise and makes administration a
little less difficult. It also gives you more options with
firewalling and such.
Nick Rogness <[EMAIL PROTECTED]>
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
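As an added worked example (not part of the thread, and not code from either poster), the option-2 address plan above can be checked with Python's ipaddress module before anything is typed into the router or the BSD box. The addresses are the ones used in the thread; the function names, the SPARE list and PUBLIC_BLOCK constant are my own assumptions about how the plan fits together.

```python
import ipaddress

# Addressing taken from the thread's option 2 (example addresses, not a live network):
# fxp0 faces the router on a /30, fxp1 faces the DMZ on the .16/28 block.
ROUTER = ipaddress.ip_address("90.91.92.1")
FXP0 = ipaddress.ip_interface("90.91.92.2/30")        # BSD box, uplink side
FXP1 = ipaddress.ip_interface("90.91.92.17/28")       # BSD box, DMZ gateway
SPARE = [ipaddress.ip_network("90.91.92.4/30"),
         ipaddress.ip_network("90.91.92.8/29")]       # left over "to play with"
PUBLIC_BLOCK = ipaddress.ip_network("90.91.92.0/27")  # the /27 option 1 refers to (assumed)


def dmz_plan(gateway_iface: ipaddress.IPv4Interface) -> dict:
    """Derive netmask, gateway, usable DMZ host range and broadcast from fxp1's address."""
    net = gateway_iface.network
    usable = [h for h in net.hosts() if h != gateway_iface.ip]
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "gateway": str(gateway_iface.ip),
        "first_dmz_host": str(usable[0]),
        "last_dmz_host": str(usable[-1]),
        "dmz_host_count": len(usable),
        "broadcast": str(net.broadcast_address),
    }


def exact_partition(pieces, parent: ipaddress.IPv4Network) -> bool:
    """True when the pieces are pairwise disjoint and together cover exactly parent.

    Overlapping pieces would mean two segments claim the same addresses; a gap
    would mean addresses the router forwards that nothing answers for.
    """
    for i, a in enumerate(pieces):
        for b in pieces[i + 1:]:
            if a.overlaps(b):
                return False
    return list(ipaddress.collapse_addresses(pieces)) == [parent]


def router_static_route(dmz_iface, uplink_iface) -> tuple:
    """The static route the upstream router needs: DMZ prefix via the BSD box's fxp0 address."""
    return (str(dmz_iface.network), str(uplink_iface.ip))


def segment_of(addr_str: str) -> str:
    """Name the segment a public address lands on, so a firewall rule can be sanity-checked."""
    addr = ipaddress.ip_address(addr_str)
    if addr in FXP0.network:
        return "uplink"
    if addr in FXP1.network:
        return "dmz"
    if any(addr in n for n in SPARE):
        return "spare"
    return "outside"


def valid_dmz_host(addr_str: str) -> bool:
    """Reject the network, broadcast and gateway addresses when assigning a DMZ server."""
    addr = ipaddress.ip_address(addr_str)
    net = FXP1.network
    reserved = (net.network_address, net.broadcast_address, FXP1.ip)
    return addr in net and addr not in reserved


if __name__ == "__main__":
    for key, value in dmz_plan(FXP1).items():
        print(f"{key:15} {value}")
    pieces = [FXP0.network] + SPARE + [FXP1.network]
    print("partition of", PUBLIC_BLOCK, "is exact:", exact_partition(pieces, PUBLIC_BLOCK))
    print("router route:", router_static_route(FXP1, FXP0))
    for a in ("90.91.92.1", "90.91.92.9", "90.91.92.25", "90.91.92.40"):
        print(a, "->", segment_of(a))
```

Running it shows the /28 yields thirteen DMZ hosts (.18 through .30) behind the .17 gateway, that the uplink /30, the two spare blocks and the DMZ /28 tile the /27 with no overlap, and that the only route the router needs is 90.91.92.16/28 via 90.91.92.2.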