This is probably over my head.

From my reading about a "DMZ", that would require using a 3rd NIC on 
the host machine, right?  I have a mobo NIC that I'm not using 
presently and could assign it an address of say, 10.10.0.1 (the LAN 
is 10.0.0.1).

Presently, everything that is running on the host machine is basically 
attached to the 10.0.0.1 IP address in some way or another.  For a 
short time I experimented with tinydns and ran it on the 127.0.0.1 IP 
on the host, but I don't use local dns hosting.


So, if I'm understanding you, the proper way to do this would be like so:


                       _________ LAN (10.0.0.1) - all the processes needed
                      /          (dhcp, resolver), various Windows machines...
WAN (internet) ------<
                      \
                       \________ DMZ (10.10.0.1) - email server, spamdyke,
                                 separate resolving cache



Do I have this right?  Then I'd punch a hole through the firewall 
between 10.0.0.1 and 10.10.0.1 so I could do my email via the LAN?





On 9/3/2012 11:00 AM, [email protected] wrote:
> Here's the thing. Your mail server should be on the DMZ subnet (I'm not
> sure of PF's terminology). That subnet has no access to dhcp or
> resolvers, for security reasons. I suppose you could punch a pinhole for
> DNS requests, but that sort of defeats the purpose. Since all hosts in
> the DMZ should use a resolver/recursor which is not on the (trusted)
> LAN, they can a) use their own, b) use a common one on the DMZ subnet
> (but preferably *not* an authoritative DNS host), or c) use one provided
> by an ISP or other service (OpenDNS and Google provide several free
> ones). The options are in order of efficiency, and probably preference
> as well for most cases.

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
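An added example, not from either poster: one way to write the three-interface layout sketched above as an OpenBSD pf.conf. The interface names em0/em1/em2 (WAN/LAN/DMZ), the DMZ mail host 10.10.0.10 (running the mail server, spamdyke and the resolving cache) and the upstream resolver address are assumptions; the LAN keeps its own dhcp/resolver, the DMZ never reaches into the LAN, and the only "hole" is LAN -> DMZ on the mail ports.

```pf
# Assumed interface names and addresses (not from the thread)
ext_if = "em0"                      # WAN
lan_if = "em1"                      # LAN 10.0.0.0/24, gateway 10.0.0.1
dmz_if = "em2"                      # DMZ 10.10.0.0/24, gateway 10.10.0.1

lan_net = $lan_if:network
dmz_net = $dmz_if:network
mail_host = "10.10.0.10"            # assumed: mail server + spamdyke + resolving cache
upstream_dns = "{ 208.67.222.222 }" # assumed public resolver; an ISP resolver works too

mail_ports = "{ smtp, submission, imaps }"

set skip on lo
set block-policy drop

# Both internal nets leave through the WAN address
match out on $ext_if from { $lan_net, $dmz_net } to any nat-to ($ext_if)

# Default deny, logged so any missing pinhole shows up in pflog
block log all
antispoof quick for { $ext_if, $lan_if, $dmz_if }

# The DMZ is never allowed to initiate anything into the trusted LAN
block in quick on $dmz_if from $dmz_net to $lan_net

# Firewall-originated traffic (updates, its own DNS) may go out the WAN
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any

# LAN: anything except the DMZ, plus the single pinhole to the mail host.
# Forwarded flows are carried by the state created here (pf states float
# by default), so no matching "pass out" on the other interface is needed.
pass in on $lan_if from $lan_net to ! $dmz_net
pass in on $lan_if proto tcp from $lan_net to $mail_host port $mail_ports

# Internet -> DMZ mail host only, on the mail ports
pass in on $ext_if proto tcp from any to ($ext_if) port $mail_ports rdr-to $mail_host

# DMZ host resolves via its own cache talking upstream, and delivers outbound
# mail; it gets no DHCP and no access to the LAN resolver
pass in on $dmz_if proto { tcp, udp } from $mail_host to $upstream_dns port domain
pass in on $dmz_if proto tcp from $mail_host to ! $lan_net port smtp
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` for blocked LAN -> DMZ traffic to confirm only the mail ports are passing.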
