Forward to DMZ addresses

Grant Taylor gtaylor at
Sun Aug 21 00:19:38 CEST 2005

> I guess "exactly" = a setup similar to what I've seen commercial firewall
> products do, e.g. Sonicwall or Watchguard Firefox.  They have 3 NICS on
> the back, 1. connected to the T1 router, 2. connected to the LAN switch,
> 3. connected to the DMZ switch.  and rules are managed from the Sonicwall
> box itself... who knows what they're doing in the background... when we
> setup DMZ boxen, we connect them to the DMZ switch, assign them static
> addresses from our IP pool, create a rule allowing access, and off we go. 
> When shopping around for firewall products, I've also noticed that some
> specs say 3 NICS for DMZ/WAN/LAN connections sometimes more NICS (don't
> know why).  I'm trying to mimic this...  perhaps they have some heavy
> routing rules in the back, something that would I need to learn...

I have never used any of these ""commercial products as I have always been able to get Linux to do what I wanted it to do.  That or I have changed what I want to so that it fits with in what Linux can do, though I don't think this is very likely.

> It's funny that you've just described exactly what I want to do...

Hmm, maybe bridging is exactly what you want to do then and you just are not aware of it.

> I currently have 3 nics, one connected to the DMZ switch, one connected to
> the LAN switch, and the third to the T1 router (via the VLAN switch which
> I plan to remove in September)

If you want these three physical networks to have the same (logical) subnet then you will not be able to connect them via routing with out doing some much more complex routing via DNAT/SNATing on a couple of different routers connected to them.  Sure you could use UML routers and do all of this with one box the this gets EXTREMELY complex for little gain.

>>act like two completely independent routers that
>>know nothing about the other unless your traffic comes in or goes a
>>specific pair of interfaces.
> Yes!

Ok, this seems a bit silly to me but if this is the way that you want to go I'll be glad to help you.  The question that I do ask you is do you want a fourth physical interface or could it be a logical interface on the network?  If it could be a logical interface that is connected to the other interfaces via a bridge then that may be a bit better.  But this is up for discussion.

> all in all, all the information you've provided to me now makes sense...
> and it gives me a very good starting point for more Googling...

*nod*  Information is a good thing.

Grant. . . .

More information about the netfilter mailing list