Forward to DMZ addresses

Jonathan Villa jonathan at
Mon Aug 22 16:25:47 CEST 2005

>> I guess "exactly" = a setup similar to what I've seen commercial
>> firewall
>> products do, e.g. Sonicwall or Watchguard Firefox.  They have 3 NICS on
>> the back, 1. connected to the T1 router, 2. connected to the LAN switch,
>> 3. connected to the DMZ switch.  and rules are managed from the
>> Sonicwall
>> box itself... who knows what they're doing in the background... when we
>> setup DMZ boxen, we connect them to the DMZ switch, assign them static
>> addresses from our IP pool, create a rule allowing access, and off we
>> go.
>> When shopping around for firewall products, I've also noticed that some
>> specs say 3 NICS for DMZ/WAN/LAN connections sometimes more NICS (don't
>> know why).  I'm trying to mimic this...  perhaps they have some heavy
>> routing rules in the back, something that would I need to learn...
> I have never used any of these ""commercial products as I have always been
> able to get Linux to do what I wanted it to do.  That or I have changed
> what I want to so that it fits with in what Linux can do, though I don't
> think this is very likely.
>> It's funny that you've just described exactly what I want to do...
> Hmm, maybe bridging is exactly what you want to do then and you just are
> not aware of it.

Perhaps. I'm going to start looking into this.

>> I currently have 3 nics, one connected to the DMZ switch, one connected
>> to
>> the LAN switch, and the third to the T1 router (via the VLAN switch
>> which
>> I plan to remove in September)
> If you want these three physical networks to have the same (logical)
> subnet then you will not be able to connect them via routing with out
> doing some much more complex routing via DNAT/SNATing on a couple of
> different routers connected to them.  Sure you could use UML routers and
> do all of this with one box the this gets EXTREMELY complex for little
> gain.
>>>act like two completely independent routers that
>>>know nothing about the other unless your traffic comes in or goes a
>>>specific pair of interfaces.
>> Yes!
> Ok, this seems a bit silly to me but if this is the way that you want to
> go I'll be glad to help you.

That would be great!

>The question that I do ask you is do you
> want a fourth physical interface or could it be a logical interface on the
> network?  If it could be a logical interface that is connected to the
> other interfaces via a bridge then that may be a bit better.  But this is
> up for discussion.

I have one PCI slot left, it's currently being used by a SCSI card which
I'm not using.  I can replace it with a NIC.  I currently have 2 built-in
NICS plus one in the first PCI slot.  I logical interface is fine also. 
It saves me from having to take the machine off of the rack.

>> all in all, all the information you've provided to me now makes sense...
>> and it gives me a very good starting point for more Googling...
> *nod*  Information is a good thing.
 I know I will definitely need some help, but before I ask for, I'll need
to do some reading up on bridging so at least I understand any examples
given to me (starting with the previous one you gave).

More information about the netfilter mailing list