Forward to DMZ addresses
Jonathan Villa
jonathan at innovativesource.net
Mon Aug 22 16:25:47 CEST 2005
>> I guess "exactly" = a setup similar to what I've seen commercial firewall
>> products do, e.g. Sonicwall or Watchguard Firebox. They have 3 NICs on
>> the back: 1. connected to the T1 router, 2. connected to the LAN switch,
>> 3. connected to the DMZ switch, and rules are managed from the Sonicwall
>> box itself... who knows what they're doing in the background... when we
>> set up DMZ boxen, we connect them to the DMZ switch, assign them static
>> addresses from our IP pool, create a rule allowing access, and off we go.
>> When shopping around for firewall products, I've also noticed that some
>> specs say 3 NICs for DMZ/WAN/LAN connections, sometimes more NICs (don't
>> know why). I'm trying to mimic this... perhaps they have some heavy
>> routing rules in the back, something that I would need to learn...
>
> I have never used any of these "commercial" products as I have always been
> able to get Linux to do what I wanted it to do. That or I have changed
> what I want to so that it fits within what Linux can do, though I don't
> think this is very likely.
>
>> It's funny that you've just described exactly what I want to do...
>
> Hmm, maybe bridging is exactly what you want to do then and you just are
> not aware of it.
Perhaps. I'm going to start looking into this.
>> I currently have 3 NICs, one connected to the DMZ switch, one connected to
>> the LAN switch, and the third to the T1 router (via the VLAN switch which
>> I plan to remove in September)
>
> If you want these three physical networks to have the same (logical)
> subnet then you will not be able to connect them via routing without
> doing some much more complex routing via DNAT/SNATing on a couple of
> different routers connected to them. Sure you could use UML routers and
> do all of this with one box but this gets EXTREMELY complex for little
> gain.
>
>>> act like two completely independent routers that
>>> know nothing about the other unless your traffic comes in or goes a
>>> specific pair of interfaces.
>>
>> Yes!
>
> Ok, this seems a bit silly to me but if this is the way that you want to
> go I'll be glad to help you.
That would be great!
> The question that I do ask you is do you
> want a fourth physical interface or could it be a logical interface on the
> network? If it could be a logical interface that is connected to the
> other interfaces via a bridge then that may be a bit better. But this is
> up for discussion.
I have one PCI slot left; it's currently being used by a SCSI card which
I'm not using. I can replace it with a NIC. I currently have 2 built-in
NICs plus one in the first PCI slot. A logical interface is fine also.
It saves me from having to take the machine off of the rack.
>> all in all, all the information you've provided to me now makes sense...
>> and it gives me a very good starting point for more Googling...
>
> *nod* Information is a good thing.
>
I know I will definitely need some help, but before I ask for it, I'll need
to do some reading up on bridging so at least I understand any examples
given to me (starting with the previous one you gave).
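Added example, not from either poster: one way to build the bridged setup the reply suggests, with the WAN and DMZ NICs joined in a Linux bridge so DMZ hosts keep addresses from the upstream pool while iptables still filters the bridged traffic per physical port. Interface names, the bridge name and the allowed ports are assumptions, and the LAN NIC is assumed to stay off the bridge and routed as before.

```shell
#!/bin/sh
# Added example (not from the thread): bridge the WAN and DMZ NICs so
# DMZ hosts keep public addresses from the upstream pool, while iptables
# still filters the bridged traffic by physical port (physdev match).
# Interface names, the bridge name and the allowed ports are assumptions.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them
# (needs root, bridge-utils, and iptables with bridge-nf/br_netfilter).
set -e
: "${DRY_RUN:=1}"
WAN_IF=eth0     # cable to the T1 router (assumed name)
DMZ_IF=eth1     # cable to the DMZ switch (assumed name)
BRIDGE=br0

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Build the bridge. The ports carry no IP address; a transparent filter
# does not need one on the bridge either.
build_bridge() {
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$WAN_IF"
    run brctl addif "$BRIDGE" "$DMZ_IF"
    run ip link set "$WAN_IF" up
    run ip link set "$DMZ_IF" up
    run ip link set "$BRIDGE" up
    # Hand bridged frames to the iptables FORWARD chain.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# One ACCEPT rule for a TCP service that WAN clients may open to the DMZ.
allow_from_wan() {
    run iptables -A FORWARD -m physdev --physdev-in "$WAN_IF" --physdev-out "$DMZ_IF" \
        -p tcp --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
}

dmz_rules() {
    run iptables -P FORWARD DROP
    # Replies to accepted connections flow in both directions.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    allow_from_wan 80      # constructed list of published services
    allow_from_wan 443
    # DMZ hosts may open outbound connections towards the WAN. The LAN NIC
    # is not a bridge port, so nothing here lets the DMZ reach the LAN.
    run iptables -A FORWARD -m physdev --physdev-in "$DMZ_IF" --physdev-out "$WAN_IF" -j ACCEPT
}

build_bridge
dmz_rules
```

The DROP policy on FORWARD also applies to routed LAN-to-WAN traffic, so the existing LAN rules need their own ACCEPT entries alongside these.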