From: Gordon R. <ru...@cl...> - 2005-07-11 18:11:40
I have always created a DMZ by patching in a simple unmanaged switch between the router and the firewall. Otherwise, the router will have to know that your firewall is the gateway to your DMZ somehow, either with a routing rule added to the ISP's router or getting the DL firewall's eth0 to grab everything that the router sends to your 85.133.20.0/25 subnet. I'm not sure of the easiest way to do the latter.

gordon

Russell Packer wrote:
> Hm. I figured I may have to do something like that - but I've never used that sort of configuration before. I guess I'll have to have a try again at the subnetting.
>
> I do seem to remember a long time ago using static routes and modifying the arp tables (back on ipso/Firewall-1)...
>
> The router here is one of the ISP(BT) managed things, so slightly reluctant to have to have any configuration changes made to that.
>
>
> -----Original Message-----
> From: dev...@li... on behalf of Moray McConnachie
> Sent: Mon 7/11/2005 5:36 PM
> To: dev...@li...
> Cc:
> Subject: RE: [Devil-Linux-discuss] Routing
>
> We deal with this (tho glad to hear of a better way, because I thought it very odd when setting it up!) by subnetting like this for eth0:
>
> 85.133.20.0/30
>
> and then running virtual interfaces on eth1 (assuming class C for a minute) as
>
> 85.133.20.4/30
> 85.133.20.8/29
> 85.133.20.16/28
> 85.133.20.32/27
> 85.133.20.64/26
> 85.133.20.128/25
>
> Your DMZ address space is then 85.133.20.5-85.133.20.254, excepting 85.133.20.7, 85.133.20.8, 85.133.20.15, 85.133.20.31, 85.133.20.32, 85.133.20.63, 85.133.20.64, 85.133.20.127.
>
> IPtables interface specifier is not sensitive to the virtual interfaces, which means $IPTABLES -i eth0 -o eth1 still gets everything coming from outside destined to the DMZ. If you don't care about using all the address space, just using the last line would be easier.
>
> Then you tell the router to use static routing for each DMZ group you set up, routing each through your eth0 IP address.
>
> Yours,
> Moray
>
>
> -------------------------------------------
> Moray McConnachie
> IT Manager - mmc...@ox...
> Oxford Analytica - http://www.oxan.com
>
> -----Original Message-----
> From: dev...@li...
> [mailto:dev...@li...]On Behalf Of
> Russell Packer
> Sent: 11 July 2005 17:02
> To: dev...@li...
> Subject: RE: [Devil-Linux-discuss] Routing
>
>
> netstat -rn shows me:
>
> 85.133.20.0 0.0.0 255.255.255.128 eth0
> 85.133.20.0 0.0.0 255.255.255.128 eth1
> 10.0.0.1 0.0.0.0 255.255.255.0 eth2
> 0.0.0.0 85.133.20.1 0.0.0.0 eth0
>
> Which is pretty wrong, as indeed - how does anything know to come back through eth1?
>
> I tried subnetting it out (255.255.255.192) but couldn't make that happy either.
>
> I also tried some static routes (in case the router wasn't happy with me subnetting), but again no joy...
>
>
> -----Original Message-----
> From: dev...@li... on behalf of Gordon Russell
> Sent: Mon 7/11/2005 4:36 PM
> To: dev...@li...
> Cc:
> Subject: Re: [Devil-Linux-discuss] Routing
>
> what does netstat -rn tell you?
>
> you will have the same network on two interfaces (eth0, facing the
> router, and eth1, facing the dmz). To which is the assigned network
> (85.133.20.0) attached in the routing tables on the DL box? do you need
> to further netmask it to split it between the two interfaces?
>
> gordon
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening
> July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual
> core and dual graphics technology at this free one hour event hosted by HP,
> AMD, and NVIDIA. To register visit http://www.hp.com/go/dualwebinar
> _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
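As an added example (not code from anyone in this thread), the following Python checks the subnetting plan quoted above with the standard ipaddress module: that the outside /30 and the six eth1 blocks tile the class C without overlapping, which addresses in each block a DMZ host must not be given (network, broadcast, and the firewall's own alias, assumed here to be the first host of each block), and the iproute2 alias lines and router static routes the plan implies. The firewall's eth0 address of 85.133.20.2 is an assumption; the netstat output only shows the router at .1.

```python
from ipaddress import ip_network

# Constructed from the plan quoted in the thread: a class C (Moray's assumption),
# the /30 on the outside interface and the six blocks aliased onto eth1.
CLASS_C = ip_network("85.133.20.0/24")
OUTSIDE = ip_network("85.133.20.0/30")
DMZ_BLOCKS = [ip_network(s) for s in (
    "85.133.20.4/30", "85.133.20.8/29", "85.133.20.16/28",
    "85.133.20.32/27", "85.133.20.64/26", "85.133.20.128/25")]
FW_OUTSIDE_IP = "85.133.20.2"  # assumed firewall eth0 address; router is .1


def check_tiling(blocks, outside=OUTSIDE, whole=CLASS_C):
    """True if the outside /30 plus the DMZ blocks cover the class C exactly once."""
    pieces = sorted([outside, *blocks], key=lambda n: int(n.network_address))
    if any(a.overlaps(b) for i, a in enumerate(pieces) for b in pieces[i + 1:]):
        return False
    return (all(p.subnet_of(whole) for p in pieces)
            and sum(p.num_addresses for p in pieces) == whole.num_addresses)


def dmz_plan(blocks=DMZ_BLOCKS):
    """Per block: the firewall's eth1 alias, hosts usable by DMZ machines, reserved addresses."""
    plan = []
    for net in blocks:
        hosts = list(net.hosts())  # hosts() already excludes network and broadcast
        alias, usable = hosts[0], hosts[1:]
        plan.append({"block": net, "fw_alias": alias, "usable": usable,
                     "reserved": [net.network_address, alias, net.broadcast_address]})
    return plan


def reserved_addresses(blocks=DMZ_BLOCKS):
    """Every address inside the DMZ blocks that must not be handed to a DMZ host."""
    return [str(a) for e in dmz_plan(blocks) for a in e["reserved"]]


def firewall_eth1_commands(blocks=DMZ_BLOCKS):
    """iproute2 lines that put one alias per block on eth1."""
    return [f"ip addr add {e['fw_alias']}/{e['block'].prefixlen} dev eth1"
            for e in dmz_plan(blocks)]


def router_static_routes(blocks=DMZ_BLOCKS, via=FW_OUTSIDE_IP):
    """Static routes the ISP router needs so each block is reached via the firewall."""
    return [f"{net.with_prefixlen} via {via}" for net in blocks]


if __name__ == "__main__":
    print("tiles the class C:", check_tiling(DMZ_BLOCKS))
    print("\n".join(firewall_eth1_commands()))
    print("\n".join(router_static_routes()))
    print("unusable by DMZ hosts:", ", ".join(reserved_addresses()))
```

Running it shows that the hand-written exception list in the thread is short by the remaining network addresses (.16, .128), the broadcast .255 and the firewall's own alias in each block, which is the check worth doing before handing out DMZ addresses.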