From: Serge L. <fi...@in...> - 2008-04-02 19:20:09
pes coe wrote:
> let me explain the situation to you first
> we have a static IP from our internet service provider ok
> our router is an ADSL router with wifi and dmz capabilities
> it has 4 ethernet ports and wifi access
> i have successfully installed devil linux (Firewall) after the router
> with two NIC
> first NIC same subnet as that of LAN (ethernet) of ADSL router. it is
> DHCP client of ADSL router.

Not a good idea. It is much easier to configure your network if DL has a
public IP, so reconfigure the ADSL router to bridge mode.

> Second subnet is a class B network for local LAN
> i have considered 172.0.0.10/255.255.0.0 as gateway address ie., for
> second NIC and also it provides DHCP server for all the clients on the
> LAN from the same

You have LAN 172.0/16; probably it's a typo, because that is a public
network. Let it be 172.16/16 (is your LAN really so big?)

> NOW we have a dedicated DMZ server which was earlier connected directly to
> ADSL router
> BUT now we want it to be in LAN as well
> please let me know how to configure third NIC, which subnet it should have

The DMZ has to be a separate network, so it may be (RFC 1918) from the
following ranges:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Since you have chosen 172.16/16 for the LAN the choice is a bit narrower:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.17.0.0 - 172.31.255.255 (15 networks with /16 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

I guess something like 172.17.0.0/29 (6 addresses) will be more than
enough even if the DMZ grows. It may also be 192.168.0.0/29,
192.168.0.8/29, 192.168.0.16/29 etc. etc.

> 1) WHAT SUBNET should i have for 3rd NIC on DL firewall? 172 network or
> 192 one (i assume as class b or class c)

Class B? Class C? Either your network is huge, or try to use a classless
address scheme. Please see above.

> 2) can we have a virtual ip for DMZ server that is having both the
> networks (suppose 172.0.0.254/255.255.0.0 and like
> 192.168.2.254/255.255.255.0) on the onboard ethernet card

Theoretically you can (I will not describe how), but you should not. From
my viewpoint it's better to have 2 separated network segments (2 broadcast
domains), because the sense of the DMZ will be lost if DMZ and LAN are one
broadcast domain.

> let this be aside, please tell me how to route a DMZ request that comes
> from outside (INTERNET) to ADSL router and NAT to this dmz server

It's easy.

- If ADSL is in bridge mode: you only have to configure DNAT for the DMZ
  (see /etc/init.d/firewall.rules.* examples).
- If ADSL is in router mode: first you have to configure DNAT for the DMZ;
  second you have to add static routes for DMZ and LAN to the ADSL routing
  table. I assume you realize that in this case there will be 3 networks -
  LAN, DMZ and a transport network between ADSL and DL (/30 is ok, and DHCP
  for such a network is overkill).

> PLEASE HELP ME its not working for me as of now
> waiting for ur reply
> pescoe

-- 
Serge Leschinsky
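An added example, not from the list or from Devil Linux: a small Python check of the addressing plan discussed in the thread, using only the standard `ipaddress` module. It flags the public 172.0/16 typo, any non-RFC 1918 segment, and overlapping segments (LAN and DMZ sharing one broadcast domain), and counts usable hosts in the proposed /29 DMZ and /30 transport networks. The segment names and the function names are my own.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the reply above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole network lies inside one RFC 1918 range."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_plan(plan):
    """plan maps a segment name (e.g. "LAN", "DMZ", "transport") to an address
    with a prefix or a dotted mask, as written in the thread
    ("172.0.0.10/255.255.0.0"). Returns a list of problems; empty means OK."""
    problems, nets = [], {}
    for name, cidr in plan.items():
        try:
            # strict=False accepts a gateway/host address and normalises it
            # to its network, e.g. 172.0.0.10/16 -> 172.0.0.0/16.
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError as exc:
            problems.append(f"{name}: {cidr!r} is not a valid address ({exc})")
            continue
        nets[name] = net
        if not is_rfc1918(net):
            problems.append(f"{name}: {net} is a public range, not RFC 1918")
    # Every segment must be its own broadcast domain: no overlapping networks.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) and {b} ({nets[b]}) overlap: "
                                "they would form one broadcast domain")
    return problems


def usable_hosts(cidr):
    """Host addresses left after the network and broadcast addresses."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 2


if __name__ == "__main__":
    # The plan as originally posted (constructed from the thread).
    print(check_plan({"LAN": "172.0.0.10/255.255.0.0",
                      "DMZ": "192.168.2.254/255.255.255.0"}))
    # The plan suggested in the reply: three separate RFC 1918 segments.
    print(check_plan({"LAN": "172.16.0.0/16", "DMZ": "172.17.0.0/29",
                      "transport": "192.168.0.0/30"}))
    print(usable_hosts("172.17.0.0/29"), usable_hosts("192.168.0.0/30"))
```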