On Wed, Dec 18, 2002 at 11:42:16AM +0200, Haim Ashkenazi wrote:
> Hi
> (...)
>
> I thought about 2 solutions so far:
> 1. putting iptables on all the other computers in the DMZ.
> 2. connecting this host to another VLAN and set this
> configuration on the switch (I have to see if that's even
> possible).

If you set up another VLAN then you are setting up another DMZ, and thus losing the 3 IP addresses anyway. The only difference being that both DMZs will be connected to the same switch. Question: who will do the routing between VLANs?

> Does anybody have another/better solution?

These are not the best solutions, just some more possibilities:

3.- Set up a bridge firewall and connect your DMZ servers to it (i.e. remove the switch).
4.- Add access control lists in the switch (if it allows you to).
5.- Add outgoing firewall rules in the server (an intruder needs to root it to remove the rules; this might take some time if you have hardened it properly and followed 'least privilege' in the setup of the servers/services being offered).

Of course the best solution would be a combination of all of them (notice that 2, 3 and 4 are mutually exclusive, I think).

My 2c.

Regards
Javi
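Option 5 from the mail above, as an added example that is not from the mail or its author: a set of iptables OUTPUT rules for one DMZ server that lets it answer its own clients and reach its gateway, but logs and drops any new connection it tries to open to a DMZ neighbour. The subnet, host and gateway addresses and the list of allowed outbound ports are constructed assumptions; running the script only prints the rules, and IPT=iptables applies them.

```shell
#!/bin/sh
# Egress rules for a single DMZ server (example, not from the original thread).
# Every server in the DMZ needs its own copy; a root compromise of the host can
# still flush these rules, which is why the mail calls it a delaying measure.

DMZ_NET="192.0.2.0/28"          # constructed: the DMZ subnet shared on the switch
GATEWAY="192.0.2.1"             # constructed: firewall/router that also resolves DNS
ALLOWED_TCP_OUT="25 80"         # constructed: SMTP and HTTP are the only new outbound flows
IPT="${IPT:-echo}"              # default is a dry run; IPT=iptables applies the rules

dmz_egress_rules() {
    # Replies to connections that clients (including neighbours) opened to us.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Local processes talking to each other.
    $IPT -A OUTPUT -o lo -j ACCEPT
    # DNS to the gateway is the only new flow allowed inside the DMZ subnet.
    $IPT -A OUTPUT -d "$GATEWAY" -p udp --dport 53 -j ACCEPT
    # Any other new connection towards a DMZ neighbour: log (rate limited) and drop.
    $IPT -A OUTPUT -d "$DMZ_NET" -m limit --limit 3/min -j LOG --log-prefix "DMZ-LATERAL: "
    $IPT -A OUTPUT -d "$DMZ_NET" -j DROP
    # New connections leaving the DMZ only for the services this host really needs.
    for port in $ALLOWED_TCP_OUT; do
        $IPT -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Everything else that tries to leave the host is dropped.
    $IPT -P OUTPUT DROP
}

dmz_egress_rules
```

The LOG line is what makes a compromised neighbour visible: a DMZ host that suddenly starts hitting other DMZ addresses shows up in the kernel log with the DMZ-LATERAL prefix before the rules are ever removed.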