Hi all,
After reading the O'Reilly firewall bible and a lot of FAQs and mailing
list archives, I'm still missing a clear concept or example for what I
consider a typical Internet connection setup in many small businesses and
organizations.
We are such a non-profit organization with about 50 PCs and half a
dozen Novell/NT/Linux servers. The three Linux PCs (running kernel
2.0.35, thus with the ipfwadm firewall package) mainly act as
Intranet server and firewall/proxy for our Internet connection (xDSL).
Our actual setup is:

      192.168.x.x/16                194.y.z.8/29
Intranet -------- Linux PC --------- xDSL Modem ----- Internet
                eth1    eth0

As you can see, we only have 8 real-world IP addresses (6 usable), and
the Linux PC is acting as a dual-homed bastion host, with firewalling
and masquerading, and serving at the same time as HTTP proxy (squid), as
SMTP forwarder to the internal mail server (with smtpd) and as external
Web/FTP server. After some initial configuration troubles, everything has
been working fine for a few months.
Now my problem, or better, my wishes: I have some old 486 PCs with
enough RAM, and I would now like to set up a real "nice" dual screened
subnet architecture with a perimeter network (DMZ) and our actual Linux PC
being integrated there as bastion host again, but doing only proxying,
mail forwarding and external web/ftp serving; the DMZ will be
"populated" with more servers in the near future, splitting up these
activities over two or three PCs. The primary architecture would thus be:

      192.168.x.x/16
Intranet -------- Linux FW -----+---- Linux Router --- xDSL Modem --- Internet
                                |
                        Linux Proxy/Server

My questions are: What happens now with the addressing scheme and the
masquerading? I think that the DMZ between the Linux firewall and the
(new) Linux exterior screening router should get the official IP address
space (194.y.z.8/29). This would mean that the masquerading has to take
place at the Linux FW machine; is this right?
Furthermore: Should the Linux Proxy/Server get one (as shown) or two (as
a dual-homed bastion host) Ethernet interfaces? And finally: is it
advisable to use only one Linux Firewall/Router instead of the two
"chokes" shown, by adding a third Ethernet interface for the DMZ?
Many thanks in advance for any answer or hint,
Manuel Elgorriaga Kunze
Swiss Library for the Blind
Zurich, Switzerland
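As an added example, not part of the original message, this is one way the inner "Linux FW" in the second diagram could be configured with ipfwadm on a 2.0.x kernel, with the masquerading placed on that inner firewall as the post proposes. It assumes eth1 faces the intranet and eth0 faces the DMZ, uses the documentation prefix 203.0.113.8/29 as a stand-in for the real 194.y.z.8/29, and assumes a single DMZ bastion host relaying SMTP to a single internal mail server; all addresses are constructed placeholders.

```shell
#!/bin/sh
# Inner Linux firewall (ipfwadm, kernel 2.0.x) for the proposed screened subnet.
# Assumptions (constructed for this example, not taken from the original post):
#   eth1 = intranet side, 192.168.0.0/16 (private space, masqueraded here)
#   eth0 = DMZ side, carrying the official /29; 203.0.113.8/29 is a
#          placeholder for the real 194.y.z.8/29
#   one bastion host in the DMZ relays SMTP to one internal mail server
set -eu

IPFWADM=${IPFWADM:-ipfwadm}   # set IPFWADM=echo to preview the rules
INT_IF=eth1; INT_NET=192.168.0.0/16
DMZ_IF=eth0; DMZ_NET=203.0.113.8/29
RELAY=203.0.113.10            # bastion host in the DMZ (placeholder)
MAILSRV=192.168.1.25          # internal mail server (placeholder)

inner_fw_rules() {
    # Start from a clean forwarding chain and deny forwarding by default.
    $IPFWADM -F -f
    $IPFWADM -F -p deny

    # Anti-spoofing on the input chain: nothing arriving from the DMZ side
    # may claim an intranet source address, and vice versa (-o logs it).
    $IPFWADM -I -a deny -o -W $DMZ_IF -S $INT_NET
    $IPFWADM -I -a deny -o -W $INT_IF -S $DMZ_NET

    # Masquerade every intranet host behind the firewall's DMZ address.
    # This is the only place the private 192.168/16 space can be hidden,
    # since the DMZ and everything beyond it carry official addresses.
    $IPFWADM -F -a masquerade -W $DMZ_IF -S $INT_NET -D 0.0.0.0/0

    # The DMZ relay may open SMTP to the internal mail server; only
    # ACK-bearing replies (-k, never a fresh SYN) are forwarded back out.
    $IPFWADM -F -a accept -P tcp -W $INT_IF -S $RELAY -D $MAILSRV 25
    $IPFWADM -F -a accept -P tcp -k -W $DMZ_IF -S $MAILSRV 25 -D $RELAY

    # Log anything else headed into the intranet before the policy drops it.
    $IPFWADM -F -a deny -o -W $INT_IF -D $INT_NET
}

# Run with the argument "apply" to load the rules; otherwise only define them.
if [ "${1:-}" = apply ]; then
    inner_fw_rules
fi
```

Preview the generated commands without touching the kernel with `IPFWADM=echo sh inner-fw.sh apply`.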