>>>>> "GB" == Greg Bastian <[EMAIL PROTECTED]> writes:

GB> I currently have a 32 Address class C subnet, which I need to
GB> extend to 64 addresses.

If it has 32 addresses, it is not class C. Just forget you ever heard
of classes, they are gone.

GB> The problem being, I have a web server in our DMZ which I need to
GB> have access to a DB on our internal LAN.

GB> The internal LAN is masqueraded behind a Linux host, and I cannot
GB> figure a way for the Web server to easily access the internal
GB> database.

Set up port forwarding on the Linux host, so that a specific port on
the Linux host's outside IP address is forwarded to the database. Be
careful about the rules you set up for that. Also, if someone sends
spoofed packets you have lost.

It is better to switch to a setup where the database server
initiates connections instead of listening for them. That way an
attacker would at least have to insert packets in an established TCP
connection which he cannot sniff...

It would be even better to put the web server on a third network card
on the Linux host.


Best regards,

Benny Amorsen

Netvision Denmark
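An added example (not from the thread, and not Benny's configuration) of what "be careful about the rules" looks like on a Linux host using iptables: the first function restricts the forwarded database port to the web server only and drops outside packets that claim an internal source; the second function is the alternative the reply recommends, where the database initiates the connection and nothing is forwarded in. All addresses, interfaces and ports are constructed assumptions; set DRY_RUN=1 to print the rules instead of applying them.

```shell
# Constructed topology: eth0 outside, eth1 internal LAN; the DMZ web server,
# outside address, database and internal net are all made-up example values.
EXT_IF=eth0; INT_IF=eth1
EXT_IP=198.51.100.1          # outside address of the Linux host
WEB=192.0.2.10               # web server in the DMZ
DB=10.1.1.20; DB_PORT=5432   # database on the masqueraded LAN
WEB_PORT=9000                # port the web server listens on for the DB-initiated variant
INT_NET=10.1.1.0/24

ipt() {
    # Print the rule in dry-run mode, otherwise apply it.
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

db_forward_rules() {
    # Anti-spoofing: a packet arriving on the outside interface with an
    # internal source address is never legitimate, so refuse it first.
    ipt -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP
    ipt -A INPUT   -i "$EXT_IF" -s "$INT_NET" -j DROP
    # Forward the database port only for the web server, only via the outside address.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -s "$WEB" -d "$EXT_IP" -p tcp --dport "$DB_PORT" \
        -j DNAT --to-destination "$DB:$DB_PORT"
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$WEB" -d "$DB" -p tcp --dport "$DB_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Replies for connections the firewall already knows about (including the
    # masqueraded LAN's own outbound traffic) are allowed back in.
    ipt -A FORWARD -o "$INT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything else headed for the internal LAN is dropped.
    ipt -A FORWARD -o "$INT_IF" -j DROP
}

db_initiates_rules() {
    # Alternative: the database opens the connection outward to the web server,
    # so no port on the outside address listens and no DNAT rule exists.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$DB" -d "$WEB" -p tcp --dport "$WEB_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Only replies on that established connection come back in.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$WEB" -d "$DB" -p tcp --sport "$WEB_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j DROP
}
```

The existing masquerade (MASQUERADE in POSTROUTING and the rules that allow the LAN out) stays as it is; these rules are appended after it, so ordering within FORWARD matters.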
