Ronneil,
#Since I have never tried setting up DMZ, I have a question: This DMZ side of
#the firewall should contain ip network/subnet accessible outside. What I
#mean here is, I shouldn't use RFC1918 on the DMZ side, it should be public
#IP addresses. Am I right?
You can use RFC1918 addresses as long as you still do NAT. For
external to DMZ connections you will want to do IP address redirection in
your proxy. You may need multiple Internet routable IP addresses assigned
to the external NIC of the firewall depending on what kind of and how many
servers you have on the DMZ.
Examples:
1. If you have two web servers on the DMZ then you would need two routable
IP addresses on your firewall's external NIC so you can map all traffic for
port 80 and port 443 on one IP address to one web server and all port 80
and port 443 traffic on the other IP address to the other web server.
2. If you have a web server and an FTP server then you only need one
Internet routable IP address because you can map ports 20 and 21 to the FTP
server on the DMZ and ports 80 and 443 to the web server.
It is easier to just have Internet routable IP addresses on the DMZ if you
have servers of the same type and have extra IP addresses lying around.
Regards,
Jeffery Gieser
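
Added example, not part of the original message: a small Python model of the port-mapping rule in the two examples above, showing that an external (IP, port) pair can forward to only one DMZ server. The server names, the 192.168.10.x DMZ addresses, the 203.0.113.x external addresses and the function names are all assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: external IPs come from the RFC 5737 documentation range.
EXTERNAL_IPS = ["203.0.113.10", "203.0.113.11"]
TWO_WEB = [("web1", "192.168.10.11", {80, 443}),
           ("web2", "192.168.10.12", {80, 443})]
WEB_AND_FTP = [("web1", "192.168.10.11", {80, 443}),
               ("ftp1", "192.168.10.21", {20, 21})]


def plan_dnat(servers, external_ips):
    """Build a table {(external_ip, port): (server_name, dmz_ip)}.

    Each server gets the first external IP on which all of its ports are
    still free (greedy first-fit, enough for the cases in the message).
    Raises ValueError when no external IP can carry a server's ports.
    """
    table = {}
    for name, dmz_ip, ports in servers:
        # This example models the NAT case, so DMZ hosts must be RFC1918.
        if not any(ip_address(dmz_ip) in net for net in RFC1918):
            raise ValueError(f"{name}: {dmz_ip} is not an RFC1918 address")
        for ext in external_ips:
            if all((ext, p) not in table for p in ports):
                table.update({(ext, p): (name, dmz_ip) for p in ports})
                break
        else:
            raise ValueError(
                f"{name}: ports {sorted(ports)} already mapped on every external IP")
    return table


def ips_used(table):
    """Return the sorted external IPs that carry at least one mapping."""
    return sorted({ext for ext, _port in table})


if __name__ == "__main__":
    for label, servers in (("two web servers", TWO_WEB), ("web + ftp", WEB_AND_FTP)):
        table = plan_dnat(servers, EXTERNAL_IPS)
        print(label, "->", len(ips_used(table)), "external IP(s)")
        for (ext, port), (name, dmz_ip) in sorted(table.items()):
            print(f"  {ext}:{port} -> {dmz_ip}:{port} ({name})")
```

Calling `plan_dnat(TWO_WEB, EXTERNAL_IPS[:1])` raises `ValueError`, which is the single-address conflict that example 1 avoids by using a second routable address.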