Hi,
I am in the process of redesigning our current DMZ in order to place it
behind a proper firewall. Right now we have all our internet servers behind
a screening router. We are using the IP address space x.y.z.65-126. About
40 IP addresses are already in use.
After the firewall implementation, things will look like this:
                INTERNET
                   |
                   |
                 Router
                   |
                   | (subnet 1)
                   |
                 (eth1)
               Firewall (eth2) --------- DMZ
                 (eth0)                  (Subnet 2)
                   |
                   |
                Internal
                Network
Right now, I am contemplating whether I should use NAT on the firewall to
screen off the DMZ/subnet 2 (with private IP addresses), or instead subnet
the address space we've been given by our ISP (and use internet IP addresses
for the webservers). Both solutions will require me to change the TCP/IP
settings on the internet servers, so I am basically looking for the lesser
of two evils:
- Use NAT and burn up CPU & memory on the firewall
- Divide the IP address space in two or more subnets and lose some IP
addresses as network & broadcast addresses
The firewall is a 2.4 Linux box running iptables. Our connection to the internet
is a 512 K line. Is it possible for a firewall (and more particularly, for
a Linux box) to NAT a DMZ of some 40 servers? What performance impact
should be expected on a Linux box doing NAT versus routing?
This is a test setup I tried yesterday, but it didn't work:
Router interface = x.y.z.126/255.255.255.252
Firewall eth1 = x.y.z.125/255.255.255.252
Firewall eth2 = x.y.z.65/255.255.255.192 (and this IP address = default
gateway of the web servers)
I know this setup has overlapping subnets, but I was hoping that, once the
Linux box received a packet on eth2 to route from Subnet 2 to Subnet 1 (or
to the internet), it would route it to/over Subnet 1.
Unfortunately it never did. I may have made an error, so I will recheck
things later on, but I wanted to get you guys' opinion about this. All in
all, this is a very common DMZ setup, and I am sure a number of companies
would hate to see a bunch of IP addresses become useless through
subnetting...
Kind regards,
Filip
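As an added illustration (not part of Filip's mail), a small Python planner for the two options he weighs: it checks whether two interface addresses sit on overlapping networks (the situation in the test setup), carves a transit /30 out of the ISP block and lists the non-overlapping subnets left for the DMZ, and counts the server addresses each plan leaves. It assumes the documentation block 203.0.113.64/26 in place of x.y.z.65-126, that each DMZ subnet gives up one address to the firewall as gateway, and that with NAT the router and firewall each hold one public address.

```python
from ipaddress import ip_interface, ip_network

# Constructed sample: 203.0.113.64/26 (usable .65-.126) stands in for the
# poster's x.y.z.65-126 block.
ISP_BLOCK = ip_network("203.0.113.64/26")


def links_overlap(iface_a, iface_b):
    """True when two interface addresses (e.g. '203.0.113.125/30') belong to
    networks that overlap, as the router/firewall link and the DMZ did in
    the poster's test setup."""
    return ip_interface(iface_a).network.overlaps(ip_interface(iface_b).network)


def carve(block, transit):
    """Carve the transit subnet (router <-> firewall eth1) out of the ISP
    block; return (transit, dmz_subnets) where dmz_subnets are the largest
    aligned, non-overlapping subnets left for the DMZ on eth2."""
    block, transit = ip_network(block), ip_network(transit)
    if not transit.subnet_of(block):
        raise ValueError(f"{transit} is not inside {block}")
    return transit, sorted(block.address_exclude(transit))


def server_capacity(dmz_subnets):
    """Server addresses under the subnetting plan: every DMZ subnet loses its
    network and broadcast addresses plus one firewall gateway address
    (assumption: one gateway address per subnet)."""
    return sum(n.num_addresses - 3 for n in dmz_subnets)


def nat_capacity(block):
    """Server addresses under the NAT plan: the block stays one subnet on the
    router <-> firewall link; network, broadcast, router and firewall
    addresses are not available for forwarding to private DMZ hosts
    (assumption: one public address each for router and firewall)."""
    return ip_network(block).num_addresses - 4


if __name__ == "__main__":
    print("test setup overlaps:", links_overlap("203.0.113.125/30", "203.0.113.65/26"))
    transit, dmz = carve(ISP_BLOCK, "203.0.113.124/30")
    print("transit:", transit, "DMZ subnets:", [str(n) for n in dmz])
    print("servers via subnetting:", server_capacity(dmz),
          "servers via NAT:", nat_capacity(ISP_BLOCK))
```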