> How can I configure a firewall on such a routed DMZ with the script in
> the Eiger distribution?
Start with:
http://lrp.steinkuehler.net/files/packages/network.txt
Specifically, the sections:
Routing to a Public address DMZ:
IP FILTER SETUP: DMZ NETWORK
> I wonder if IP masquerading is at all required to achieve the same
> level of security for the DMZ as provided for the internal network
> that I do not have? What is the difference of masquerading and
> filtering in this context?
In your situation, you should *NOT* be masquerading the DMZ. You can if you
want, but by providing public services, you are bypassing the 'safety-net'
provided by IP masquerading, as you're specifically and intentionally
letting external machines connect to your servers. Setup of a system that
mixes masquerading and straight routing is quite a bit more complex, as
well.
> I guess that the filtering that I am looking for is less complicated
> than port forwarding.
Yes.
> After I got the Eiger distribution running with
>
> IPFILTER_SWITCH=router
Wrong.
> I have changed to
>
> IPFILTER_SWITCH=firewall
Correct.
> and created one entry in
>
> INTERN_SERVERS="tcp_a.b.c.d_80_tcp_a.b.c.d_80"
>
> where a.b.c.d is a routable address in the DMZ.
This has absolutely nothing to do with your DMZ setup. Refer to the
network.conf reference, above.
> But what do I have to do with
>
> INTERN_NET
> INTERN_IP
> and
> MASQ_SWITCH
> ?
Whatever you want. You don't have an internal, masqueraded network, so none
of these settings matter. IIRC, if you set INTERN_NET="", you won't get
errors about the internal net when the script runs.
> Firewalling doesn't work for me yet.
>
> What am I missing?
Proper configuration of your DMZ. Use the DMZ_* variables, and read through
the network.conf reference above. NOTE that most default network.conf files
DO NOT include settings for the DMZ_* variables by default (since most folks
don't use them), but they'll work if you add them by hand.
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
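To make the distinction in the reply concrete (filter a routed public DMZ, do not masquerade it), here is an added illustration that is not from the Eiger scripts, network.conf or the original post. It assumes ipchains as the packet filter (the tool of Eiger-era LEAF kernels), and the interface names and addresses are made up for the example; the DMZ block uses a documentation range. By default the rules are only printed so the script runs anywhere; set IPCHAINS=ipchains to apply them on a real box.

```shell
#!/bin/sh
# Added example, not Eiger's own rule script. Interface names, addresses and
# the use of ipchains are assumptions. Dry run by default: rules are echoed.
IPCHAINS="${IPCHAINS:-echo ipchains}"

EXT_IF="eth0"             # assumed external (Internet-facing) interface
DMZ_IF="eth1"             # assumed interface carrying the routed public DMZ
DMZ_NET="203.0.113.0/29"  # assumed public DMZ block (constructed, RFC 5737)
WEB_SRV="203.0.113.2"     # assumed public web server inside the DMZ
INT_NET="192.168.1.0/24"  # assumed private internal net, shown only for contrast

# Routed public DMZ: no address rewriting at all. The router forwards only
# what a rule explicitly permits, so every exposed service is a deliberate
# decision and the forward chain is the complete list of what is reachable.
dmz_rules() {
    # Nothing crosses the router unless a rule below allows it.
    $IPCHAINS -P forward DENY
    # Inbound: anyone may reach the web server on tcp/80; nothing else in the DMZ.
    $IPCHAINS -A forward -p tcp -i "$DMZ_IF" -s 0/0 -d "$WEB_SRV" 80 -j ACCEPT
    # A compromised DMZ host must not open new connections (SYN) to the
    # internal net; this DENY comes before the general outbound ACCEPT.
    $IPCHAINS -A forward -p tcp -y -s "$DMZ_NET" -d "$INT_NET" -j DENY
    # Outbound: DMZ hosts may talk to the Internet (replies to web clients,
    # DNS, updates). With ipchains this is stateless, so replies to the
    # inbound tcp/80 traffic also rely on this rule.
    $IPCHAINS -A forward -i "$EXT_IF" -s "$DMZ_NET" -d 0/0 -j ACCEPT
}

# Masqueraded private net, for contrast: the 'safety net' the reply mentions
# exists because nothing outside can address a 192.168.x.x host directly, so
# no inbound rule is needed or possible without explicit port forwarding.
masq_rules() {
    $IPCHAINS -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
}

# Helper used to sanity-check a generated rule set: returns 0 when the
# DMZ rules contain no MASQ target and do contain the web-server ACCEPT.
dmz_rules_are_routed() {
    out="$(dmz_rules)"
    echo "$out" | grep -q ' MASQ' && return 1
    echo "$out" | grep -q -- "-d $WEB_SRV 80 -j ACCEPT" || return 1
    return 0
}

echo "# routed public DMZ (filtered, not masqueraded):"
dmz_rules
echo "# masqueraded private net, for comparison:"
masq_rules
```

Note the order inside dmz_rules: ipchains walks the forward chain top to bottom and stops at the first match, so the DENY for DMZ-to-internal SYNs has to sit above the broad outbound ACCEPT, otherwise it is never reached.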
_______________________________________________
Leaf-user mailing list
http://lists.sourceforge.net/lists/listinfo/leaf-user