I think I've seen Charles S recommend putting your db server on another
ethernet card as one option.  

The db server can be on the DMZ, but nothing will route to it from the
Internet because you would not port forward to it.  You would maybe put
an ssh connection to it for secure maintenance.  The web server would
talk to the db server through normal tcp/ip traffic on the same net.
You can minimize your web security issues by not loading in modules that
you do not use.  For instance if your CGI script is in perl do not load
PHP modules, etc.

Can anyone else on the list give Kjetil a more concrete answer?

Greg
Kjetil Næss wrote:
> 
> What I want to do is to have a web-server in the DMZ. This web-server
> has a special cgi-script which I've written. It connects to another
> server which will receive all parameters from the cgi-script, do some
> database operation and then return a new "dynamic" html-page back
> through the cgi-script to the web-server. If there is no way to (ie. I
> should not be able to) connect dmz to internal, does this mean
> I'll have to put this web-server in the internal net and expose it to
> the external net through the INTERN_WWW_SERVER ? Is that safe
> enough/more safe ?
> 
> Kjetil
> 
> -----Original Message-----
> From: Greg Morgan [mailto:[EMAIL PROTECTED]]
> Sent: 3. januar 2002 10:15
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] Dachstein CD, problem with connecting from DMZ
> to internal
> 
> Kjetil Næss wrote:
> > Hi all,
> > I've spent too many hours trying to solve a problem I now hope some
> > kind person can help me with. I'm using the latest Dachstein CD
> > version, 3 network cards as follows
> > eth0=external (ip's 212.125.237.178, 180, 181,182)
> > eth1=internal (ip's 192.168.1.0/24)
> > eth2=DMZ    (ip's 192.168.2.0/24)
> >
> > I want to allow a machine in the DMZ to connect to a specific machine
> > in the internal net on a specific port, ie.
> 
> Kjetil this idea violates the whole idea of using a DMZ.  eth1, your
> internal net should connect to both eth0, the external and eth2 the DMZ.
> However, eth2 should never connect to the internal net.  The DMZ routing
> is designed to do this...on purpose.  If a server on your DMZ net is
> compromised and it has access to your internal net, then your internal
> net is at risk.  The DMZ leverages the router to serve both your
> protected internal net that is being protected from the big bad Internet,
> and the router allows you to host servers that are at risk on the
> Internet--the DMZ.  It would be advisable for you to rethink your
> strategy.  Perhaps you could describe it in more detail and others could
> help you enable your goals safely.
> 
> I hope this helps,
> Greg Morgan
> 
> > machine 192.168.2.2 wants to connect to 192.168.1.250 on port 4711.
> > I have no problem going from internal to external, or from
> > internal to dmz (can connect to web-server on dmz). All attempts to
> > have the machine in the dmz connect to the internal one fail. Some
> > have mentioned to me that this will not be possible/allowed. True ?
> >
> > At the moment, DMZ_SWITCH=PRIVATE. I've tried with YES/PROXY (what's
> > the difference between these three ?). I've also tried
> > setting up rules for accepting traffic between these two machines to no
> > avail. Telnet from 192.168.2.2 to 192.168.1.250 4711 fails,
> > and nothing appears in the log. Could it be a routing problem ? I've
> > set default gateway on 192.168.2.2 to 192.168.2.254 which is the ip
> > of eth2.
> >
> > Please help if you can.
> >
> > Kjetil Næss
> <snip html..you only need to send text>

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
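The following is an added example and is not code from the thread or from the Dachstein CD. It writes down the three-legged policy Greg describes (internal may reach both other legs, Internet reaches the DMZ only through explicit port forwards, DMZ reaches the internal net only through explicit exceptions such as 192.168.2.2 -> 192.168.1.250:4711, and the db server gets no forward at all) as a shell verdict function, then emits firewall rules from the same tables. The interface names and 192.168.x.0/24 nets come from Kjetil's mail; the iptables syntax, the 443 forward, the example external address 203.0.113.9 and the "DMZ may talk out to the Internet" rule are assumptions, since Dachstein configures its firewall through its own config files and not with these commands. Nothing is applied unless APPLY=1 is set; by default the script only prints what it would run.

```shell
#!/bin/sh
# Added example (not from the LEAF list or the Dachstein CD): a verdict
# function for Kjetil's three-NIC layout plus the iptables rules that
# implement it. iptables syntax is an assumption; Dachstein uses its own
# config files. Rules are printed, not applied, unless APPLY=1.

EXT_IF=eth0                 # external leg
INT_IF=eth1                 # internal leg, 192.168.1.0/24
DMZ_IF=eth2                 # DMZ leg, 192.168.2.0/24

# Internet -> DMZ: only these "port:ip" pairs are port-forwarded. The db
# server lives in the DMZ too but is deliberately absent, so nothing on
# the Internet can route to it (443 is an assumed extra forward).
EXT_TO_DMZ_FORWARD="80:192.168.2.2 443:192.168.2.2"

# DMZ -> internal: explicit "src:dst:port" exceptions only. Default is
# drop, so a compromised DMZ host cannot roam the internal net.
DMZ_TO_INT_ALLOW="192.168.2.2:192.168.1.250:4711"

zone_of() {                 # classify an IP by its /24 (nets from the mail)
  case "$1" in
    192.168.1.*) echo internal ;;
    192.168.2.*) echo dmz ;;
    *)           echo external ;;
  esac
}

# verdict SRC_IP DST_IP DST_PORT -> ACCEPT or DROP, for new TCP connections
# that cross the router (same-leg traffic never reaches it).
verdict() {
  src=$1; dst=$2; port=$3
  case "$(zone_of "$src")-$(zone_of "$dst")" in
    internal-*)   echo ACCEPT ;;     # trusted net may reach DMZ and Internet
    dmz-external) echo ACCEPT ;;     # assumption: DMZ hosts may do DNS/NTP out
    dmz-internal)
      for e in $DMZ_TO_INT_ALLOW; do
        [ "$e" = "$src:$dst:$port" ] && { echo ACCEPT; return; }
      done
      echo DROP ;;
    external-dmz)
      for f in $EXT_TO_DMZ_FORWARD; do
        [ "$f" = "$port:$dst" ] && { echo ACCEPT; return; }
      done
      echo DROP ;;
    *) echo DROP ;;                  # external->internal and anything else
  esac
}

run() {                     # print the rule, or apply it when APPLY=1
  if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

emit_rules() {
  run -P FORWARD DROP
  run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run -A FORWARD -i "$INT_IF" -j ACCEPT
  run -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -j ACCEPT
  for e in $DMZ_TO_INT_ALLOW; do
    src=${e%%:*}; rest=${e#*:}; dst=${rest%%:*}; port=${rest#*:}
    run -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -p tcp -s "$src" -d "$dst" \
        --dport "$port" -m state --state NEW -j ACCEPT
  done
  for f in $EXT_TO_DMZ_FORWARD; do
    port=${f%%:*}; dst=${f#*:}
    run -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dst"
    run -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p tcp -d "$dst" \
        --dport "$port" -m state --state NEW -j ACCEPT
  done
}

emit_rules
```

The verdict function and the rule generator read the same two allow-lists, so adding a DMZ-to-internal exception means adding one "src:dst:port" entry rather than hand-writing a rule; every other DMZ-to-internal flow, including ssh from a compromised web server, stays on the DROP policy. The db server's absence from EXT_TO_DMZ_FORWARD is what keeps it unreachable from the Internet even though it sits on the DMZ leg.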