"Enchufa2.com" <[EMAIL PROTECTED]> wrote: Let me step out on a limb. I am just looking into the idea of using a private DMZ for a backup server. One LEAF box's protected server would send files to another LEAF box's port forwarded server via SSH. From my reading, I get the feeling that some of the ipchain rules Ray described are covered in the extended scripts available for Eigerstein Beta 2. I am too new in the learning curve to fully describe the configuration yet. The extended scripts are the default scripts in Dachstein. The scripts are available to EB2 as an add on package. Moreover, there are some "hook" files that may be useful in adding the specialized rules Ray talked about, if the extended scripts do not provide support by default.
What I am thinking is that the extended scripts would help with adding a private network DMZ. See your modified diagram below. If your company can spring for the cost of one more network card in your LEAF box, then you would put all your servers on the DMZ. This would also offer your network more protection if one of your servers is compromised. A reverse masquerade rule is set for the servers in the extended scripts. You could block all the services Ray talked about and restrict them to 172.16.8.2. This would restrict the services to your internal servers on the DMZ because of the built in rules. Please see the "ADVANCED FIREWALL CONFIGURATION" section of the network.txt documentation file. Hopefully, I helped and not hindered here.

Greg Morgan

> This is a commented diagram of the current setup:
>
>                  Internet Gateway
>                  216.72.129.xxx
>                         |
>                         |
>          LMMDS Wireless link to ISP network
>                         |
>                         |
>               ISP router at building
>        172.16.8.1  subnet mask: 255.255.255.0
>                         |
>               LRP: Eigerstein Beta 2
>          ***************|**********
>          *              |         *   Router offers:
>          *  eth0: 172.16.8.2      *   NAT for the LAN, portfw to internal
>          *                        *   servers, SSH access from the outside
>          *  eth1: 192.168.0.1     *
>          *              |         *
           *  eth2: 192.168.0.2     *--------3 internal servers network/DMZ moved here.
           *              |         *
>          ***************|**********
>                         |
>                         |
>                  Internal network
>                  192.168.0.0/24
>                         |
>                         |
>                    hub/switch
>                    |  |  |  |
>                    |  |  |  |   3 internal servers and several workstations:
>                    |  |  |  |
>                    |  |  |  |   Services offered by the servers:
>                    |  |  |  |
>                    |  |  |  |   - To the inside: proxy/cache (Squid), Socks5 proxy,
>                    |  |  |  |     authentication, DHCP, SMTP, IMAP, DNS
>                    |  |  |  |
>                    |  |  |  |   - To the outside: www
>                    |  |  |  |
>                    |  |  |  |   All servers and workstations
>                    |  |  |  |   use 192.168.0.1 as default gateway
>                    |  |  |  |
>                    |  |  |  |   Servers IP config is manual
>                    |  |  |  |
>                    |  |  |  |   Workstations get IP config via DHCP
>                    |  |  |  |
>                    |  |  |  +--- 192.168.0.2
>                    |  |  |
>                    |  |  +----- 192.168.0.3
>                    |  |  .
>                    |  |  .
>                    |  |  .
>                    |  +-------- 192.168.0.252
>                    |
>                    +---------- 192.168.0.253

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
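The security argument in the post (a server on its own DMZ interface cannot reach the workstation LAN if it is compromised, while the inside-only services stay reachable from the LAN and the Internet sees only www and SSH) can be stated as a first-match, default-deny policy table. The Python model below is an added illustration for this thread, not the LEAF extended scripts or any ipchains rule set Ray or Greg described; it assumes a separate DMZ subnet 192.168.1.0/24 with the forwarded web server at 192.168.1.2 (the diagram gives the DMZ no subnet of its own), uses the well-known ports for the services the diagram lists, and the `Packet`, `Rule`, `decide` and `decide_flow` names are mine. It judges only the packet that opens a connection; ipchains itself is stateless, so real rules also need entries for the reply direction.

```python
"""Constructed model of the three-interface LEAF layout from the modified diagram.

eth0 = outside (172.16.8.2), eth1 = internal LAN (192.168.0.0/24),
eth2 = private DMZ holding the servers.  Added illustration, not LEAF code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

OUTSIDE, LAN, DMZ = "eth0", "eth1", "eth2"

ROUTER_EXT = ip_address("172.16.8.2")      # router's outside address (from the diagram)
LAN_NET = ip_network("192.168.0.0/24")     # internal network (from the diagram)
DMZ_NET = ip_network("192.168.1.0/24")     # ASSUMED: the diagram gives the DMZ no subnet
WWW_SERVER = ip_address("192.168.1.2")     # ASSUMED: the server that port 80 is forwarded to

# Well-known ports for the inside-only services the diagram lists.
INSIDE_TCP_SERVICES = {"squid": 3128, "socks5": 1080, "smtp": 25, "imap": 143, "dns": 53}


@dataclass(frozen=True)
class Packet:
    in_if: str            # interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address      # after port forwarding, i.e. the real server address
    proto: str            # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "ACCEPT" or "DENY"
    in_if: Optional[str] = None         # None means "any" for every field below
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or self.in_if == p.in_if)
                and (self.src is None or p.src in self.src)
                and (self.dst is None or p.dst in self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def host(addr: IPv4Address) -> IPv4Network:
    """A /32 so a single host can be used in the dst field of a Rule."""
    return ip_network(f"{addr}/32")


POLICY: List[Rule] = [
    # 1. The point of the private DMZ: a compromised server cannot open
    #    connections into the workstation LAN.  Listed first so that no
    #    later ACCEPT can override it.
    Rule("DENY", in_if=DMZ, src=DMZ_NET, dst=LAN_NET),
    # 2. Workstations may use the inside-only services on the DMZ servers.
    *[Rule("ACCEPT", in_if=LAN, src=LAN_NET, dst=DMZ_NET, proto="tcp", dport=port)
      for port in INSIDE_TCP_SERVICES.values()],
    Rule("ACCEPT", in_if=LAN, src=LAN_NET, dst=DMZ_NET, proto="udp", dport=53),
    # 3. From the Internet: only www to the forwarded server and SSH to the router.
    Rule("ACCEPT", in_if=OUTSIDE, dst=host(WWW_SERVER), proto="tcp", dport=80),
    Rule("ACCEPT", in_if=OUTSIDE, dst=host(ROUTER_EXT), proto="tcp", dport=22),
]


def decide(p: Packet, policy: List[Rule] = POLICY) -> str:
    """First matching rule wins; a packet that matches nothing is denied."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "DENY"


def decide_flow(in_if: str, src: str, dst: str, proto: str, dport: int) -> str:
    """String-argument convenience wrapper around decide()."""
    return decide(Packet(in_if, ip_address(src), ip_address(dst), proto, dport))


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.7 is a documentation address standing in
    # for an arbitrary Internet host.
    samples = [
        (LAN, "192.168.0.50", "192.168.1.2", "tcp", 3128),    # workstation -> Squid on DMZ
        (OUTSIDE, "203.0.113.7", "192.168.1.2", "tcp", 80),   # Internet -> forwarded www
        (OUTSIDE, "203.0.113.7", "192.168.1.2", "tcp", 3128), # Internet -> Squid: denied
        (DMZ, "192.168.1.2", "192.168.0.50", "tcp", 445),     # DMZ server -> LAN: denied
        (OUTSIDE, "203.0.113.7", "172.16.8.2", "tcp", 22),    # Internet -> SSH on router
    ]
    for flow in samples:
        print(f"{flow[0]:5} {flow[1]:>14} -> {flow[2]:<14} {flow[3]}/{flow[4]:<5} {decide_flow(*flow)}")
```

The order of the rules carries the guarantee: the DMZ-to-LAN DENY sits before every ACCEPT, so adding a new inside-only service later cannot silently open a path from the servers back to the workstations. The same first-match property is what makes the placement of rules in the real ipchains chains matter.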