Hello: Configuring the router to provide a DMZ and moving the servers there is next on this project list, since sometime this year the servers will be hosting a web site and a web-based database app.
But I was not aware of a private DMZ configuration, so it may be that I start implementing a private DMZ soon. Thanks for stepping out on a limb :-)

Omar Vasquez

On 11/5/02 1:42 PM, Greg Morgan from <[EMAIL PROTECTED]> wrote:

> "Enchufa2.com" <[EMAIL PROTECTED]> wrote:
>
> Let me step out on a limb. I am just looking into the idea of using a private DMZ for a backup server. One LEAF box's protected server would send files to another LEAF box's port forwarded server via SSH. From my reading, I get the feeling that some of the ipchain rules Ray described are covered in the extended scripts available for Eigerstein Beta 2. I am too new in the learning curve to fully describe the configuration yet. The extended scripts are the default scripts in Dachstein. The scripts are available to EB2 as an add-on package. Moreover, there are some "hook" files that may be useful in adding the specialized rules Ray talked about, if the extended scripts do not provide support by default.
>
> What I am thinking is that the extended scripts would help with adding a private network DMZ. See your modified diagram below. If your company can spring for the cost of one more network card in your LEAF box, then you would put all your servers on the DMZ. This would also offer your network more protection if one of your servers is compromised. A reverse masquerade rule is set for the servers in the extended scripts. You could block all the services Ray talked about and restrict them to 172.16.8.2. This would restrict the services to your internal servers on the DMZ because of the built-in rules. Please see the "ADVANCED FIREWALL CONFIGURATION" section of the network.txt documentation file.
>
> Hopefully, I helped and not hindered here.
>
> Greg Morgan
>
>> This is a commented diagram of the current setup:
>>
>>                 Internet Gateway
>>                 216.72.129.xxx
>>                        |
>>                        |
>>           LMMDS Wireless link to ISP network
>>                        |
>>                        |
>>                 ISP router at building
>>        172.16.8.1  subnet mask: 255.255.255.0
>>                        |
>>                 LRP: Eigerstein Beta 2
>>          ***************|**********
>>          *             |         *   Router offers:
>>          *  eth0: 172.16.8.2     *   NAT for the LAN, portfw to internal
>>          *                       *   servers, SSH access from the outside
>>          *  eth1: 192.168.0.1    *
>>          *             |         *
>           *  eth2: 192.168.0.2    *--------3 internal servers network/DMZ
>                                               moved here.
>           *             |         *
>>          ***************|**********
>>                        |
>>                        |
>>                 Internal network
>>                 192.168.0.0/24
>>                        |
>>                        |
>>                    hub/switch
>>                   | | | |
>>                   | | | |   3 internal servers and several workstations:
>>                   | | | |
>>                   | | | |   Services offered by the servers:
>>                   | | | |
>>                   | | | |   - To the inside: proxy/cache (Squid), Socks5 proxy,
>>                   | | | |     authentication, DHCP, SMTP, IMAP, DNS
>>                   | | | |
>>                   | | | |   - To the outside: www
>>                   | | | |
>>                   | | | |   All servers and workstations
>>                   | | | |   use 192.168.0.1 as default gateway
>>                   | | | |
>>                   | | | |   Servers IP config is manual
>>                   | | | |
>>                   | | | |   Workstations get IP config via DHCP
>>                   | | | |
>>                   | | | +--- 192.168.0.2
>>                   | | |
>>                   | | +----- 192.168.0.3
>>                   | |   .
>>                   | |   .
>>                   | |   .
>>                   | +-------- 192.168.0.252
>>                   |
>>                   +---------- 192.168.0.253

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
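As an added example (not code from this thread or from the LEAF project), here is a small first-match model in Python of the three-interface policy Greg sketches: LAN workstations reach the services on the DMZ servers, outside clients reach only the forwarded www port on 172.16.8.2, and a DMZ host can open nothing towards the LAN, so a compromised server is contained. The DMZ subnet 192.168.1.0/24, the web server address 192.168.1.2 and the interface-to-zone mapping are assumptions; the other addresses come from the diagram.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")          # eth1 side, from the diagram
DMZ = ip_network("192.168.1.0/24")          # assumed numbering for the eth2 segment
ROUTER_EXT = ip_address("172.16.8.2")       # eth0, from the diagram
WWW_SERVER = ip_address("192.168.1.2")      # assumed address of the web server on the DMZ
PORTFW = {80: WWW_SERVER}                   # outside port 80 -> DMZ web server
IFACE = {"internet": "eth0", "lan": "eth1", "dmz": "eth2"}  # assumed zone per NIC

# Rules checked in order, first match wins: (src zone, dst zone, dst port, action).
# A port of None matches any port; anything unmatched is DENIED, like an
# ipchains chain whose policy is set to DENY.
RULES = [
    ("lan", "dmz", 3128, "ACCEPT"),       # Squid proxy/cache for the workstations
    ("lan", "dmz", 25, "ACCEPT"),         # SMTP
    ("lan", "dmz", 143, "ACCEPT"),        # IMAP
    ("lan", "dmz", 53, "ACCEPT"),         # DNS
    ("internet", "dmz", 80, "ACCEPT"),    # www, reached through the port forward
    ("dmz", "lan", None, "DENY"),         # a compromised server cannot reach the LAN
    ("lan", "internet", None, "ACCEPT"),  # masqueraded outbound traffic
]

def zone(addr):
    """Map an address to the network segment it belongs to."""
    if addr in LAN:
        return "lan"
    if addr in DMZ:
        return "dmz"
    return "internet"

def decide(src, dst, dport, in_iface):
    """Return ACCEPT or DENY for a new connection arriving on in_iface."""
    src, dst = ip_address(src), ip_address(dst)
    # Anti-spoofing: a source address must arrive on the interface of its zone.
    if IFACE[zone(src)] != in_iface:
        return "DENY"
    # Port forwarding is applied before filtering: connections to the router's
    # outside address on a forwarded port are redirected to the DMZ server.
    if dst == ROUTER_EXT and dport in PORTFW:
        dst = PORTFW[dport]
    s, d = zone(src), zone(dst)
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_src == s and rule_dst == d and rule_port in (None, dport):
            return action
    return "DENY"

if __name__ == "__main__":
    print(decide("192.168.0.50", "192.168.1.2", 3128, "eth1"))  # ACCEPT: workstation to Squid
    print(decide("192.168.1.2", "192.168.0.50", 445, "eth2"))   # DENY: DMZ server into the LAN
    print(decide("203.0.113.9", "172.16.8.2", 80, "eth0"))      # ACCEPT: outside www via portfw
    print(decide("192.168.0.50", "192.168.0.2", 80, "eth0"))    # DENY: LAN address spoofed on eth0
```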
