Hi
On Mon, Mar 11, 2013, at 06:32 PM, Tom Eastep wrote:
> I would also like to recommend separate LANs for the servers and other
> client systems. I dislike not having a firewall between the two, because
> your internet-facing servers are the most likely targets of hackers.
Logically separate LANs are certainly an option. As for physically
separated, for now, we're interface limited.
So, iiuc, something like:
--------------------------------
Firewall Box:
    ext intfc: eth0, x.x.x.17/24, Gateway x.x.x.1
    DNS daemon, listen @ 192.168.0.100/24
    int intfc: eth1, 172.16.1.100/24
Mail Server Box:
    intfc: eth0, 192.168.1.25/24
Xen Server Box:
    Dom0
        intfc: eth0, 172.16.1.200/24
        br0 ->
            DomU1
                intfc: eth0, 10.0.1.200/24
            DomU2
                intfc: eth0, 10.0.2.200/24
Desktops
    intfc: eth0, 172.16.1.XX
--------------------------------
would provide (some of) that separation?
That, I presume, adds a bunch of shorewall config complexity for rules
and routes.
Also, fwiw, the 'switch' between the firewall box and the rest of the
physical LAN *is* a managed switch, vlan capable. QoS -- generally and
VoIP-specific -- is also "in there" to deal with, with tagging &
allocation across the LAN(s).
For now I'm treating it as a dumb switch until I get further along.
darx
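One way to get the client/server split Tom recommends while staying on a single physical internal interface is to use the VLAN-capable switch: tag the desktops and the mail server into two VLANs, terminate both on 802.1Q sub-interfaces of eth1, and give each its own Shorewall zone so traffic between them is filtered by default. This is an added illustration, not configuration from this thread; the VLAN IDs (10 and 20), the `dmz` zone name, the allowed ports and the assumption that the OS already creates `eth1.10`/`eth1.20` are mine, and the Xen guest networks are left out.

```shorewall
# /etc/shorewall/zones  (assumed zone names; 'dmz' is the server VLAN)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
# eth1.10 and eth1.20 are 802.1Q sub-interfaces of eth1 that the OS network
# config must create first (assumed VLAN IDs: the managed switch puts the
# desktops in VLAN 10 and the mail server in VLAN 20).
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
loc     eth1.10     tcpflags,nosmurfs
dmz     eth1.20     tcpflags,nosmurfs

# /etc/shorewall/policy  (deny by default between the two LANs, and log it)
#SOURCE DEST    POLICY  LOG-LEVEL
$FW     all     ACCEPT
loc     net     ACCEPT
dmz     net     REJECT  info
loc     dmz     REJECT  info
dmz     loc     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq  (NAT both private LANs out of the public interface)
#INTERFACE  SOURCE
eth0        172.16.1.0/24,192.168.1.0/24

# /etc/shorewall/rules  (only the holes the mail server actually needs)
#ACTION         SOURCE  DEST                PROTO   DPORT
# Inbound mail from the internet: forward port 25 to the server (192.168.1.25)
DNAT            net     dmz:192.168.1.25    tcp     25
# Outbound mail and DNS from the server only, nothing else leaves the dmz
SMTP(ACCEPT)    dmz     net
DNS(ACCEPT)     dmz     $FW
# Desktops may submit and read mail, and resolve via the firewall's DNS daemon
SMTP(ACCEPT)    loc     dmz:192.168.1.25
IMAPS(ACCEPT)   loc     dmz:192.168.1.25
DNS(ACCEPT)     loc     $FW
```

With this layout the desktops and the mail server never share a broadcast domain, and anything the server tries to initiate toward the client VLAN shows up in the log under the `dmz` to `loc` DROP policy.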
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users