On 3/11/13 5:05 PM, "[email protected]" <[email protected]> wrote:

> Hi
>
> On Mon, Mar 11, 2013, at 06:32 PM, Tom Eastep wrote:
>> I would also like to recommend separate LANs for the servers and other
>> client systems. I dislike not having a firewall between the two, because
>> your internet-facing servers are the most likely targets of hackers.
>
> Logically separate LANs are certainly an option. As for physically
> separated, for now, we're interface limited.
>
> So, iiuc, something like:
>
> --------------------------------
> Firewall Box:
>   ext intfc: eth0, x.x.x.17/24, Gateway x.x.x.1
>   DNS daemon, listen @ 192.168.0.100/24
>   int intfc: eth1, 172.16.1.100/24
>
> Mail Server Box:
>   intfc: eth0, 192.168.1.25/24
>
> Xen Server Box:
>   Dom0
>     intfc: eth0, 172.16.1.200/24
>     br0 ->
>       DomU1
>         intfc: eth0, 10.0.1.200/24
>       DomU2
>         intfc: eth0, 10.0.2.200/24
>
> Desktops
>   intfc: eth0, 172.16.1.XX
> --------------------------------
>
> would provide (some of) that separation?
Some (but not much). Broadcast traffic on the LAN is visible to all hosts, so
each of the subnets is quickly exposed to the other.

-Tom

You do not need a parachute to skydive.
You only need a parachute to skydive twice.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
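Tom's point, that several IP subnets on one LAN segment give almost no separation, is easy to check mechanically. The script below is an added example, not code from the thread or from the Shorewall project: it models the addressing plan quoted above, assumes (hypothetically) that every box behind the firewall's eth1 hangs off the same switch and that the Xen DomUs reach that switch through Dom0's br0, fills in 172.16.1.50 for the desktop's 172.16.1.XX, and reports which subnets share a broadcast domain and which pairs of hosts can talk without the firewall ever seeing the traffic. A second, equally hypothetical plan with one segment per subnet is included only so the audit has a passing case.

```python
"""Audit an addressing plan for IP subnets that share one layer-2 segment.

Added example, not code from the Shorewall thread or project.  The segment
labels, interface names and the desktop address are assumptions made for
the example; the WAN side and the DNS listener address are left out.
"""
from collections import defaultdict
from ipaddress import ip_interface

# (host, interface, address/prefix, layer-2 segment) -- the plan from the
# thread, with the cabling assumed: everything behind eth1 on one switch.
PROPOSED = [
    ("firewall",  "eth1", "172.16.1.100/24", "lan-switch"),
    ("mail",      "eth0", "192.168.1.25/24", "lan-switch"),
    ("xen-dom0",  "eth0", "172.16.1.200/24", "lan-switch"),
    ("xen-domU1", "eth0", "10.0.1.200/24",   "lan-switch"),  # via Dom0 br0
    ("xen-domU2", "eth0", "10.0.2.200/24",   "lan-switch"),  # via Dom0 br0
    ("desktop",   "eth0", "172.16.1.50/24",  "lan-switch"),  # 172.16.1.XX
]

# The same boxes with one segment per subnet (assumed: one 802.1Q VLAN each,
# trunked to the firewall's eth1).  Shown only as the passing case.
SEGMENTED = [
    ("firewall",  "eth1.10", "172.16.1.100/24", "vlan10"),
    ("firewall",  "eth1.20", "192.168.1.1/24",  "vlan20"),
    ("firewall",  "eth1.30", "10.0.1.1/24",     "vlan30"),
    ("firewall",  "eth1.40", "10.0.2.1/24",     "vlan40"),
    ("mail",      "eth0",    "192.168.1.25/24", "vlan20"),
    ("xen-dom0",  "eth0",    "172.16.1.200/24", "vlan10"),
    ("xen-domU1", "eth0",    "10.0.1.200/24",   "vlan30"),
    ("xen-domU2", "eth0",    "10.0.2.200/24",   "vlan40"),
    ("desktop",   "eth0",    "172.16.1.50/24",  "vlan10"),
]


def subnets_by_segment(plan):
    """Map each layer-2 segment to the set of IP subnets configured on it."""
    by_seg = defaultdict(set)
    for _host, _iface, addr, seg in plan:
        by_seg[seg].add(ip_interface(addr).network)
    return by_seg


def shared_segments(plan):
    """Segments carrying more than one subnet, as {segment: [subnet, ...]}.

    Every host on such a segment sees the others' ARP and broadcast traffic,
    and any of them can add a secondary address in a neighbouring subnet and
    talk to it directly, so the firewall is never in the path.
    """
    return {
        seg: [str(n) for n in sorted(nets)]
        for seg, nets in subnets_by_segment(plan).items()
        if len(nets) > 1
    }


def segments_of(plan, host):
    """Layer-2 segments that `host` has an interface on."""
    return {seg for h, _iface, _addr, seg in plan if h == host}


def direct_peers(plan, host):
    """Hosts reachable from `host` at layer 2, whatever subnet they are in."""
    mine = segments_of(plan, host)
    return {h for h, _iface, _addr, seg in plan if h != host and seg in mine}


def filtered_path(plan, src, dst, firewall="firewall"):
    """True only if src and dst share no segment and the firewall sits on
    src's segment, i.e. the traffic has to be routed through it."""
    return (dst not in direct_peers(plan, src)
            and bool(segments_of(plan, src) & segments_of(plan, firewall)))


def crossover_command(plan, host, target):
    """The single command that puts `host` onto `target`'s subnet when they
    share a segment (None otherwise).  The chosen address is assumed free."""
    if target not in direct_peers(plan, host):
        return None
    iface = next(i for h, i, _a, _s in plan if h == host)
    net = next(ip_interface(a).network for h, _i, a, _s in plan if h == target)
    addr = ip_interface(f"{net[-2]}/{net.prefixlen}")  # last usable address
    return f"ip addr add {addr} dev {iface}"


if __name__ == "__main__":
    for name, plan in (("proposed", PROPOSED), ("segmented", SEGMENTED)):
        print(f"{name}: shared segments = {shared_segments(plan) or 'none'}")
        print(f"  desktop -> mail filtered: {filtered_path(plan, 'desktop', 'mail')}")
    print("desktop reaches mail with:", crossover_command(PROPOSED, "desktop", "mail"))
```

Run as-is it reports that all four subnets of the proposed plan ride on the one switch, that a desktop reaches the mail server without the firewall in the path, and the one `ip addr add` line that makes that concrete; the segmented plan reports no shared segments and a filtered path. The audit is deliberately pessimistic: sharing a segment is treated as full reachability, because on a shared broadcast domain the only thing stopping a host from joining a neighbouring subnet is its own configuration.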
