I would have to agree with Rob's recommendation; it will truly be the least 
amount of headache.

And with BIND 9, you can have DNS views that respond with the corresponding 
1.1.1.x address to outside hosts and respond with 192.168.2.x to inside 
hosts (but all for the same example.com domain namespace).  It's not hard to 
set up at all.

cheers,
jonathan
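An added example (not from Jonathan's message or from any product named in the thread) of the BIND 9 view setup he describes: the same example.com zone is answered with the 1.1.1.x addresses to outside hosts and with the 192.168.2.x addresses to LAN and OPT hosts, so LAN users reach the DMZ servers by FQDN without needing the firewall to reflect traffic. The addresses follow the thread (WAN 1.1.1.x, LAN 192.168.0.x, OPT 192.168.2.x, with 1.1.1.N mapping to 192.168.2.N as in Rob's port-forward plan); the host names ns1/www/mail, the ACL name and the file paths are assumptions.

```conf
// named.conf (BIND 9) - added example, not the poster's own config.
// Addresses are the ones quoted in the thread; host names and paths are assumed.

acl "inside" {
    127.0.0.0/8;
    192.168.0.0/24;      // LAN
    192.168.2.0/24;      // OPT / DMZ - servers there must also see internal answers
};

options {
    directory "/var/named";
    allow-transfer { none; };   // no zone transfers to anyone by default
    // recursion is decided per view below, never globally
};

// Views are tried in order; the first match-clients hit wins.
view "internal" {
    match-clients { "inside"; };
    recursion yes;               // inside hosts may use this box as their resolver
    zone "example.com" {
        type master;
        file "example.com.internal";
    };
};

view "external" {
    match-clients { any; };      // everything not matched above, i.e. the Internet
    recursion no;                // authoritative answers only, never an open resolver
    zone "example.com" {
        type master;
        file "example.com.external";
    };
};

// ---- /var/named/example.com.internal (answers given to LAN/OPT) ----
// $TTL 3600
// @     IN SOA ns1.example.com. hostmaster.example.com. (
//           2006081501 ; serial - bump independently of the external copy
//           3600 1800 604800 3600 )
//       IN NS  ns1.example.com.
// ns1   IN A   192.168.2.2
// www   IN A   192.168.2.3
// mail  IN A   192.168.2.4

// ---- /var/named/example.com.external (answers given to the Internet) ----
// $TTL 3600
// @     IN SOA ns1.example.com. hostmaster.example.com. (
//           2006081501 ; serial
//           3600 1800 604800 3600 )
//       IN NS  ns1.example.com.
// ns1   IN A   1.1.1.2
// www   IN A   1.1.1.3
// mail  IN A   1.1.1.4
```

Check the result with `named-checkconf` and `named-checkzone example.com /var/named/example.com.internal` before reloading, then query `www.example.com` against the server from a LAN host and from outside and confirm the two answers differ. Two points worth remembering: the OPT subnet must be in the "inside" ACL, otherwise the DMZ servers resolve each other to the public 1.1.1.x addresses and hairpin through the firewall; and every zone has to be declared in every view, since a view sees only the zones listed inside it.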

On Tuesday 15 August 2006 11:28, Geoff Brisbine wrote:
> We've only got 3 interfaces in our firewall, so there will only be OPT1.
>
> Is there a way to do this so I'm not required to address the OPT1
> servers with internal IP addresses?  I would have to worry about split
> DNS/etc to make sure that LAN people could access it via FQDN and I'd
> rather not worry.
>
> Is it possible to have it like...
>
> WAN - 1.1.1.1
> LAN - 192.168.0.1-255
> OPT1 - (1.1.1.2-1.1.1.5)
>
> ... so the servers are configured with their actual external IP
> addresses?  If we are required to use one of the IP addresses for the
> actual OPT1 interface I can live with that.
>
> Any ideas?
>
> Thanks,
>
> Geoff.
>
> On 8/15/06, Robert Mortimer <[EMAIL PROTECTED]> wrote:
> > > Greetings, all.
> > >
> > > We've got 5 static IP addresses (e.g. 1.1.1.1 - 1.1.1.5) from our ISP
> > > and we'd like to configure one for our WAN and the other 4 for our OPT
> > > (for public servers).
> > >
> > > WAN (1.1.1.1)
> > > LAN (192.168.0.1-255)
> > > OPT (1.1.1.2 - 1.1.1.5)
> > >
> > > I've tried this with bridging the WAN and OPT interfaces, but it
> > > doesn't seem to work.
> > >
> > > Is this possible?  If so, how would I go about it?
> >
> > Alternatively (1)
> >
> > WAN (1.1.1.1 - 1.1.1.5) virtual interfaces for 1.1.1.2 - 1.1.1.5
> > LAN (192.168.0.1-255)
> > OPT (192.168.2.1 - 192.168.2.5)
> >
> > OPT address is 192.168.2.1
> >
> > Put the servers on OPT as 192.168.2.2-192.168.2.5
> >
> > Port forward port 80 (and ssl if required) from virtual interfaces
> >  1.1.1.2 - 1.1.1.5 to the respective addresses on OPT
> >
> > Put in more relaxed rules from LAN to OPT so you can upload files for
> > webservers in OPT
> >
> > This is a classic DMZ setup that isolates the servers from your LAN i.e.
> > all of your webservers are NOT in the LAN
> >
> > It makes no difference if the firewall is compromised but it may make all
> > the difference if the webservers are.
> >
> > Alternatively (2)
> >
> > If you are not using the firewall for load balancing just put a hub in
> > front of the router and stick the web servers onto the internet. Be sure
> > to configure the local firewall on each webserver before plugging it in.
> > If you allow SSH (use SCP not FTP for upload) from your firewall and port
> > 80/SSL from ALL then block/drop the rest it should be pretty secure.
> >
> > Any use of FTP sends a logon password as clear text and rather undermines
> > your good work (the same applies to telnet [Soooo 20th century!])(This
> > can apply even if FTP is confined to your LAN).
> >
> > These are just a couple more suggestions; if you want, you can isolate the
> > web servers from each other, and so it goes on. Decide what your risk is
> > and act appropriately - always have a backup handy.
> >
> > ---Rob
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
