
Re: [suse-security] Setting up firewall with DMZ



/ 2004-01-09 15:21:19 +0200
\ Jaakko Tamminen:
> Hi All
> 
> I'm facing a new situation.
> 
> A company needs to add to their current network a DMZ zone.
> 
> Currently there is ADSL-modem with firewall, and LAN with C-class networking. 
> The ADSL/firewall is visible with IP 192.168.0.254.
> 
> Now I would like to connect a SuSEfirewall2 with DMZ between the ADSL/firewall 
> and the LAN, thus enabling a DMZ zone with a web-shop application.
> 
> Could someone guide me with subnets, what to choose.. I'm a little puzzled 
> here... 
> 
> I believe the DMZ should have either A or B class..?
> 
> Should I change the ADSL also to for example A-class, so that I would have 
> first A-class coming inward from the ADSL, then B-class for the DMZ, and 
> C-class for the LAN?

there is more to ip routing than just A,B,C ...

iiuc, you have now
	[ LAN: 192.168.0.0/24 ], expecting their default gw at 192.168.0.254

so you could choose to put in your 
	FW: 192.168.0.254  here, and connect it additionally to

for example your
	[ DMZ: 192.168.77.0/24 ]

as well as via the third nic to your ADSL router, which you could
reconfigure to announce itself as 192.168.33.42 ...
that way you won't even need to reconfigure your existing lan clients.


you end up with

 extern-ADSL-intern 
                | 192.168.33.42
                |
                `- 192.168.33.1 - SuSE FW - 192.168.77.254
                                   /          \
                        192.168.0.254          DMZ
                                 /               \- 192.168.77.1 - server1
                               LAN               \- 192.168.77.2 - server2
           box1 - 192.168.0.1 -/                 \- 192.168.77.3 - server3
           box2 - 192.168.0.2 -/
           box3 - 192.168.0.3 -/


both DMZ and LAN may be distinct class C networks
you of course can choose otherwise,
and use 10.2.4.8/16 for the DMZ, if you like :)

hth,

	Lars Ellenberg

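The point of the reply is that a DMZ is a matter of non-overlapping prefixes and longest-prefix routing, not of "class" letters. The following is an added example (not code from the list post or from SuSEfirewall2) that models the three-legged layout in the diagram above with Python's standard `ipaddress` module: it checks that the three legs do not overlap, resolves sample destinations the way a forwarding table would, confirms that the LAN keeps 192.168.0.254 as its gateway, and normalizes the alternative `10.2.4.8/16` prefix mentioned at the end. It assumes the ADSL leg is a /24 (the post only gives the two host addresses on it); the outside address 203.0.113.9 is a constructed sample value.

```python
from ipaddress import ip_address, ip_interface, ip_network


def make_legs(cidrs):
    """Build {leg_name: ip_interface} from {leg_name: 'addr/prefix'} strings."""
    return {name: ip_interface(cidr) for name, cidr in cidrs.items()}


# The three firewall legs from the diagram in the reply.  Assumption: the
# ADSL-facing leg is a /24; the post only names 192.168.33.1 and .42 on it.
FW_LEGS = make_legs({
    "ext": "192.168.33.1/24",    # towards the ADSL router
    "int": "192.168.0.254/24",   # LAN, keeps the old gateway address
    "dmz": "192.168.77.254/24",  # DMZ with the web-shop servers
})
ADSL_ROUTER = ip_address("192.168.33.42")


def overlapping_legs(legs):
    """Return pairs of leg names whose subnets overlap.

    Overlap is the real constraint when carving out a DMZ; the historical
    A/B/C class of an address plays no role in it.
    """
    items = list(legs.items())
    return [
        (a, b)
        for i, (a, ifa) in enumerate(items)
        for b, ifb in items[i + 1:]
        if ifa.network.overlaps(ifb.network)
    ]


def build_routes(legs, default_gw):
    """One connected route per leg plus a default route out of the 'ext' leg.

    Each entry is (network, next_hop_or_None, leg_name); None means the
    destination is directly connected on that leg.
    """
    routes = [(ifc.network, None, name) for name, ifc in legs.items()]
    routes.append((ip_network("0.0.0.0/0"), default_gw, "ext"))
    return routes


def route_lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ip_address(dst)
    best = None
    for net, via, leg in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, leg)
    return best


def egress_leg(routes, dst):
    """Name of the firewall leg a packet to dst is forwarded out of."""
    return route_lookup(routes, dst)[2]


def lan_clients_keep_gateway(legs, old_gateway="192.168.0.254"):
    """True if the LAN's previous default gateway address now sits on the FW."""
    return legs["int"].ip == ip_address(old_gateway)


def normalize_prefix(text):
    """Turn a host-style prefix such as '10.2.4.8/16' into its network."""
    return ip_network(text, strict=False)


if __name__ == "__main__":
    print("overlapping legs:", overlapping_legs(FW_LEGS) or "none")
    table = build_routes(FW_LEGS, ADSL_ROUTER)
    for dst in ("192.168.0.3", "192.168.77.2", "203.0.113.9"):
        net, via, leg = route_lookup(table, dst)
        print(f"{dst:>14} -> leg {leg} ({net}, via {via or 'directly connected'})")
    print("LAN clients keep their gateway:", lan_clients_keep_gateway(FW_LEGS))
    print("alternative DMZ prefix normalized:", normalize_prefix("10.2.4.8/16"))
```

Swapping the DMZ entry for something like `192.168.0.0/16` makes `overlapping_legs` report the clash with the LAN leg, which is the mistake the "class A or B" framing invites; with three disjoint /24s the lookup sends LAN, DMZ and Internet traffic out of the right leg purely by prefix length.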