Re: [suse-security] Setting up firewall with DMZ
/ 2004-01-09 15:21:19 +0200
\ Jaakko Tamminen:
> Hi All
> I'm facing a new situation.
> A company needs to add to their current network a DMZ zone.
> Currently there is ADSL-modem with firewall, and LAN with C-class networking.
> The ADSL/firewall is visible with IP 192.168.0.254.
> Now I would like to connect a SuSEfirewall2 with DMZ between the ADSL/firewall
> and the LAN, thus enabling a DMZ zone with a web-shop application.
> Could someone guide me with subnets, what to choose.. I'm a little puzzled
> I believe the DMZ should have either A or B class..?
> Should I change the ADSL also to for example A-class, so that I would have
> first A-class coming inward from the ADSL, then B-class for the DMZ, and
> C-class for the LAN?
there is more to ip routing than just A,B,C ...
iiuc, you have now
[ LAN: 192.168.0.0/24 ], expecting their default gw at 192.168.0.254
so you could choose to put in your
FW: 192.168.0.254 here, and connect it additionally to
for example your
[ DMZ: 192.168.77.0/24 ]
as well as via the third nic to your ADSL router, which you could
reconfigure to announce itself as 192.168.33.42 ...
that way you won't even need to reconfigure your existing lan clients.
you end up with
                      `- 192.168.33.1 - SuSE FW - 192.168.77.254
                                      /                         \- 192.168.77.1 - server1
                LAN                                              \- 192.168.77.2 - server2
                box1 - 192.168.0.1 -/                             \- 192.168.77.3 - server3
               box2 - 192.168.0.2 -/
              box3 - 192.168.0.3 -/
both DMZ and LAN may be distinct class C networks
you of course can choose otherwise,
and use 10.2.4.8/16 for the DMZ, if you like :)
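
The addressing plan from the reply above, checked with Python's ipaddress module (an added example, not part of the original thread). It verifies that every address sits inside its zone's subnet and that the zones do not overlap, and it shows that the prefix length is independent of the old A/B/C class. The /24 on the ADSL link and the zone and host labels are assumptions; the reply gives only the addresses.

```python
import ipaddress
from itertools import combinations

# Addressing plan from the reply. The /24 on the uplink segment is an
# assumption: the reply gives only the two addresses on that link.
PLAN = {
    "uplink": ("192.168.33.0/24", {"adsl-router": "192.168.33.42", "fw": "192.168.33.1"}),
    "dmz": ("192.168.77.0/24", {"fw": "192.168.77.254", "server1": "192.168.77.1",
                                "server2": "192.168.77.2", "server3": "192.168.77.3"}),
    "lan": ("192.168.0.0/24", {"fw": "192.168.0.254", "box1": "192.168.0.1",
                               "box2": "192.168.0.2", "box3": "192.168.0.3"}),
}

def legacy_class(addr):
    """Historical class of an address, decided by its first octet alone."""
    first = int(ipaddress.ip_address(addr)) >> 24
    return "A" if first < 128 else "B" if first < 192 else "C" if first < 224 else "D/E"

def check_plan(plan):
    """Return (networks, problems); an empty problem list means the plan routes."""
    nets, problems = {}, []
    for zone, (cidr, hosts) in plan.items():
        # strict=False accepts "10.2.4.8/16" and normalises it to 10.2.0.0/16
        net = nets[zone] = ipaddress.ip_network(cidr, strict=False)
        for name, ip in hosts.items():
            addr = ipaddress.ip_address(ip)
            if addr not in net:
                problems.append(f"{zone}: {name} {ip} is outside {net}")
            elif addr in (net.network_address, net.broadcast_address):
                problems.append(f"{zone}: {name} {ip} is reserved in {net}")
        if "fw" not in hosts:
            problems.append(f"{zone}: no firewall interface, zone is unreachable")
    # The firewall can only route (and filter) between zones that do not overlap.
    for (za, na), (zb, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{za} {na} overlaps {zb} {nb}")
    return nets, problems

if __name__ == "__main__":
    nets, problems = check_plan(PLAN)
    for zone, net in nets.items():
        cls = legacy_class(str(net.network_address))
        print(f"{zone:7} {net}  (first octet falls in legacy class {cls})")
    print("problems:", problems or "none")
```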