From: Filip Sneppe <filip.sneppe@cronos.be>
To: Mike <mikeeo@msn.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: different DMZs which is better?
Date: 13 Jan 2003 17:05:33 +0100
Message-ID: <1042473933.491.76.camel@xbox>
In-Reply-To: <001e01c2bb10$05d79300$9865fea9@win2k.com>
On Mon, 2003-01-13 at 15:28, Mike wrote:
> Hey guys, I'm deciding how I want to implement a DMZ for my company. Can anyone
> tell me the pros and cons of my DMZs below? Should I go with routable
> hosts in my DMZ and just filter out any port I don't want open, or just port
> forward certain ports and use IP aliases?
>
Hi Mike,

Using NAT in your setup is usually a good way to save IP
addresses. If you add one or more static routes to the
Cisco router, you don't even have to add aliases to eth0
on the Linux firewall. It'll also save you from fiddling
around with things like proxy ARP and subnetting your
IP address range, which could get pretty hairy.

Performance-wise, you shouldn't notice any difference when
NAT'ing IP addresses in all but the most serious setups
(how many hosts are we talking about? I am assuming
anything between 1 and 32 DMZ hosts. And what bandwidth
do you have available?).

One thing to watch out for with NAT is that certain protocols
are difficult to firewall/NAT. The really important ones
are fully covered in the kernel (FTP, IRC), and there are
a bunch of additional nat/conntrack helpers in patch-o-matic
to cover most protocols, but if you want to run some
weird protocol behind a NAT box, you may encounter some
difficulties. Again, things like HTTP, FTP, IRC, DNS,
POP3, IMAP, etc. will work just fine with iptables+NAT.

One possible disadvantage of NAT is that it may render
your network topology a bit less clear/intuitive for some
people...

Hope this helps...

Regards,
Filip
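The static-route-plus-NAT layout Filip describes, as an added example that is not part of the original thread: a script that emits the iptables rules for 1:1 NAT into a DMZ (DNAT in, SNAT out, default-deny FORWARD, FTP helpers loaded) so they can be reviewed before being applied. All addresses, interface names and the two sample hosts are constructed assumptions, not values from the post.

```shell
#!/bin/sh
# Assumed addressing (constructed for this example):
#   public range the Cisco routes to the firewall: 203.0.113.0/28 (TEST-NET-3)
#   DMZ segment behind eth1:                        172.16.10.0/24
#   firewall's own eth0 address:                    203.0.113.1
# The Cisco needs one static route for the public range pointing at
# 203.0.113.1, so no eth0 aliases are needed on the Linux box.
WAN_IF=eth0
DMZ_IF=eth1

# Base policy: drop forwarded traffic by default, allow reply traffic,
# and load the FTP helpers so FTP data connections survive NAT
# (2.4-era module names as in 2003; nf_conntrack_ftp/nf_nat_ftp today).
dmz_base() {
    echo "modprobe ip_conntrack_ftp"
    echo "modprobe ip_nat_ftp"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Emit (not run) the rules for one DMZ host: a static 1:1 mapping between
# its public and DMZ address, plus ACCEPT rules for the listed ports only.
# Usage: dmz_host PUBLIC_IP DMZ_IP "PORT[/PROTO] ..."   (PROTO defaults to tcp)
dmz_host() {
    pub=$1; dmz=$2; ports=$3
    echo "iptables -t nat -A PREROUTING  -i $WAN_IF -d $pub -j DNAT --to-destination $dmz"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $dmz -j SNAT --to-source $pub"
    for p in $ports; do
        proto=${p#*/}; port=${p%/*}
        [ "$proto" = "$p" ] && proto=tcp
        echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $dmz -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Number of ports a mapping exposes, for a quick sanity check during review.
dmz_open_ports() {
    dmz_host "$1" "$2" "$3" | grep -c 'j ACCEPT'
}

dmz_base
dmz_host 203.0.113.2 172.16.10.2 "80 443"        # web server
dmz_host 203.0.113.3 172.16.10.3 "21 25 53/udp"  # ftp, smtp, dns
```

Pipe the output to `sh` only after reviewing it; any port not listed for a host stays closed by the FORWARD DROP policy.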