Re: DMZ Question

["John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>]

On Mon, 2004-10-04 at 13:41, Deepak Seshadri wrote:
> Hello everybody,
> 
>  
> 
> 
> 
>                              --------------------------
> 
>                              |                               |     WAN
> (x.x.x.58/28, default gateway - x.x.x.49)
> 
>                              |       FC2           e0
> |-------------------------- ISP
> 
>              LAN         |                               |
> 
> -----------------------|  e1                         |     DMZ
> 
>     10.0.1.x            |                        e2
> |--------------------------
> 
>                              |                               |
> 
>                              |-------------------------|
> 
> I have 3 computers that need to have public addresses and their IP addresses
> are:
> 
> A - x.x.x.50/28, DG - x.x.x.49
> 
> B - x.x.x.51/28, DG - x.x.x.49
> 
> C - x.x.x.55/28, DG - x.x.x.49
> 
> Now the problem is I do not understand how I will give access to these PCs
> from public without putting these PCs on a different subnet. Some firewalls
> such as sonicwall do not require an IP for the DMZ port. You can add any
> number of IPs behind the DMZ and it works. How is that done? Is it possible
> with Linux?
> 
> If I connect them on the DMZ interface, should they all be put in a
> different subnet, probably with /29 bit mask? If I do it this way, should I
> use iptables & DNAT or should/can I use just the "routing" in linux?
> 
> If you have a better way to do it, please let me know. Any help will be
> greatly appreciated.
> 
> Thank you,
> 
> Deepak Seshadri
> 
>  
You have several different options.  You do not have to put the public
devices on a separate subnet but I would strongly recommend doing so. 
If the public has access, there is the chance that a public user can
crack into your publicly exposed device.  If the device sits on your
internal network, there is nothing between the intruder and the rest of
your private systems.

I would also recommend using DNAT and iptables access control.  This
way, you can restrict what services are exposed to the public and hide
the true addressing scheme.  If you really wanted to get tricky, you
could even alter the TTL so that only your publicly exposed services can
go any further than your ISP's router.

You will need to ensure that the public interface of the firewall
responds to ARP requests for the other addresses.  You do this by
binding those addresses to the physical interface, e.g., 

ip address add x.x.x.58/28 dev eth0 brd +

When it is released, ISCS (http://iscs.sourceforge.net) will do all of
this from NAT to access control to ARP to even TTL automatically.  Until
then, you'll need to set it up manually or use a rule configurator like
fwbuilder (http://www.fwbuilder.org).  Good luck - John
-- 
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com