From: Grant Taylor <gtaylor@riverviewtech.net>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: Forward to DMZ addresses
Date: Sat, 20 Aug 2005 17:19:38 -0500
Message-ID: <4307AC7A.40109@riverviewtech.net>
In-Reply-To: <56203.38.119.239.226.1124559049.squirrel@mail.innovativesource.net>

> I guess "exactly" = a setup similar to what I've seen commercial firewall
> products do, e.g. Sonicwall or Watchguard Firefox.  They have 3 NICS on
> the back, 1. connected to the T1 router, 2. connected to the LAN switch,
> 3. connected to the DMZ switch.  and rules are managed from the Sonicwall
> box itself... who knows what they're doing in the background... when we
> setup DMZ boxen, we connect them to the DMZ switch, assign them static
> addresses from our IP pool, create a rule allowing access, and off we go. 
> When shopping around for firewall products, I've also noticed that some
> specs say 3 NICS for DMZ/WAN/LAN connections sometimes more NICS (don't
> know why).  I'm trying to mimic this...  perhaps they have some heavy
> routing rules in the back, something that would I need to learn...

I have never used any of these "commercial" products as I have always been able to get Linux to do what I wanted it to do.  That or I have changed what I want so that it fits within what Linux can do, though I don't think this is very likely.

> It's funny that you've just described exactly what I want to do...

Hmm, maybe bridging is exactly what you want to do then and you just are not aware of it.

> I currently have 3 nics, one connected to the DMZ switch, one connected to
> the LAN switch, and the third to the T1 router (via the VLAN switch which
> I plan to remove in September)

If you want these three physical networks to have the same (logical) subnet then you will not be able to connect them via routing without doing some much more complex routing via DNAT/SNATing on a couple of different routers connected to them.  Sure, you could use UML routers and do all of this with one box, but this gets EXTREMELY complex for little gain.

>>act like two completely independent routers that
>>know nothing about the other unless your traffic comes in or goes a
>>specific pair of interfaces.
> 
> Yes!

Ok, this seems a bit silly to me but if this is the way that you want to go I'll be glad to help you.  The question that I do ask you is do you want a fourth physical interface or could it be a logical interface on the network?  If it could be a logical interface that is connected to the other interfaces via a bridge then that may be a bit better.  But this is up for discussion.

> all in all, all the information you've provided to me now makes sense...
> and it gives me a very good starting point for more Googling...

*nod*  Information is a good thing.



Grant. . . .
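The bridging approach Grant describes (three NICs sharing one logical subnet, with the firewall still deciding what may cross between WAN, LAN and DMZ), as an added example that is not part of this thread: a shell script that builds a Linux bridge over the three interfaces and then filters bridged traffic in the FORWARD chain with physdev matches. The interface names eth0/eth1/eth2, the bridge name br0, the DMZ host address and the use of iproute2 plus the br_netfilter sysctl are assumptions; it only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread). Bridge the WAN, LAN and DMZ NICs into
# one logical subnet and firewall between the segments. Names/addresses below
# are assumptions; 192.0.2.10 is a documentation address standing in for a
# published DMZ web server.
WAN_IF=${WAN_IF:-eth0}; LAN_IF=${LAN_IF:-eth1}; DMZ_IF=${DMZ_IF:-eth2}
BR=${BR:-br0}
DMZ_WEB=${DMZ_WEB:-192.0.2.10}

# In DRY_RUN mode (the default) every command is printed instead of executed,
# so the plan can be reviewed before it touches a live firewall.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Create the bridge, enslave the three physical NICs, and make bridged
# frames visible to iptables (requires the br_netfilter module).
bridge_setup() {
  run ip link add name "$BR" type bridge
  for i in "$WAN_IF" "$LAN_IF" "$DMZ_IF"; do
    run ip link set "$i" master "$BR"
    run ip link set "$i" up
  done
  run ip link set "$BR" up
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Default-deny between segments; LAN may go anywhere, WAN may only reach the
# published DMZ service, and DMZ hosts never initiate traffic into the LAN.
bridge_rules() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m physdev --physdev-in "$LAN_IF" -j ACCEPT
  run iptables -A FORWARD -m physdev --physdev-in "$WAN_IF" --physdev-out "$DMZ_IF" \
      -d "$DMZ_WEB" -p tcp --dport 80 -j ACCEPT
  run iptables -A FORWARD -m physdev --physdev-in "$DMZ_IF" --physdev-out "$LAN_IF" -j DROP
}
```

Run `bridge_setup` and `bridge_rules` once to see the plan, then `DRY_RUN=0` to apply it.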

