Linux Netfilter discussions
From: "José R. \"Xous\" Negreira" <xous@xouslab.com.ar>
To: netfilter@lists.netfilter.org
Subject: Re: DMZ howto
Date: Thu, 22 Sep 2005 23:47:36 -0300
Message-ID: <43336CC8.3060409@xouslab.com.ar>
In-Reply-To: <BAY102-F29D9416051B9CA35CFD107AE970@phx.gbl>

Hi,

First of all, technically and strictly speaking... a DMZ is not (always) 
a subnet. A DMZ is an independent network with a completely different IP 
range.
You can have an internal network of 192.168.1.0/24, and a DMZ of 
10.1.1.0/24, just to give an example....
Possible question: But... may it be a subnet?? Yes! Of course... but it's 
not a must!


Your question:
My  ISP assigns me  a dynamic ip , therefore, is that a limitation
that could not allow me to develop the dmz subnet ?

short answer:
No, there's no limitation, AFAIK

long answer:
So now you have some doubts about the IP assignments, huh? Well... first 
of all, put the DMZ concept aside. Just to clarify concepts... I tell you 
more, this shouldn't bother you too much!

You want to publish a web server, and the problem is how people outside 
reach your web server.
If you have a static IP, there's no problem. People will reach you by 
typing http://xx.xx.xx.xx in the browser, being the xx.xx.. your IP 
address. But...that means that you have a web server INSTALLED on the 
firewall.... too bad. You want to have it on another machine, right?

You will have a public IP, it doesn't matter if it's static or dynamic. 
In both cases, you'll want to use FORWARDING, and NAT (Network Address 
Translation), and that's now actually your real problem. What you do is 
simply 'touching' each packet header that traverses the firewall, and 
redirecting it wherever *you* want.

Suppose that you have not one machine, but 3 webservers, but... Oh My 
God, you have only one IP!!  Well, using NAT, you can (for example) let 
people access each webserver by typing:
http://xx.xx.xx.xx:80 (redirect to serverA, port 80)
http://xx.xx.xx.xx:81 (redirect to serverB, port 80)
http://xx.xx.xx.xx:82 (redirect to serverC, port 80)

How to do NAT? The answer is in the question: (Recommended reading - NAT 
HOWTO)

So, as you can see, from the outside your network(s) are reduced to only 
one host (the firewall); behind it, it doesn't matter if it is just the 
firewall itself, a small network, one big network, 
or..... two or more *networks* (yes, you can bring the DMZ concept back 
here!)!!. From the outside, it's transparent!!

Well, re-reading this answer, it seemed to me like a big "concept 
salad", but... I tried a shot, hope it helped a bit! :)
And good luck!

Regards

-- 
_____________________________________________
Jose R. "Xous" Negreira.
PortalJAVA.com.ar - http://www.portalJAVA.com.ar <--  ** new!!! ** :P
XousLAB - http://www.xouslab.com
iptableslinux - http://www.iptableslinux.com
RDP - http://www.relacionesdepareja.com.ar



P theodorou wrote:

>
>
>
> Thank all of you for the replies,
>
> I have now a good understanding of
> the subject, but before proceeding into building the dmz subnet I need
> to ask something:
>
> My  ISP assigns me  a dynamic ip , therefore, is that a limitation
> that could not allow me to develop the dmz subnet ?
>
> Is that correct or inaccurate? Visitors shall need to type my ip to
> access my webpage, but what I'm interested in is the development
> of the firewall itself in terms of securing a network. It will never be
> used for real cases; it is just for me to understand.
> The script that I have suggested uses static ip
>
> # 1.1 Internet Configuration.
> #
> INET_IP="194.236.50.152"
> HTTP_IP="194.236.50.153"
> DNS_IP="194.236.50.154"
> INET_IFACE="eth0"
> So,
> Can I develop a dmz subnet without a static ip and have dmz'ed services
> be accessed on the Internet?
>
> Regards
>
>
>
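The scheme the reply describes (three web servers in a DMZ reached through one public address on ports 80, 81 and 82, with the public IP being dynamic) as an added example script; this is not code from the original message, from the quoted script, or from the NAT HOWTO. The interface names (eth0/eth1/eth2), the three server addresses in 10.1.1.0/24 and the LAN interface are assumptions; the two private ranges are the ones the reply mentions. The point it makes explicit is that none of the rules contain the public address: they match on the incoming interface and use MASQUERADE for outbound NAT, so a change of the ISP-assigned IP needs no rule change. By default the script only prints the iptables commands (IPT="echo iptables"); set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: publish three DMZ web servers behind one dynamic public IP
# using netfilter DNAT, and keep the DMZ from reaching the internal LAN.
# Dry run by default; run with IPT=iptables as root to apply for real.
IPT="${IPT:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"   # assumption: interface holding the public (dynamic) IP
DMZ_IFACE="${DMZ_IFACE:-eth1}"     # assumption: interface facing the DMZ
LAN_IFACE="${LAN_IFACE:-eth2}"     # assumption: interface facing the internal LAN
DMZ_NET="10.1.1.0/24"              # DMZ range used in the reply
LAN_NET="192.168.1.0/24"           # internal range used in the reply
SERVER_A="10.1.1.10"               # constructed server addresses inside the DMZ
SERVER_B="10.1.1.11"
SERVER_C="10.1.1.12"

# Public port -> DMZ server mapping, one "port ip" pair per line.
port_map() {
    printf '%s\n' "80 $SERVER_A" "81 $SERVER_B" "82 $SERVER_C"
}

# DNAT each public port to port 80 of its server, and open only that
# translated flow in FORWARD. Matching on -i $INET_IFACE instead of a
# hardcoded address is what makes a dynamic public IP irrelevant here.
dnat_rules() {
    port_map | while read -r pub_port srv_ip; do
        $IPT -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport "$pub_port" \
            -j DNAT --to-destination "$srv_ip:80"
        $IPT -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -p tcp -d "$srv_ip" \
            --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    done
}

# Segmentation between the DMZ and the internal network, plus outbound NAT.
# Order matters: the DROP for DMZ -> LAN must precede any broad ACCEPT.
dmz_isolation_rules() {
    # Replies and related traffic for flows already accepted.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A compromised DMZ host must not be able to open connections to the LAN.
    $IPT -A FORWARD -i "$DMZ_IFACE" -d "$LAN_NET" -j DROP
    # DMZ hosts and LAN hosts may open connections to the Internet.
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$INET_IFACE" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j ACCEPT
    # MASQUERADE rather than SNAT: the source address is taken from the
    # interface at match time, so it follows the ISP-assigned IP.
    $IPT -t nat -A POSTROUTING -o "$INET_IFACE" -s "$DMZ_NET" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_NET" -j MASQUERADE
}

# Helper for checking the generated rule set in dry-run mode.
count_dnat_rules() {
    dnat_rules | grep -c -- '-j DNAT'
}

# Emit (or apply) the full rule set. IP forwarding itself must be enabled
# separately: sysctl -w net.ipv4.ip_forward=1
dnat_rules
dmz_isolation_rules
```

The FORWARD policy is assumed to be DROP, so only the explicitly listed flows pass: inbound only to the three servers on port 80 after translation, and nothing from the DMZ toward 192.168.1.0/24. Everything else (default policies, loopback, the firewall's own INPUT chain) is out of scope for this example and belongs in the rest of the script the question refers to.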




