 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DMZ by IP?
 Date:  Sun, 5 Dec 2004 05:06:35 -0500
On Sat, 04 Dec 2004 21:11:56 -0500, Max Khitrov <mkhitrov at umd dot edu> wrote:
> Hi everyone,
> 
> Just a little curious, I don't have my server up yet, but when it's
> ready to go I would need to connect it and make it accessible from the
> outside of my network. Is it possible to set this up by IP, or is the
> only way to have a DMZ host a 3rd NIC?

A publicly accessible host is not the same thing as a DMZ.  You can
configure inbound NAT to the LAN to accomplish what you are talking
about.

A DMZ would be a separate network on a 3rd interface, isolated from
LAN access as much as possible.  I frequently run into situations like
this, where you really *should* put it on a DMZ, but you need
significant network throughput between the host in question and hosts
on your LAN.  So do you spend 10+ times as much on your firewall so it
can route the speed you need, or leave the host in question on the
LAN?  Depends on the environment, and level of risk.  You'll have to
assess that and make that judgement call.  If you need to route
gigabit speeds, you'll need a Xeon m0n0wall box or high end P4/AMD.

-Chris
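
An added example, not part of the original message: a small Python model of the two placements discussed above, showing which LAN services a compromised public server could still open connections to. The addresses, host names, ports and DMZ rule set are constructed assumptions; same-subnet traffic is treated as switched on the segment, which is also why the LAN placement avoids the routing throughput cost.

```python
import ipaddress

# Constructed sample networks and hosts (assumptions, not from the message).
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.2.0/24")
LAN_HOSTS = {"workstation": "192.168.1.50", "fileserver": "192.168.1.60"}

# First-match rules for routed traffic: (source net, dest net, port or None, action).
# Assumed policy: the DMZ host may reach one database port on the LAN, nothing else.
DMZ_RULES = [
    (DMZ, ipaddress.ip_network("192.168.1.60/32"), 5432, "pass"),
    (DMZ, LAN, None, "block"),
    (LAN, DMZ, None, "pass"),
]

def path(src, dst, port, rules):
    """Return how a packet from src to dst:port is handled.

    'switched'       same subnet: delivered on the segment, the firewall
                     never sees it, so no rule can filter it
    'pass' / 'block' routed through the firewall and matched against rules
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in (LAN, DMZ):
        if s in net and d in net:
            return "switched"
    for src_net, dst_net, rule_port, action in rules:
        if s in src_net and d in dst_net and rule_port in (None, port):
            return action
    return "block"  # default deny for anything not matched

def exposure(server_ip, rules, ports=(22, 445, 5432)):
    """LAN (host, port) pairs a compromised server could open connections to."""
    return sorted(
        (name, port)
        for name, ip in LAN_HOSTS.items()
        for port in ports
        if path(server_ip, ip, port, rules) in ("switched", "pass")
    )

if __name__ == "__main__":
    # Inbound NAT to a LAN host: the firewall has no say over server-to-LAN traffic.
    print("server on LAN behind inbound NAT:", exposure("192.168.1.10", []))
    # Third interface: only what the rules explicitly pass is reachable.
    print("server on DMZ interface:", exposure("192.168.2.10", DMZ_RULES))
```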