On Thu, 2005-06-09 at 10:20, Kamil dot Wencel at hvbpensionsfonds dot de wrote:

> [...] "I am amazed how lack of fantasy can try to diminish a perfectly good question."
>
> > for multiple dmz's for example, if one box fails the others get nothing to work
> > with anyways,

Correct if the firewall dies, but if a server on DMZ1 is compromised, there is still no access to DMZ2, DMZ3 etc. (except for the pinholes to the other DMZs, if that's required ;-) )

> so using one box with multiple interfaces is okay from my point of view.

That is usually the case. Let's assume you have a m0n0 with 6 interfaces:

fxp0 = WAN  -> connect to whatever links you up
fxp1 = DMZ  -> let's assume some reverse proxies, mail scanner gateways etc.
fxp2 = ADMZ -> some real application servers (2nd tier)
fxp3 = BDMZ -> segment for database host (3rd tier) serving the 2nd tier, to be protected from outside and from mischief from inside
fxp4 = CDMZ -> segment for loghost / out-of-band management
fxp5 = LAN  -> all internal clients

Of course you have to drill some pinholes from one DMZ to another to keep everything working. You can set this up with 12 fault-tolerant boxes (as mentioned before, if one box fails all the others are unemployed as well) or just ONE m0n0wall with multiple interfaces.

I had to set up something like that once and struggled with the limitations of Smoothwall and some other web-based Linux/BSD firewall systems. This is how I stumbled over m0n0wall in the first place. It does not limit the number of usable interfaces. I don't see how compromising a host in a DMZ would compromise the whole system? Also it has little to no performance impact. My test setup was using a PIII 733 CPU with 256MB RAM and the machine barely noticed anything.

But while we are at it, there is something about this setup that bothers me:

Assume I have got 13 usable IP addresses (63.64.65.129+) and I would like to have the hosts in the DMZ use their real IP addresses and not be NATed.

WAN is connected to an xDSL router, 63.64.65.128

fxp0 = WAN  -> 63.64.65.129
fxp1 = DMZ  -> mail (63.64.65.130), www reverse proxy (63.64.65.131), www ssl (63.64.65.132, 63.64.65.133 etc.)
fxp2 = ADMZ -> NATed hosts (171.16.1.0/24)
fxp3 = BDMZ -> NATed hosts (171.16.2.0/24)
fxp4 = CDMZ -> NATed hosts (171.16.3.0/24)
fxp5 = LAN  -> NATed hosts (192.168.1.0/24)

If I understood former discussions correctly, I cannot use filtered bridge mode because I would never again be able to connect to my DMZ hosts from my LAN. How am I supposed to set up something like that?

For testing purposes I set up something like that and tried to use 1:1 NAT to reach a DMZ box via ssh. But it did not work out.

Any ideas would be greatly appreciated.

Kamil Wencel
RADION Digital Research & Innovation
http://www.radion.org
wencel (at) radion (dot) org
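The segmentation argument in the post (one firewall, six interfaces, default deny between segments, explicit pinholes only) can be checked rather than argued about. The following is an added example, not code from the post or from m0n0wall: it models the six segments and the pinholes as an ordered rule table with first-match semantics and an implicit default deny, the way `quick` rules behave in the ipfilter ruleset m0n0wall generates, and then computes what a compromised host in each tier could still reach. The subnets are the ones given in the post; the service addresses inside ADMZ, BDMZ and CDMZ (171.16.1.10 app server, 171.16.2.10 database, 171.16.3.10 loghost), the pinhole ports, and the service inventory are assumptions. It models the filter logic only and does not address the public-IP/1:1 NAT question the post leaves open.

```python
"""Tiered-DMZ policy model for the six-interface m0n0wall design in the thread.
Added example: segments from the post, internal service addresses and ports assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# Segments as listed in the post (fxp1..fxp5); anything else is on the WAN side (fxp0).
SEGMENTS = {
    "DMZ":  Net("63.64.65.128/28"),
    "ADMZ": Net("171.16.1.0/24"),
    "BDMZ": Net("171.16.2.0/24"),
    "CDMZ": Net("171.16.3.0/24"),
    "LAN":  Net("192.168.1.0/24"),
}

# Tiering policy: which zone may originate flows into which zone at all.
ALLOWED_PAIRS = {("WAN", "DMZ"), ("DMZ", "ADMZ"), ("ADMZ", "BDMZ"),
                 ("DMZ", "CDMZ"), ("ADMZ", "CDMZ"), ("BDMZ", "CDMZ")}
ALLOWED_PAIRS |= {("LAN", z) for z in ("WAN", "DMZ", "ADMZ", "BDMZ", "CDMZ")}

def zone_of(ip) -> str:
    addr = ipaddress.IPv4Address(str(ip))
    return next((z for z, net in SEGMENTS.items() if addr in net), "WAN")

def host(ip: str) -> Net:
    return Net(f"{ip}/32")

def _match(spec, addr) -> bool:
    """A rule endpoint is either a zone name or an address block."""
    return addr in spec if isinstance(spec, Net) else zone_of(addr) == spec

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: object            # zone name (str) or Net
    dst: object
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any port

    def matches(self, src, dst, proto, dport) -> bool:
        return (_match(self.src, src) and _match(self.dst, dst)
                and self.proto in ("any", proto) and self.dport in (None, dport))

# Ordered pinholes; first match wins, like `quick` rules in ipf.
# Assumed: 171.16.1.10 app server, 171.16.2.10 database, 171.16.3.10 loghost.
RULES = [
    Rule("pass", "WAN", host("63.64.65.130"), "tcp", 25),                  # mail gateway
    Rule("pass", "WAN", host("63.64.65.131"), "tcp", 80),                  # reverse proxy
    Rule("pass", "WAN", Net("63.64.65.132/31"), "tcp", 443),               # www ssl pair
    Rule("pass", host("63.64.65.131"), host("171.16.1.10"), "tcp", 8080),  # proxy -> app server
    Rule("pass", host("171.16.1.10"), host("171.16.2.10"), "tcp", 5432),   # app server -> database
    Rule("pass", "DMZ",  host("171.16.3.10"), "udp", 514),                 # syslog to loghost
    Rule("pass", "ADMZ", host("171.16.3.10"), "udp", 514),
    Rule("pass", "BDMZ", host("171.16.3.10"), "udp", 514),
    Rule("pass", "LAN", "DMZ",  "tcp", 22),                                # admin ssh into each tier
    Rule("pass", "LAN", "ADMZ", "tcp", 22),
    Rule("pass", "LAN", "BDMZ", "tcp", 22),
    Rule("pass", "LAN", "CDMZ", "tcp", 22),
    Rule("pass", "LAN", "WAN", "any", None),                               # LAN -> Internet
]

def allowed(src_ip, dst_ip, proto, dport) -> bool:
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    if zone_of(src) == zone_of(dst):
        return True            # same wire: the firewall never sees this traffic
    for rule in RULES:
        if rule.matches(src, dst, proto, dport):
            return rule.action == "pass"
    return False               # nothing matched: default deny

# Constructed inventory of listening services, used to compute blast radius.
SERVICES = [
    ("63.64.65.130", "tcp", 25), ("63.64.65.131", "tcp", 80), ("63.64.65.132", "tcp", 443),
    ("171.16.1.10", "tcp", 8080), ("171.16.1.10", "tcp", 22),
    ("171.16.2.10", "tcp", 5432), ("171.16.2.10", "tcp", 22),
    ("171.16.3.10", "udp", 514), ("171.16.3.10", "tcp", 22),
]

def reachable_from(src_ip):
    """Every listed service a host at src_ip could open a connection to."""
    return {s for s in SERVICES if s[0] != src_ip and allowed(src_ip, *s)}

def blast_radius_ok(compromised_ip, forbidden_zones) -> bool:
    """True when a compromised host cannot reach any service in forbidden_zones."""
    return all(zone_of(ip) not in forbidden_zones for ip, _, _ in reachable_from(compromised_ip))

def _spec_zone(spec) -> str:
    return spec if isinstance(spec, str) else zone_of(spec.network_address)

def tier_violations(rules):
    """Pass rules whose zone pair is outside ALLOWED_PAIRS, e.g. a WAN -> BDMZ pinhole."""
    return [r for r in rules if r.action == "pass"
            and (_spec_zone(r.src), _spec_zone(r.dst)) not in ALLOWED_PAIRS]

if __name__ == "__main__":
    for victim in ("63.64.65.131", "171.16.1.10"):
        print(victim, zone_of(victim), "->", sorted(reachable_from(victim)))
    print("tier violations:", tier_violations(RULES))
```

Two things the model makes visible that the prose only asserts: a compromised reverse proxy in the DMZ gets exactly one hop inward (the app server port and the loghost) and nothing in BDMZ or LAN, while a compromised app server does reach the database port, because that pinhole has to exist; and hosts on the same segment are not protected from each other at all, since that traffic never crosses the firewall. `tier_violations` is the check to run on the ruleset itself whenever a pinhole is added, so a "temporary" WAN-to-database rule cannot slip in unnoticed.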