On Thu, 2005-06-09 at 10:20, Kamil dot Wencel at hvbpensionsfonds dot de wrote:
> [...] "I am amazed how lack of phantasy can try to diminish a perfectly good question."
> for multiple dmz's for example, if one box fails the others get nothing to work
> with anyways,
Correct, if the firewall dies; but if a server on DMZ1 is compromised,
there is still no access to DMZ2, DMZ3, etc. (except for the pinholes to
the other DMZs, if that's required ;-) )
> so using one box with multiple interfaces is okay from my point of view.
That is usually the case. Let's assume you have a m0n0 with 6 interfaces:
fxp0 = WAN -> connect to whatever links you up
fxp1 = DMZ -> let's assume some reverse proxies, mail scanner gateways etc.
fxp2 = ADMZ -> some real application servers ( 2nd Tier )
fxp3 = BDMZ -> segment for database host ( 3rd Tier ) serving 2nd Tier, to be protected from outside and mischief from inside
fxp4 = CDMZ -> segment for loghost / out-of-band management
fxp5 = LAN -> all internal clients
Of course you have to drill some pinholes from one DMZ to another to keep everything working.
You can set this up with 12 fault tolerant boxes ( as mentioned before, if one box fails all others
are unemployed as well ) or just ONE m0n0wall with multiple interfaces. I had to set up something
like that once and struggled over the limitations of smoothwall and some other web-based linux/bsd
systems. This is how I stumbled over m0n0wall in the first place. It does not limit the number of
I don't see how compromising a host in the DMZ would compromise the whole system?
Also it has little to no performance impact. My test setup utilized a PIII 733 CPU with
256MB RAM and the machine barely noticed anything.
But once we are at it, there is something about this setup bothering me:
Assuming I have got 13 usable IP addresses (188.8.131.52+) and I would like to have
the hosts in the DMZ use their real IP addresses and not be NATed.
WAN is connected to an xDSL Router 184.108.40.206
fxp0 = WAN -> 220.127.116.11
fxp1 = DMZ -> mail ( 18.104.22.168 ), www reverse proxy ( 22.214.171.124 ), www ssl ( 126.96.36.199, 188.8.131.52 etc. )
fxp2 = ADMZ -> NATed Hosts ( 184.108.40.206/24 )
fxp3 = BDMZ -> NATed Hosts ( 220.127.116.11/24 )
fxp4 = CDMZ -> NATed Hosts ( 18.104.22.168/24 )
fxp5 = LAN -> NATed Hosts ( 192.168.1.0/24 )
If I understood former discussions correctly, I cannot use filtered bridge mode because I would never
be able to connect to my DMZ hosts from my LAN. How am I supposed to set up something like that?
For testing purposes I set up something like that and tried to use 1:1 NAT to reach a DMZ box via
But it did not work out. Any ideas would be greatly appreciated.
RADION Digital Research & Innovation
wencel (at) radion (dot) org
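An added example, not code from the thread or from m0n0wall: a small Python audit of the six-segment layout described above. It models the interfaces as segments with a default deny between them, lists the drilled pinholes, and computes both what a host in one segment can reach directly and what it could reach in the worst case if every hop along the pinholes were compromised in turn. The segment names follow the post; the pinhole list and service names are assumptions.

```python
# Constructed pinhole policy for the six-segment layout in the post.
# Segment names follow the mail; the pinholes themselves are assumptions.
from collections import deque

SEGMENTS = ["WAN", "DMZ", "ADMZ", "BDMZ", "CDMZ", "LAN"]

# (source segment, destination segment, service). Everything not listed
# here is denied, which is what makes the tiers meaningful.
PINHOLES = [
    ("WAN",  "DMZ",  "smtp"),      # internet -> mail scanner gateway
    ("WAN",  "DMZ",  "https"),     # internet -> reverse proxy / www ssl
    ("DMZ",  "ADMZ", "http"),      # reverse proxy -> 2nd tier app servers
    ("ADMZ", "BDMZ", "postgres"),  # 2nd tier -> 3rd tier database host
    ("DMZ",  "CDMZ", "syslog"),    # every tier ships logs to the loghost
    ("ADMZ", "CDMZ", "syslog"),
    ("BDMZ", "CDMZ", "syslog"),
    ("LAN",  "DMZ",  "ssh"),       # admins reach DMZ hosts from the LAN
    ("LAN",  "CDMZ", "ssh"),       # admins reach the management segment
]

def allowed(src, dst, service, pinholes=PINHOLES):
    """True only if an explicit pinhole permits src -> dst for service."""
    return (src, dst, service) in pinholes

def direct_reach(src, pinholes=PINHOLES):
    """Segments a host in `src` can open a connection to (any service)."""
    return sorted({d for s, d, _ in pinholes if s == src})

def exposure(src, pinholes=PINHOLES):
    """Worst case: segments reachable if each hop along the pinhole graph is
    compromised in turn. This is a transitive closure over PINHOLES, which
    shows what a single compromised DMZ host could eventually lead to."""
    seen, queue = set(), deque([src])
    while queue:
        cur = queue.popleft()
        for s, d, _ in pinholes:
            if s == cur and d != src and d not in seen:
                seen.add(d)
                queue.append(d)
    return sorted(seen)

if __name__ == "__main__":
    for seg in SEGMENTS:
        print(f"{seg:5} direct={direct_reach(seg)} worst-case={exposure(seg)}")
```

Run as-is, it shows that a compromised DMZ host reaches only ADMZ and CDMZ directly and never the LAN, while the database tier is only exposed through a second compromise of the application tier.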