On Thu, 2005-06-09 at 14:32, Kamil dot Wencel at hvbpensionsfonds dot de wrote:
> fxp0 = WAN -> connect to whatever links you up
> fxp1 = DMZ -> let's assume some reverse proxies, mail scanner gateways etc.
> fxp2 = ADMZ -> some real application servers ( 2nd Tier )
> fxp3 = BDMZ -> segment for database host ( 3rd Tier ) serving 2nd Tier to be protected from
outside and mischief from inside
> fxp4 = CDMZ -> segment for loghost / outband management
> fxp5 = LAN -> all internal clients
> I don't see how compromising a host in DMZ would compromise the whole system ?
Not in general, but if a host is compromised, it gives a nice platform
with a good connection to other hosts n the same segment.
By firewalling each server to its own segment that would reduce the risk
of compromising the next host.
> But once we are at it there is something with this setup bothering me :
> Assuming I have got 13 usable IP addresses (126.96.36.199+) and I would like to have
> the hosts in DMZ use their real IP Adresses and not to be NATed.
I guess you have a /28 net (16 adresses) - ok one bcast, one net and one
remote router adress is reserved, but anyhow ;-)
> WAN is connected to a xDSL Router 188.8.131.52
> fxp0 = WAN -> 184.108.40.206
> fxp1 = DMZ -> mail ( 220.127.116.11 ), www reverse proxy ( 18.104.22.168 ), www ssl ( 22.214.171.124,
126.96.36.199 etc. )
> fxp2 = ADMZ -> NATed Hosts ( 188.8.131.52/24 )
> fxp3 = BDMZ -> NATed Hosts ( 184.108.40.206/24 )
> fxp4 = CDMZ -> NATed Hosts ( 220.127.116.11/24 )
> fxp5 = LAN -> NATed Hosts ( 192.168.1.0/24 )
> If I understood former discussions correctly I cannot use filtered bridge mode because I would
never again be
> able to connect to my DMZ hosts from my LAN.
I don't know if its a problem, but I don't see why.
The NAT-problem is that you can't connect to a WAN-port (here eg
18.104.22.168:22) that if natted into a dmz or lan-host.
I would expect it to work, but have no idea if I'm wrong on that one.
> How am I supposed to set up something like that ?
> For testing purposes I set up something like that and tried to use 1:1 NAT to reach a DMZ box via
> But it did not work out. Any ideas would be greatly appreciated.
That would be kille due to the NAT-problem
Henning Wangerin <mailinglists dash after dash 041101 underscore reply dash not dash possible at hpc dot dk>