 From:  Henning Wangerin <mailinglists dash after dash 041101 underscore reply dash not dash possible at hpc dot dk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: AW: AW: AW: [m0n0wall] How many ports?
 Date:  Thu, 09 Jun 2005 15:29:13 +0200
On Thu, 2005-06-09 at 14:32, Kamil dot Wencel at hvbpensionsfonds dot de wrote:

> fxp0 = WAN -> connect to whatever links you up
> fxp1 = DMZ -> let's assume some reverse proxies, mail scanner gateways etc.
> fxp2 = ADMZ -> some real application servers ( 2nd Tier )
> fxp3 = BDMZ -> segment for database host ( 3rd Tier ) serving 2nd Tier to be protected from outside and mischief from inside
> fxp4 = CDMZ -> segment for loghost / outband management
> fxp5 = LAN -> all internal clients

> I don't see how compromising a host in DMZ would compromise the whole system ?

Not in general, but if a host is compromised, it gives a nice platform
with a good connection to other hosts on the same segment.

By firewalling each server into its own segment, you would reduce the risk
of compromising the next host.

> But once we are at it there is something with this setup bothering me :
> 
> Assuming I have got 13 usable IP addresses (63.64.65.129+) and I would like to have
> the hosts in DMZ use their real IP addresses and not to be NATed.

I guess you have a /28 net (16 addresses) - ok one bcast, one net and one
remote router address is reserved, but anyhow ;-)

> WAN is connected to a xDSL Router 63.64.65.128
> 
> fxp0 = WAN -> 63.64.65.129
> fxp1 = DMZ -> mail ( 63.64.65.130 ), www reverse proxy ( 63.64.65.131 ), www ssl ( 63.64.65.132, 63.64.65.133 etc. )
> fxp2 = ADMZ -> NATed Hosts ( 171.16.1.0/24 )
> fxp3 = BDMZ -> NATed Hosts ( 171.16.2.0/24 )
> fxp4 = CDMZ -> NATed Hosts ( 171.16.3.0/24 )
> fxp5 = LAN ->  NATed Hosts ( 192.168.1.0/24 )
> 
> If I understood former discussions correctly I cannot use filtered bridge mode because I would never again be
> able to connect to my DMZ hosts from my LAN.

I don't know if it's a problem, but I don't see why.

The NAT problem is that you can't connect to a WAN port (here e.g.
63.64.65.129:22) that is NATed into a DMZ or LAN host.

I would expect it to work, but have no idea if I'm wrong on that one.

> How am I supposed to set up something like that ?
> For testing purposes I set up something like that and tried to use 1:1 NAT to reach a DMZ box via ssh.
> But it did not work out. Any ideas would be greatly appreciated.

That would be killed due to the NAT problem.

-- 
Henning Wangerin <mailinglists dash after dash 041101 underscore reply dash not dash possible at hpc dot dk>
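The address plan quoted in this thread (a /28 of public space on WAN and DMZ, NATed segments behind the other interfaces) is the kind of thing worth sanity-checking before it goes into m0n0wall. The script below is an added example, not code from the thread or from the m0n0wall project: it takes the provider block, the upstream router address and the per-interface plan exactly as quoted above (embedded here as constructed input), counts the addresses actually assignable to your own hosts, and reports plan defects such as a public address that falls outside the provider block, a reused address, an internal segment that is not in a private address range, or internal segments that overlap each other or the public block. The segment names, the `check_plan` and `usable_public_hosts` functions and the wording of the findings are this example's own.

```python
"""Sanity-check a multi-segment firewall address plan (added example, not from the thread)."""
import ipaddress

# Constructed from the quoted message: the provider block and the upstream xDSL router.
PROVIDER_BLOCK = "63.64.65.128/28"
UPSTREAM_ROUTER = "63.64.65.128"

# Interfaces whose hosts carry public, un-NATed addresses: name -> host addresses.
PUBLIC_SEGMENTS = {
    "fxp0 WAN": ["63.64.65.129"],
    "fxp1 DMZ": ["63.64.65.130", "63.64.65.131", "63.64.65.132", "63.64.65.133"],
}

# Interfaces hidden behind NAT: name -> internal network (values as quoted in the thread).
NATED_SEGMENTS = {
    "fxp2 ADMZ": "171.16.1.0/24",
    "fxp3 BDMZ": "171.16.2.0/24",
    "fxp4 CDMZ": "171.16.3.0/24",
    "fxp5 LAN": "192.168.1.0/24",
}


def usable_public_hosts(block, router):
    """Addresses in the provider block that can be assigned to our own hosts."""
    net = ipaddress.ip_network(block)
    router_ip = ipaddress.ip_address(router)
    # hosts() already leaves out the network and broadcast addresses;
    # the upstream router's address is taken as well.
    return [str(h) for h in net.hosts() if h != router_ip]


def check_plan(block, router, public_segments, nated_segments):
    """Return human-readable findings; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(block)
    router_ip = ipaddress.ip_address(router)
    findings = []

    # The upstream router must sit inside the block on a real host address.
    if router_ip not in net:
        findings.append(f"router {router} is outside {block}")
    elif router_ip in (net.network_address, net.broadcast_address):
        findings.append(f"router {router} is the network or broadcast address of {block}")

    # Public hosts: inside the block, not a reserved address, and used only once.
    seen = {}
    for name, hosts in public_segments.items():
        for host in hosts:
            ip = ipaddress.ip_address(host)
            if ip not in net:
                findings.append(f"{name}: {host} is not inside provider block {block}")
            elif ip in (net.network_address, net.broadcast_address) or ip == router_ip:
                findings.append(f"{name}: {host} is reserved (network, broadcast or router)")
            if ip in seen:
                findings.append(f"{name}: {host} already used on {seen[ip]}")
            seen[ip] = name

    # NATed segments: private space, no overlap with the public block or each other.
    nets = {}
    for name, cidr in nated_segments.items():
        inner = ipaddress.ip_network(cidr)
        if not inner.is_private:
            findings.append(f"{name}: {cidr} is not in a private address range")
        if inner.overlaps(net):
            findings.append(f"{name}: {cidr} overlaps the public block {block}")
        for other_name, other in nets.items():
            if inner.overlaps(other):
                findings.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        nets[name] = inner
    return findings


if __name__ == "__main__":
    print("usable public addresses:", usable_public_hosts(PROVIDER_BLOCK, UPSTREAM_ROUTER))
    for finding in check_plan(PROVIDER_BLOCK, UPSTREAM_ROUTER, PUBLIC_SEGMENTS, NATED_SEGMENTS):
        print("FINDING:", finding)
```

Run against the plan as quoted, the checker flags the three 171.16.x.0/24 segments as not being in a private range and notes that the stated router address coincides with the network address of the /28; the LAN segment and all DMZ addresses pass. Swapping in corrected values and re-running until the finding list is empty is the intended workflow.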