It all hinges on your definition of "DMZ". This is what I would say:

>> bridge with none
>
> right

No, bridge with your WAN interface.

>> and enter some ip address in the range of my m0n0wall's lan nic,
>> right?
>
> No, [...]

Since you're bridging the interface, you don't assign it an IP address.

Now your DMZ can accommodate machines in public (WAN) address space so you can place your servers behind your firewall without having to reconfigure a thing on them.

And, straight from the m0n0wall's DMZ config page:

"Note: be sure to add firewall rules to permit traffic through the interface. Firewall rules for an interface in bridged mode have no effect on packets to hosts other than m0n0wall itself, unless "Enable filtering bridge" is checked on the Diagnostics: Advanced functions page."

So you'll want to enable that!

--B