 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] newbie question
 Date:  Wed, 31 Aug 2005 16:21:06 -0400
On 8/31/05, Chris Marcellin <canus at teksavvy dot com> wrote:
> 205.x.137.117 : static ip address for the wan link
> 205.x.140.116 /30, my subnet
> what I would like to do is this:
> have a DNS which is using a public domain name example.com, web and mail
> server and clients
> after doing some research on m0n0wall's mailing list, I think I have come to the
> conclusion that the best solution is a DMZ which will have the DNS, mail and
> web servers, and the LAN hosting my clients

Overall I'd agree with this, but unless you really, really want to for
some reason, I'd avoid using your own DNS servers.  You typically get
free and solid DNS with domain name registration (and if not, transfer
to a registrar that does offer this).  Not to mention they'll give you
a primary and secondary, and if they do things right they'll be on
separate /24 networks, at a minimum, and maybe in two different
physical locations.  Unless you run a serious NOC yourself, I wouldn't
consider hosting your own DNS.

> if you agree on the DMZ, should I use 1:1 NAT for my servers, and I guess
> that I would have to also do port forwarding for 80, 25, 110, 443, 53, 22
> right? or firewall rules, or both

If you have more than two servers to open ports to, you may want to
use Server NAT instead of 1:1.  Still need appropriate firewall rules
in either case.  NAT allows the public to private translation, and
after that is applied, the firewall rules dictate what traffic can or
cannot pass.
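A small model of the ordering the reply describes (NAT translation first, then firewall rules applied to the translated destination), contrasting Server NAT with 1:1 NAT. This is an added illustration, not m0n0wall code or anything posted in the thread; the addresses, rule tables and function names are constructed placeholders.

```python
from dataclasses import dataclass, replace

# Constructed documentation-range placeholders, not the poster's real 205.x addresses.
PUBLIC_A = "203.0.113.116"   # hypothetical public address for the web/DNS host
PUBLIC_B = "203.0.113.117"   # hypothetical public address mapped 1:1 to the mail host
DMZ_WEB = "192.168.2.10"     # hypothetical private DMZ address (web + DNS)
DMZ_MAIL = "192.168.2.20"    # hypothetical private DMZ address (mail)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Server NAT: only the listed (public address, port) pairs are translated.
SERVER_NAT = {(PUBLIC_A, p): DMZ_WEB for p in (80, 443, 53, 22)}

# 1:1 NAT: every port on PUBLIC_B is translated to DMZ_MAIL, no port list at all.
ONE_TO_ONE = {PUBLIC_B: DMZ_MAIL}

# Firewall rules on the DMZ interface, matched against the *translated*
# destination. Default policy is deny; port 22 is deliberately left out so the
# example shows that a NAT entry alone does not open anything.
PASS_RULES = {DMZ_WEB: {80, 443, 53}, DMZ_MAIL: {25, 110}}


def apply_nat(pkt: Packet) -> Packet:
    """Rewrite the destination if a Server NAT or 1:1 NAT entry matches."""
    if (pkt.dst, pkt.dport) in SERVER_NAT:
        return replace(pkt, dst=SERVER_NAT[(pkt.dst, pkt.dport)])
    if pkt.dst in ONE_TO_ONE:
        return replace(pkt, dst=ONE_TO_ONE[pkt.dst])
    return pkt  # no translation: packet stays addressed to the public IP


def filter_packet(pkt: Packet) -> bool:
    """True if a pass rule matches the (already translated) packet."""
    return pkt.dport in PASS_RULES.get(pkt.dst, set())


def process(pkt: Packet) -> tuple[Packet, str]:
    """NAT first, then the filter, in the order the reply describes."""
    translated = apply_nat(pkt)
    return translated, ("pass" if filter_packet(translated) else "block")


if __name__ == "__main__":
    for dport in (80, 22):
        print(process(Packet("198.51.100.7", PUBLIC_A, dport)))
    print(process(Packet("198.51.100.7", PUBLIC_B, 8080)))
```

Port 22 is translated by Server NAT but still blocked because no rule passes it, and the 1:1 host is reached on every port only as far as its rules allow.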