On 9/23/05, Mark Wass <mark dot wass at market dash analyst dot com> wrote:
> So like this Chris, is this correct?
>
> Internet
>     |
>     |
> MonoWall1
>     | |(Opt1)IP = X.X.X.X /27
>     | |
>     | |
>     | ---------------DMZ Servers with Real World IP's X.X.X.X /27
>     |
>     |
>     |
> Private LAN(192.168.1.0 /24)

that's correct.

> And the IP of the LAN interface on MonoWall1 is 192.68.1.1 /24

yes

> Will I still be able to access the servers in the DMZ from the Private LAN?

yes, and actually since you're putting public IP's on the servers, the situation Don described does not apply.

> Will I still be able to NAT to servers in the Private LAN from the
> Internet?

yes

> Will I still be able to NAT to servers in the DMZ from the Internet?

well in that setup you have routed public IP's on your DMZ, so no, no need to NAT.

> Does having 2 MonoWalls setup like in my first picture make anything
> any more secure? Personally I think it makes things more complex than
> need be.

no. It definitely makes things more complex than need be. If you had two completely different firewalls (i.e. m0n0wall on one and something else on the other) you may be able to argue that it's more secure since if one of them had some sort of issue that allowed someone to get around one, chances are they aren't going to find something to get around both. But, that's unnecessary complexity, an unnecessary second point of failure, is extremely unlikely to be exploitable, and won't do anything for your most (or only, really) likely source of compromise - the stuff you're allowing in.

-Chris
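The NAT-versus-routing behaviour Chris describes for this topology, as an added example (not from the list or from m0n0wall itself): the private LAN is masqueraded behind the WAN address and needs explicit port-forwards for inbound traffic, while the DMZ carries routed public addresses and is never translated. The WAN address, the 203.0.113.32/27 DMZ block (standing in for the thread's X.X.X.X /27) and the port-forward entry are constructed values.

```python
"""Address-translation model of a single m0n0wall with a routed public DMZ and a private LAN."""
import ipaddress
from typing import Optional, Union

Addr = Union[str, ipaddress.IPv4Address]

# Constructed values: documentation range used in place of the thread's X.X.X.X addresses.
WAN_IP = ipaddress.ip_address("203.0.113.1")
DMZ_NET = ipaddress.ip_network("203.0.113.32/27")  # OPT1: routed public IPs, no NAT
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # LAN: RFC1918, masqueraded

# Inbound NAT (port-forward) table for the private LAN only; (protocol, port) -> internal host.
PORT_FORWARDS = {("tcp", 443): ipaddress.ip_address("192.168.1.10")}


def _ip(a: Addr) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(a) if isinstance(a, str) else a


def outbound_source(src: Addr) -> ipaddress.IPv4Address:
    """Source address an Internet host sees for a packet leaving via WAN."""
    s = _ip(src)
    if s in LAN_NET:
        return WAN_IP          # private LAN is source-NATed to the WAN address
    if s in DMZ_NET:
        return s               # DMZ is routed: the public address passes unchanged
    raise ValueError(f"{s} is not on a known internal interface")


def inbound_destination(dst: Addr, proto: str, port: int) -> Optional[ipaddress.IPv4Address]:
    """Internal host a packet from the Internet is delivered to, or None if nothing maps it."""
    d = _ip(dst)
    if d in DMZ_NET:
        return d               # routed straight through; firewall rules still decide pass/block
    if d == WAN_IP:
        return PORT_FORWARDS.get((proto, port))  # LAN hosts reachable only via port-forward
    return None


def lan_to_dmz(src: Addr, dst: Addr) -> tuple:
    """LAN-to-DMZ traffic stays on the same firewall and is routed without translation."""
    s, d = _ip(src), _ip(dst)
    if s in LAN_NET and d in DMZ_NET:
        return (s, d)
    raise ValueError("not a LAN-to-DMZ flow")
```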