 From:  "Michael A. Alderete" <lists dash 2003 at alderete dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  DMZ strategies and recommendations
 Date:  Fri, 23 Jan 2004 22:26:11 -0800
I am getting ready to move my servers behind the basic DHCP/NAT m0n0wall
configuration that I described in my Getting Started guide

In preparation I've read, well, an awful lot of posts about different ways
to put servers in a DMZ that is protected by the firewall, etc. I believe
that there are two different, competing approaches that are generally
described, and I would like to (A) pick one, preferably the *better* one,
and (B) document the process of setting it up.

For the purposes of discussion, here is the network diagram that I'm trying
to build (this is stolen from one of Bruce's posts a while back):

 +---------+    |
 | server1 +----|
 +---------+    |
 +---------+    |
 | server2 +----|   DMZ(OPT1)    WAN
 +---------+    |     +----------+
                |-----+ m0n0wall +-----> DSL modem and Internet
 +---------+    |     +----------+
 | server3 +----|          | LAN
 +---------+    |          | (clients use NATed IP)
                |          |

Servers in the DMZ must be reachable from both LAN and WAN, via the same
fully-qualified host name.

Number and type of services offered in the DMZ cannot be constrained
arbitrarily, i.e., simple port forwarding doesn't work, because many
systems might offer services on port 80. Visualize three web servers, two
mail servers and two DNS servers (primaries and backups), and you have the

It's OK if the solution requires more than one routable (public) IP address.

Servers in the DMZ need to be protected from the WAN by the firewall; only
explicitly allowed services will be permitted to be accessed by WAN
connections. Servers in the DMZ make permitted outgoing connections
only (SMTP, NTP, DNS, etc.).

Systems on the LAN need to be protected from the DMZ, on the assumption
that it could be compromised. (This is probably taken care of by the NAT
for the LAN.)

I want to be able to do this with just one m0n0wall box.

The Approaches
The approaches that are advocated and explained on the list seem to boil
down to two different possibilities:

1. Bridge WAN and DMZ, and activate the filtering bridge. Use public IPs
assigned by ISP on the servers themselves. Add appropriate firewall rules.

2. 1-to-1 NAT. Map public IPs on WAN side to private IPs on DMZ side.
Convert servers to private IPs. Add DNS forwarder overrides to allow LAN
clients to access DMZ servers. Add appropriate firewall rules.

The Advocates
Bruce Mah, who contributed the filtering bridge, seems to advance solution
#1 in his post on 18-Nov-2003, but
does not actually confirm that the occasional LAN clients on his network
can access the DMZ servers.

Manuel has commented once or twice that he sometimes wishes he could rip
out the bridging, and seems to recommend approach #2 as more
straightforward. There have also been comments about issues with the
bridging and NAT interacting incorrectly.

I would probably prefer to go with approach #1, since that should involve
zero changes to my servers, and seems simpler on the configuration side of
m0n0wall, too.

My Request
First, I'd like to get comfort around one solution or the other. Knowing
that one or the other will do what I want (which I believe to be a not
uncommon configuration), what any trade-offs or limitations might be,
performance or security or ease-of-maintenance issues. Any general advice
or information appreciated.

Second, I would love to get a brief walk through the m0n0wall interface for
the steps required to implement the selected solution (or both; if they
both work, I'll write up docs for each approach, along with any editorial
comments about which/why to choose, etc.). I don't need a lot, just enough
to figure out all the specific steps.

What I'll Give Back
Once I've got it working, I'll write documentation of a similar nature to
the Getting Started guide, that will explain the steps required in detail.

Thanks for any help you can give me!


Michael A. Alderete           <mailto:lists dash 2003 at alderete dot com>
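Not part of the message above: an added sketch of how one could check a candidate ruleset for approach #2 (1-to-1 NAT) against the five requirements listed in the post, before touching a live box. It uses constructed addresses (public 203.0.113.0/29 mapped 1-to-1 onto a private DMZ 192.168.2.0/24, LAN 192.168.1.0/24) and a deliberately simplified first-match evaluator; it is not m0n0wall's own rule engine or config format.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the diagram in the post (documentation ranges).
ONE_TO_ONE = {"203.0.113.10": "192.168.2.10",   # server1, web
              "203.0.113.11": "192.168.2.11"}   # server2, mail
LAN = ip_network("192.168.1.0/24")

@dataclass
class Rule:
    iface: str            # interface the packet enters on: "wan", "lan", "opt1"
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    dst: str              # network the destination must fall in, or "any"
    dport: Optional[int]  # destination port, None = any port

RULES = [
    # WAN: only explicitly allowed services reach DMZ hosts (post-NAT addresses)
    Rule("wan", "pass", "tcp", "192.168.2.10/32", 80),
    Rule("wan", "pass", "tcp", "192.168.2.11/32", 25),
    Rule("wan", "block", "any", "any", None),
    # OPT1 (DMZ): never initiate to LAN; outgoing limited to SMTP, DNS, NTP
    Rule("opt1", "block", "any", str(LAN), None),
    Rule("opt1", "pass", "tcp", "any", 25),
    Rule("opt1", "pass", "udp", "any", 53),
    Rule("opt1", "pass", "udp", "any", 123),
    Rule("opt1", "block", "any", "any", None),
    # LAN: clients may reach the DMZ (and the Internet via outbound NAT)
    Rule("lan", "pass", "any", "any", None),
]

def translate(dst: str) -> str:
    """Apply the 1-to-1 NAT map to a destination arriving on WAN."""
    return ONE_TO_ONE.get(dst, dst)

def first_match(iface: str, proto: str, dst: str, dport: int) -> str:
    """Top-down first-match evaluation; anything unmatched is blocked."""
    for r in RULES:
        if r.iface != iface or r.proto not in ("any", proto):
            continue
        if r.dst != "any" and ip_address(dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"  # implicit default deny

def allowed(iface: str, proto: str, dst: str, dport: int) -> bool:
    """True if a new connection entering on iface toward dst:dport would pass."""
    if iface == "wan":
        dst = translate(dst)
    return first_match(iface, proto, dst, dport) == "pass"
```

Each of the post's requirements becomes one assertion on allowed(), so a change to the ruleset that silently opens DMZ-to-LAN or a non-published WAN port fails the check.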