 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  "'Jason J. Ellingson'" <jason at ellingson dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Logs
 Date:  Wed, 25 Aug 2004 09:52:39 -0400
In my opinion, you should physically separate your LAN from your DMZ - two
switches and two NICs. With that said, dual homing your servers (two IPs on
one NIC) is generally not a good idea. Having your servers straddle your DMZ
(two NICs connected to two switches) is also not a good idea. I think you are
opening yourself to security problems if you do not pay attention to detail
when it comes to securing the servers.

I think I remember having read posts about connecting the LAN and DMZ to the
same physical media (same switch/hub) and getting similar behavior. Did you
search the list archive?

_________________________________
James W. McKeand


-----Original Message-----
From: Jason J. Ellingson [mailto:jason at ellingson dot com] 
Sent: Wednesday, August 25, 2004 12:08 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Logs

I have a /28 IP block

WAN and DMZ are bridged (filtered bridge). LAN and DMZ are on the same switch
(all my servers have both a 192.x.x.x IP and a real IP).

LAN has two rules:
FROM 192.x.x.x * TO * * ALLOW NOLOG
FROM * * TO * * BLOCK NOLOG

DMZ has similar rules:
FROM 209.x.x.x * TO * * ALLOW NOLOG
FROM * * TO * * BLOCK NOLOG

I added the two blocks without logging because the switch sometimes still
sends packets out all its ports... so the LAN port sees a DMZ packet on
occasion.

Here's the problem... m0n0wall is still logging the 209.x.x.x packets that
show up on the LAN port instead of not logging them like it should.

Same for DMZ... it logs seeing 192.x.x.x packets.

The packets ARE NOT trying to be routed... for example... LAN sees packets
from 209.x.x.1 to 209.x.x.2... It shouldn't try to do anything with it...
but it still logs it.  Any ideas?

I'm sure an option at some point is to actually use two switches and two
NICs in each computer... but in the meantime...

------------------------------------------------------------
Jason J Ellingson
Technical Consultant

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
jason at ellingson dot com
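The following is an added example, not code from the thread or from m0n0wall: a small first-match rule evaluator that models the LAN and DMZ rule sets quoted above and runs them over constructed sample traffic, including the stray DMZ-to-DMZ frames a flooding switch would deliver to the LAN port. The rule syntax, the implicit final default-deny rule and its `default_log` behaviour, and the prefixes 192.168.0.0/16 and 203.0.113.0/28 (stand-ins for the "192.x.x.x" and "209.x.x.x" blocks in the post) are all assumptions for illustration. It shows that under plain first-match semantics the explicit `BLOCK NOLOG` catch-all is what keeps stray traffic out of the log; without it, the same packets fall through to the default rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR prefix, or "*" for any source
    dst: str      # CIDR prefix, or "*" for any destination
    action: str   # "ALLOW" or "BLOCK"
    log: bool     # whether a match produces a log entry


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet was seen on ("LAN" or "DMZ")
    src: str
    dst: str


def _in(addr: str, prefix: str) -> bool:
    return prefix == ANY or ip_address(addr) in ip_network(prefix)


def evaluate(rules: List[Rule], pkt: Packet,
             default_log: bool = True) -> Tuple[str, bool, Optional[int]]:
    """First-match evaluation. Returns (action, logged, index of matching rule).

    If no rule matches, an assumed implicit default-deny applies; whether that
    default rule logs is modelled by the constructed default_log parameter
    (index None marks the default rule)."""
    for i, rule in enumerate(rules):
        if _in(pkt.src, rule.src) and _in(pkt.dst, rule.dst):
            return rule.action, rule.log, i
    return "BLOCK", default_log, None


# Constructed stand-ins for the prefixes in the post: 192.168.0.0/16 for the
# private "192.x.x.x" LAN space and 203.0.113.0/28 for the public /28 block.
LAN_NET = "192.168.0.0/16"
DMZ_NET = "203.0.113.0/28"

# The two rule sets as described in the post: allow the interface's own
# prefix, then an explicit catch-all block, both without logging.
RULESETS: Dict[str, List[Rule]] = {
    "LAN": [Rule(LAN_NET, ANY, "ALLOW", log=False),
            Rule(ANY, ANY, "BLOCK", log=False)],
    "DMZ": [Rule(DMZ_NET, ANY, "ALLOW", log=False),
            Rule(ANY, ANY, "BLOCK", log=False)],
}

# The same rule sets without the explicit catch-all, so that unmatched
# traffic falls through to the (assumed) default-deny rule.
RULESETS_NO_CATCHALL = {name: rules[:1] for name, rules in RULESETS.items()}

# Constructed sample traffic. The second and fourth packets are the stray
# frames the post describes: traffic for the other segment that the shared
# switch floods onto this interface.
PACKETS = [
    Packet("LAN", "192.168.1.10", "198.51.100.5"),   # LAN host going out
    Packet("LAN", "203.0.113.1", "203.0.113.2"),     # stray DMZ traffic on LAN
    Packet("DMZ", "203.0.113.3", "198.51.100.5"),    # DMZ host going out
    Packet("DMZ", "192.168.1.10", "192.168.1.20"),   # stray LAN traffic on DMZ
]


def logged_packets(rulesets: Dict[str, List[Rule]], packets: List[Packet],
                   default_log: bool = True) -> List[Packet]:
    """Return the packets that would generate a log entry under these rule sets."""
    out = []
    for pkt in packets:
        _, logged, _ = evaluate(rulesets[pkt.iface], pkt, default_log)
        if logged:
            out.append(pkt)
    return out


if __name__ == "__main__":
    for name, rs in (("explicit catch-all", RULESETS),
                     ("no catch-all", RULESETS_NO_CATCHALL)):
        for pkt in PACKETS:
            action, logged, idx = evaluate(rs[pkt.iface], pkt)
            where = f"rule {idx}" if idx is not None else "default deny"
            print(f"[{name}] {pkt.iface} {pkt.src} -> {pkt.dst}: "
                  f"{action} by {where}, logged={logged}")
```

Running the script prints one line per packet for each rule set: with the explicit `BLOCK NOLOG` catch-all nothing is logged, while without it the two stray packets are blocked and logged by the modelled default rule. Whether a real firewall's default rule logs, and whether its bridge or interface rules are evaluated in the order modelled here, is the detail to check in its own documentation when the observed log does not match the rule set.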



