 
 From:  Jason J Ellingson <jason at ellingson dot com>
 To:  James W. McKeand <james at mckeand dot biz>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Logs
 Date:  Wed, 25 Aug 2004 09:45:46 -0500
My reason is as follows:

1) I need to use real IPs for all my servers (8 of them)
2) Only way to do this is to either bridge the WAN to DMZ or to use 1:1 Server NAT
3) Can't use 1:1 Server NAT because it breaks some of our software (especially my mail server)
4) All the computers have dual NICs...  I don't multihome on a single NIC...
5) This means I should use 2 switches... agreed... but I haven't had the time to identify which NIC
is physically using which port on the switch.... and they're about 900 miles away from here (GRIN)

All I really wanted was a filtering bridge.  So I could have just connected to the DMZ and never used
the LAN, but then I can use m0n0's VPN to connect to the servers, as you can't connect to the DMZ
from the LAN side (where PPTP ends) while in bridged mode.

Whew... got all that?  Heh...

- Jason


----- Original Message -----
In my opinion, you should physically separate your LAN from your DMZ - two
switches and two NICs. With that said, dual-homing your servers (two IPs on
one NIC) is generally not a good idea. Having your servers straddle your DMZ
(two NICs connected to two switches) is also not a good idea. I think you are
opening yourself to security problems if you do not pay attention to detail
when it comes to securing the servers.

I think I remember having read posts about connecting the LAN and DMZ to the same
physical media (same switch/hub) and getting similar behavior. Did you search
the list archive?

_________________________________
James W. McKeand


-----Original Message-----
From: Jason J. Ellingson [mailto:jason at ellingson dot com] 
Sent: Wednesday, August 25, 2004 12:08 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Logs

I have a /28 IP block

WAN and DMZ are bridged (filtered bridge) LAN and DMZ are on same switch
(all my servers have both a 192.x.x.x IP and a real IP)

LAN has two rules:
FROM 192.x.x.x * TO * * ALLOW NOLOG
FROM * * TO * * BLOCK NOLOG

DMZ has similar rules:
FROM 209.x.x.x * TO * * ALLOW NOLOG
FROM * * TO * * BLOCK NOLOG

I added the two blocks without logging because the switch sometimes still
sends packets out all its ports... so the LAN port sees a DMZ packet on
occasion.

Here's the problem... m0n0wall is still logging the 209.x.x.x packets that
show up on the LAN port instead of not logging them like it should.

Same for DMZ... it logs seeing 192.x.x.x packets.

The packets ARE NOT trying to be routed... for example... LAN sees packets
from 209.x.x.1 to 209.x.x.2... It shouldn't try to do anything with it...
but it still logs it.  Any ideas?

I'm sure an option at some point is to actually use two switches and two
NICs in each computer... but in the meantime...

------------------------------------------------------------
Jason J Ellingson
Technical Consultant

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
jason at ellingson dot com
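Added example, not m0n0wall's code and not part of the thread: a first-match model of the two rule sets above, used as a defender's check to pull out log entries that the configured rules say should never have been written. The CIDRs are assumed stand-ins for the post's 192.x.x.x and 209.x.x.x blocks, and the log line format is constructed for the example.

```python
import ipaddress

# Assumed stand-ins for the post's "192.x.x.x" and "209.x.x.x" blocks.
# Each rule: (source network, action, log flag); first match wins.
RULES = {
    "LAN": [("192.168.0.0/16", "allow", False),   # FROM 192.x.x.x * TO * * ALLOW NOLOG
            ("0.0.0.0/0",      "block", False)],  # FROM * * TO * * BLOCK NOLOG
    "DMZ": [("209.0.0.0/8",    "allow", False),   # FROM 209.x.x.x * TO * * ALLOW NOLOG
            ("0.0.0.0/0",      "block", False)],  # FROM * * TO * * BLOCK NOLOG
}


def evaluate(iface, src_ip):
    """Return (action, log_flag) of the first rule on iface matching src_ip.

    If no rule matches, assume an implicit default-deny that logs; with the
    catch-all block rules above that branch is never reached.
    """
    ip = ipaddress.ip_address(src_ip)
    for net, action, log in RULES[iface]:
        if ip in ipaddress.ip_network(net):
            return action, log
    return "block", True


def unexpected_log_entries(log_lines):
    """Return entries whose interface rule set says they should not be logged.

    Each line is '<iface> <src> <dst> <action>' (a constructed format for
    this example, not m0n0wall's own log syntax).
    """
    unexpected = []
    for line in log_lines:
        iface, src, dst, action = line.split()
        _, should_log = evaluate(iface, src)
        if not should_log:
            unexpected.append((iface, src, dst, action))
    return unexpected


# Constructed sample of what the post describes: DMZ traffic flooded onto the
# LAN port (and vice versa) by the shared switch, yet still appearing in the log.
SAMPLE_LOG = [
    "LAN 209.10.10.1 209.10.10.2 block",
    "DMZ 192.168.1.5 192.168.1.9 block",
]

if __name__ == "__main__":
    for entry in unexpected_log_entries(SAMPLE_LOG):
        print("logged despite NOLOG rule:", entry)
```

Every entry the function returns was handled by something other than the listed rules, which is the discrepancy worth raising when the log does not match the rule set.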
---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch