[ previous ] [ next ] [ threads ]
 
 From:  Jason J Ellingson <jason at ellingson dot com>
 To:  =?us-ascii?B?Q2hyaXMgQnVlY2hsZXI=?= <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  =?us-ascii?B?UmU6IFttMG4wd2FsbF0gTG9ncw==?=
 Date:  Wed, 25 Aug 2004 15:23:01 -0500
I have no need for a LAN.  The firewall is at a datacenter and is protecting my web and mail
servers.  There is nothing else there.

The only reason I use the LAN port at all is because the PPTP in m0n0wall shows up on the LAN
side.... which cannot communicate with the DMZ (because it is bridged to the WAN)... so the servers
need to be on the LAN port as well for me to talk to them.

Keep it coming guys... I know we can figure something out.  And I really do appreciate the help!

- Jason

Original Message -----------------------
On Wed, 25 Aug 2004 09:52:39 -0400, James W. McKeand <james at mckeand dot biz> wrote:
> In my opinion, you should physically separate your LAN from your DMZ - two
> switches and two NICs. With that said, Dual homing your servers (two IPs on
> one NIC) is generally not a good idea. Having your servers straddle your DMZ
> (two NIC connected to two switches) is also not a good idea. I think you are
> opening yourself to security problems if you do not pay attention to detail
> when it comes to securing the servers.
> 
> I think I remember have read posts about connecting the LAN and DMZ to same
> physical media (same switch/hub) and get similar behavior. Did you search
> the list archive?
> 

Not addressing the question at hand, but dual homing all your hosts on
your DMZ and LAN, whether it's 2 NIC's or two IP's on one NIC, negates
one of the main purposes of having a DMZ in the first place -
protecting your LAN if a publicly accessible hosts gets compromised. 
I wouldn't recommend doing that under most any circumstance.  2 NIC's
is better than two IP's on one NIC, but not by a whole lot.

-Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch