[ale] Netgear wireless router as hub
Geoffrey
esoteric at 3times25.net
Mon Mar 6 08:01:45 EST 2006
H. A. Story wrote:
>
> Geoffrey wrote:
>
>> H. A. Story wrote:
>>
>>
>>> Sounds like you are trying to overwork this. First you can have a DMZ
>>> on the LAN if you want and it can be on the same subnet. You just
>>> forward all ports to that machine. You truly don't have a DMZ unless
>>> your ISP is providing you with more than one WAN IP address.
>>>
>>>
>> I don't believe that's correct. You can have a dmz by having multiple
>> firewalls with different sets of rules. Or, multiple nics in a firewall
>> with different rules for each. Simply, servers that provide services to
>> the outside world (http, ftp..) sit in the dmz, whereas your internal
>> network sits behind it, either on a different nic or behind another
>> firewall. The idea of the dmz is that the machines are protected, but
>> they do provide services to the outside world.
>>
>> Pictures:
>>
>> internet <-> bastion firewall <-> dmz <-> internal network
>>                                    \_ webserver
>>
>>
>>
> Sorry, my understanding of a DMZ is a publicly routable IP. Not
> forwarded ports from a firewall. Found a few web pages that also
> correct my thinking on this. It had to have come from my Sonic Wall
> days. On the pro-units there is a DMZ port. When you have a T1 with
> more than one WAN IP, you can plug into that port and have access to
> those WAN IP addresses. Needed when you have VPN protocols of
> incompatible nature and you can't have those NATed. Unlike older
> Linksys that had a 5th port labeled DMZ that pretty much passed
> everything to that port, if I remember correctly. The device on that
> port was still on the same LAN.
>
>>> Next I
>>> wouldn't put anything in the DMZ unless I was wanting to watch log files
>>> grow, since I don't have a green thumb.
>>> You should read Bob's box. :) I really would NEVER suggest anyone
>>> putting a server in the DMZ.
>>>
>>>
>> I don't quite understand that statement. The DMZ does sit behind a
>> firewall of some type. A typical network would have a bastion firewall
>> between the internet and the dmz. It would then have a choke firewall
>> between the dmz and the internal network.
>>
>>
> I was referring to the http, ssh, ftp, etc. logs from all the port
> scans. Maybe I should pull the book out and re-read this part.
>
>> What is the purpose of a dmz if nothing is there???
>>
>> Typically, I have a firewall that leads to a dmz. In that dmz you might
>> have a webserver. The dmz subnet does not contain any routable ips.
>> Web requests are simply forwarded to the webserver from the firewall.
>>
>> That firewall is then connected to another firewall that sits between
>> the dmz and the local network. The dmz and local network have different
>> subnets, neither that are routable. It's a perfectly workable solution.
>>
>>
>>
> Doesn't that mean next to, not between, logically?
>
>                                       /> (eth1) internal network
> Internet <-> (eth0) bastion firewall
>                                       \> (eth2) DMZ "webserver"
The above is accurate in a single firewall implementation. My preference
is to have a separate hardware firewall between the dmz and the internal
network.
>
> Sorry, re-reading this I see you could have it either way. I am not a
> fan of double NATing myself. But it appears that the dual firewall
> method is preferred. Again, I would rather let someone else do the
> web/email hosting if I was a large enough organization.
>
> More reading. :) All this RAID and Firewall reading.. I thought it
> was a weekend.
>
> http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci906407,00.html
--
Until later, Geoffrey
War never solved anything, well, except slavery, fascism and communism
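The single-box, three-legged layout sketched in the thread (eth0 to the Internet, eth1 to the internal network, eth2 to a DMZ whose webserver receives forwarded ports from a non-routable subnet), written out as iptables rules. This is an added example, not something posted to the list; the interface names follow the diagram, while the subnets and the webserver address are assumptions. It also plays the "choke" role on the same box by refusing any connection a DMZ host tries to open into the internal network, which is the protection Geoffrey's separate second firewall would otherwise provide.

```shell
#!/bin/sh
# Added example: one bastion firewall with a separate DMZ leg.
WAN_IF=eth0; LAN_IF=eth1; DMZ_IF=eth2
LAN_NET=192.168.1.0/24          # assumed internal subnet (not routable)
DMZ_NET=192.168.2.0/24          # assumed DMZ subnet (not routable)
WEB=192.168.2.10                # assumed address of the DMZ webserver

# Print the commands instead of applying them when DRY_RUN is set, so the
# policy can be reviewed without root or a live netfilter.
ipt() { if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi; }

dmz_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F
    # Replies to connections already accepted may flow in either direction.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Forward inbound web requests to the DMZ webserver ("forwarding ports"
    # in the thread); this is the only service reachable from outside.
    ipt -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB:80
    ipt -A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Internal hosts may reach both the Internet and the DMZ.
    ipt -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
    ipt -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -j ACCEPT
    # The choke: a compromised DMZ host must never initiate connections
    # into the internal network. Log the attempt, then drop it.
    ipt -A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN blocked: "
    ipt -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
    # The webserver may still fetch updates from the Internet.
    ipt -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -j ACCEPT
    # Hide both private subnets behind the WAN address on the way out.
    ipt -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
}

# Apply for real only as root; otherwise just show the resulting policy.
[ "$(id -u)" -eq 0 ] || DRY_RUN=1
dmz_rules
```

Run it as root to load the rules; run it unprivileged (or with DRY_RUN=1) to print them for review first.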