Hey gang, I'm currently learning my way through a Netfilter book and need to design a firewall with a DMZ. It basically involves two multihomed firewalls: one connected to the LAN, the other to the router, with a DMZ in the middle. Pretty standard.
A weird addition I came up with involves having several NICs on the 'DMZ side' of either firewall. All machines within the DMZ would be multihomed, with two point-to-point networks (255.255.255.252 subnet) connecting them to both firewalls. I figured this was more secure; if a machine in the DMZ got owned, all the other machines are on their own network and much harder to get to from the owned machine. If everything in the DMZ was simply connected by switch, I don't think it'd take long for a good hacker to discover and mess with the other machines as well (especially w/o the firewall to protect them). Although I'm new to netfilter I haven't found anything that will keep this idea from working. However it is a lot of setup, and I've never really heard of anyone doing this before (except maybe on small firewalls where the DMZ is a single port on a lone firewall). Further complicating things is the fact that there will be around a dozen machines in the DMZ, requiring multiple quad NICs. Any feedback on this crazy approach would be appreciated, thanks!
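The /30-per-host layout described in the post, as an added Python example (not the poster's code or anything from the book): it carves one /30 link per DMZ host, emits the iptables FORWARD chain one firewall would need, and audits the result for any rule that would let traffic pass from one DMZ link to another. The address block, interface names and published services are assumptions; the inner firewall gets the same shape with the LAN interface in place of eth0.

```python
"""Addressing plan and FORWARD rules for the post's design: each DMZ host hangs off
its own /30 link, so DMZ-to-DMZ traffic must cross a firewall. Block, names, ports: assumed."""
import ipaddress
from typing import Dict, List, Tuple

def plan_links(block: str, hosts: List[str]) -> Dict[str, Tuple[str, str, str]]:
    """Carve one /30 per host out of block: host -> (link, firewall_ip, host_ip)."""
    subnets = list(ipaddress.ip_network(block).subnets(new_prefix=30))
    if len(subnets) < len(hosts):
        raise ValueError("address block too small for one /30 per host")
    plan = {}
    for host, net in zip(hosts, subnets):
        fw_ip, host_ip = list(net.hosts())  # a /30 has exactly two usable addresses
        plan[host] = (str(net), str(fw_ip), str(host_ip))
    return plan

def forward_rules(plan: Dict[str, Tuple[str, str, str]],
                  services: Dict[str, List[Tuple[str, int]]],
                  outside_if: str, link_ifs: Dict[str, str]) -> List[str]:
    """FORWARD chain for one firewall: default DROP, stateful replies, one anti-spoof
    rule per link, NEW connections from outside_if only to published ports. No rule
    pairs two link interfaces, so lateral DMZ traffic is dropped by policy."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for host, (_, _, host_ip) in plan.items():
        ifc = link_ifs[host]
        # only the single address assigned to this point-to-point link may source packets on it
        rules.append(f"iptables -A FORWARD -i {ifc} ! -s {host_ip} -j DROP")
        for proto, port in services.get(host, []):
            rules.append(f"iptables -A FORWARD -i {outside_if} -o {ifc} -d {host_ip} "
                         f"-p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    return rules

def lateral_accepts(rules: List[str], link_ifs: Dict[str, str]) -> List[str]:
    """Audit helper: ACCEPT rules whose -i and -o are both DMZ link interfaces."""
    ifs, found = set(link_ifs.values()), []
    for r in rules:
        toks = r.split()
        i = toks[toks.index("-i") + 1] if "-i" in toks else None
        o = toks[toks.index("-o") + 1] if "-o" in toks else None
        if "ACCEPT" in toks and i in ifs and o in ifs:
            found.append(r)
    return found

if __name__ == "__main__":
    hosts = ["web", "mail", "dns"]
    links = {h: f"eth{n}" for n, h in enumerate(hosts, start=1)}
    svc = {"web": [("tcp", 80), ("tcp", 443)], "mail": [("tcp", 25)], "dns": [("udp", 53)]}
    print("\n".join(forward_rules(plan_links("10.0.0.0/28", hosts), svc, "eth0", links)))
```

The script only prints the rules; review them and load them on the firewall yourself, and run `lateral_accepts` again after any later edits to the chain.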

