At the outset, I'll say that I've RTFM (lots of times :), including all the
firewall and IPCHAINS FAQs/HOW-TOs, but it's a lot of information to absorb
and filter all at once (trying to figure out what's applicable to my
situation and what's not.) So can I get a gentle nudge in the right
direction here?
The deal: I had a two-NIC firewall up and running fine on RH6.2, homebuilt
kernel 2.2.17, doing masqing and firewall duty for a bunch of Linux, Unix,
and Windoze machines on my internal net. It was cool, secure, and ran
fast and flawlessly using eth0 (connected to the internal net) and eth1
(connected to an xDSL line).
Not content to leave well enough alone, I added a third NIC (eth2), trying
to set up a garden-variety DMZ for a dedicated web/ftp server box. This is
harder. :)
Here's an ascii-art version:
             /^^\ (xDSL) 123.45.67.89 ------------------
            /net/<------------------->|eth1            |
            \__/                      |    firewall    |
                          192.168.0.1 |eth0        eth2| 192.168.10.1
                                      ------------------
----------------      ___               |           |
| good     eth0| <---|hub|---------------          \|/
| internal net |      ---                  ------------------
|192.168.0.xxx |       |                   | eth0   DMZ     |
----------------      \|/                  | ftp/webserver  |
                      etc.                 | 123.45.67.90   |
                                           ------------------
Assume that my ISP will route all traffic for the two static external IPs
123.45.67.89 and 123.45.67.90 to me. Now, the questions:
1) Am I confused? Do I want eth2 in the firewall to have the external ".90"
address, and eth0 in the DMZ gets some other address (like what...?) Or is
this as I've diagrammed it (two separate non-routable 192.168.x.y nets, web
server gets the second external address) the right way?
2) What are the netmasks for eth0 and eth2 in the firewall...just plain old
255.255.255.0? And in the DMZ, what do I specify the gateway address as?
The address of the firewall's eth0, or eth2? Or both?
3) What are the MINIMUM routing rules necessary in the firewall to get
traffic that is sourced from the internal net over to the DMZ box? (Don't
worry about the reverse, and don't worry about security for the DMZ for
now...I have to have it working at all before I can worry about protecting
it. :)
Many, many TIA for help here. I feel like I'm missing something pretty
basic (not surprising, given the scattershot nature of my networking
knowledge...) Once I get everyone's IPs sorted out I can tell you who can
ping whom and we can take this exercise to the next level...
cheers,
David
_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
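An added example, not from the poster or anyone on the list, that fills in the diagram with one workable answer to questions 2 and 3: a private DMZ net (192.168.10.0/24) behind eth2, the firewall's eth2 address as the DMZ box's gateway, and the minimum kernel 2.2 / ipchains forwarding rules that let the internal net reach the DMZ box and get replies back. The DMZ host address 192.168.10.2 and the private-net choice are assumptions; making the web server reachable from the Internet on 123.45.67.90 is a separate step and is not shown.

```shell
# Added example (not from the original post). Emits the interface, routing
# and ipchains setup for the three-NIC layout in the diagram, with a PRIVATE
# DMZ net behind eth2. Usage: "sh dmz.sh" prints the commands for review,
# "sh dmz.sh apply" runs the firewall-side commands (as root, on the firewall).

IPCHAINS=ipchains                      # set to "echo ipchains" for a dry run
EXT_IF=eth1                            # xDSL side, already configured
INT_IF=eth0; INT_IP=192.168.0.1;  INT_NET=192.168.0.0/24
DMZ_IF=eth2; DMZ_IP=192.168.10.1; DMZ_NET=192.168.10.0/24
DMZ_HOST=192.168.10.2                  # assumed address of the ftp/web box

# Firewall-side commands, one per line. Notes:
#  - ifconfig on a 2.2 box also adds the connected route for each /24.
#  - in the ipchains "forward" chain, -i names the OUTGOING interface.
#  - ipchains is stateless, so replies DMZ -> internal need their own rule;
#    "-p tcp ! -y" accepts only non-SYN TCP, i.e. replies, so the DMZ box
#    cannot open new connections into the internal net. ICMP is allowed
#    back so ping works. Everything else is denied by the chain policy.
#  - the MASQ rule is the existing internal -> Internet masquerading.
firewall_commands() {
  cat <<EOF
ifconfig $INT_IF $INT_IP netmask 255.255.255.0 up
ifconfig $DMZ_IF $DMZ_IP netmask 255.255.255.0 up
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPCHAINS -F forward
$IPCHAINS -P forward DENY
$IPCHAINS -A forward -i $DMZ_IF -s $INT_NET -d $DMZ_NET -j ACCEPT
$IPCHAINS -A forward -i $INT_IF -p tcp ! -y -s $DMZ_NET -d $INT_NET -j ACCEPT
$IPCHAINS -A forward -i $INT_IF -p icmp -s $DMZ_NET -d $INT_NET -j ACCEPT
$IPCHAINS -A forward -i $EXT_IF -s $INT_NET -j MASQ
EOF
}

# Commands for the DMZ box itself: plain /24 netmask, and its default
# gateway is the firewall's eth2 address (not eth0).
dmz_host_commands() {
  cat <<EOF
ifconfig eth0 $DMZ_HOST netmask 255.255.255.0 up
route add default gw $DMZ_IP
EOF
}

case "${1:-show}" in
  apply) firewall_commands | sh -e ;;
  *)     firewall_commands; echo "# on the DMZ box:"; dmz_host_commands ;;
esac
```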