Re: How to establish connections to the servers inside a DMZ?
From: prg (rdgentry1_at_cablelynx.com)
Date: 01/31/05
- Next message: UncleStoner: "My hostname not being registered via DHCP"
- Previous message: John Woodgate: "Re: Peterson's Death Sentence"
- Next in thread: buck: "Re: How to establish connections to the servers inside a DMZ?"
- Reply: buck: "Re: How to establish connections to the servers inside a DMZ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 31 Jan 2005 14:25:18 -0800
buck wrote:
> On 30 Jan 2005 11:22:55 -0800, "prg" <rdgentry1@cablelynx.com> wrote:
>
[snip]
> One thing I'm not getting, though, is that if I don't alias the
> external interface, what in the world is going to make the
> GW/firewall
> "hear" packets sent to 206.###.89.154 through .157 when its IP is
> 206.###.89.158?!
echo 1 > /proc/sys/net/ipv4/ip_forward
Set ip_forward=yes (or true or 1) in your distro's networking config
file to make it "permanent".
This makes this Linux box a router rather than just a leaf
host/destination.
> For example, when a user asks for HTTP, (s)he connects to .154. When
> asking for NNTP, the connection is to .155. The demo connects to
> .157. The domain name entered by the user must contain
> SERVER.DOMAIN.com in order to interact with the correct server.
The routing table tells where (which nic) to forward the packet. Once
it's out the router onto the correct segment/subnet, it's up to the
server to listen and respond to packets directed to it.
Only you can decide just how to set up a GW/firewall layout. The one I
gave you is the _most_ basic and is often not the best/most secure
setup. With as many services as you propose to run you might want to
consider something a bit more sophisticated.
You are also going to have to contend with stripping down your servers
to the minimum required to provide service. Not just no extra running
daemons, not even extra software on the machine's disk. Each needs to
be made a "bastion" host that has been hardened against attack.
The GW/firewall should similarly be trimmed of all excess software.
Unfortunately, I'm not aware of any one-stop descriptions of how to set
up such a design in detail. A couple of general approaches are
available.
http://www.linuxexposed.com/internal.php?op=modload&name=News&file=article&sid=493
http://www.linuxexposed.com/internal.php?op=modload&name=News&file=index
Just a couple of "easier" to understand alternatives.
Add to that, you mentioned wanting to perform traffic shaping to
maintain bandwidth control. Out-of-the-box tools are not user friendly
for the uninitiated. There are some tools included in some GW/firewall
packages.
You should probably start with a "floppy" Linux router/firewall distro
that will make configuring easier. Boo-boos here could be "not fun".
Along the way you will gain some knowledge and experience with Linux
networking tools and may later decide to DIY (at least in part).
http://www.freesco.org/?L=overview
http://www.viperlair.com/articles/soft_guide/networking/lnx_fw_1.shtml
http://www.shorewall.net/
http://www.smoothwall.org/
http://www.astaro.com/firewall_network_security/security_facts
The one above is commercial.
Google:
http://www.google.com/search?num=50&hl=en&lr=lang_en&ie=ISO-8859-1&q=linux+router+dmz
Other terms should occur to you as you see which ones are most relevant
to your questions.
If your assets (internal LAN and external servers) are quite valuable
in any sense, then you really should pony up $ and have someone help
you get set up. Pick a layout/design that you understand and can
maintain afterwards. Your knowledge will grow as your needs
grow/change. Simply "properly" maintaining a good design may tax your
present knowledge as config changes and software upgrades proceed.
hth,
prg
email above disabled
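The two points prg makes above (ip_forward turns the box into a router; the routing table, by longest-prefix match, picks the NIC a packet leaves on) as an added, stand-alone example, not code from the thread. The addresses, interface names and routes are constructed (RFC 5737 documentation ranges), not the poster's real 206.###.89.x layout.

```python
import ipaddress

# Constructed routing table for a three-NIC gateway (assumed layout, not the thread's):
#   eth0 = external link, default route toward the ISP router
#   eth1 = DMZ segment holding the public servers (.154 - .157 in this example)
#   eth2 = internal LAN
ROUTES = [
    ("0.0.0.0/0",        "eth0", "198.51.100.1"),  # default route
    ("203.0.113.152/29", "eth1", None),            # DMZ, directly connected
    ("192.168.1.0/24",   "eth2", None),            # internal LAN, directly connected
]

# Addresses the gateway itself owns; packets for these are delivered locally.
OWN_ADDRS = ("198.51.100.2", "203.0.113.153", "192.168.1.1")


def lookup(dst, routes=ROUTES):
    """Longest-prefix match over the table, as the kernel FIB does.

    Returns (interface, next_hop); next_hop is None for directly
    connected networks, where the packet is sent straight to the host.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, via)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def forwarding_decision(dst, ip_forward, own_addrs=OWN_ADDRS):
    """What the box does with a packet addressed to dst.

    With ip_forward off it is a leaf host: traffic for anyone else is
    dropped, which is exactly why aliasing the external NIC does not
    help. With ip_forward on, the route lookup decides the exit NIC.
    """
    if dst in own_addrs:
        return "deliver locally"
    if not ip_forward:
        return "drop"
    iface, via = lookup(dst)
    hop = f" to {via}" if via else " (directly connected)"
    return f"forward via {iface}{hop}"
```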