Re: Is this a wise configuration?



On Fri, 28 Apr 2006 14:34:28 -0700, None wrote:

> Here is my situation:
> I have a single DSL connection to the internet at my house. This
> connection goes through a router, supplied by the ISP. Behind this
> router is my LAN. I enjoy setting up various different servers (web,
> news, irc, bbs, etc.), and would like to be able to access them from the
> internet. With this many "test" servers running, however, there are many
> potential security threats. I would like to create a separate "zone" on
> my network, autonomous from the private LAN, to place these servers in
> in order to minimize the security risk to the rest of the LAN. (If one
> of the servers becomes compromised, the damage is isolated to the
> "server zone", thereby preventing further attacks to the private LAN). I
> would like the private LAN to be invisible to the "server zone", but
> still have access to the internet through the DSL router.

This is a DMZ setup and it works nicely if set up properly and firewalled
correctly.

> Here is my plan:
> Configure the DSL router to forward the ports needed for the various
> servers to a single computer. This computer acts as a firewall between
> the two network zones. The firewall examines the destination port on
> incoming packets, and based on that, DNATs the address to the
> appropriate physical server. (For example, redirect all packets destined
> to port 80 to 10.0.0.2, and all packets destined for port 21 to 10.0.0.3).

OK, not sure why everyone thinks they need to use 10.x.x.x for everything
but I would suggest that you use 192.168.x.x for your network. You are
never going to use all of those 10.x.x.x addresses, heck for that matter
you are never going to use all the 192.168.x.x addresses either at home.

Iptables will be able to handle this nicely. I do something like this
here at my home and it works wonderfully.

> Also, in order to facilitate the "zone separation", this firewall will
> drop all packets coming from the "server zone", destined to the private
> LAN, and vice versa.

Not a good idea. Dropping NEW packets from the 'server zone' would be
good but if you want to work on your 'server zone' from your 'private
zone' you shouldn't drop those packets. I would suggest allow what is
needed (ssh, ftp, web) and drop the rest. You will have to decide what
you want to allow through.

> I will also configure the firewall to SNAT all packets coming from the
> "server zone", destined to the internet, with the private LAN IP address
> of the firewall.

That you will need to do if you expect the answers to come back.

> Hopefully, this will behave as expected.

If configured properly then yes, it will. I do something similar to this
here. I have 3 networks set up. 1- My network with my machines and servers
for the other networks. 2- Family's network where everyone else is on and
can surf the web as needed. 3- Son's PS2 network (so called DMZ). Man, is
there a lot of traffic on that one.


--

Regards
Robert

Smile... it increases your face value!
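For reference, here is what the layout discussed in this thread looks like as an iptables script: DNAT of the forwarded service ports to the server-zone hosts, stateful filtering that lets the private LAN open sessions into the server zone while dropping and logging NEW connections from the server zone toward the LAN, and SNAT of the server zone's internet traffic to the firewall's LAN address. This is an added example, not Robert's ruleset or anything from the original poster; the interface names (eth0/eth1), the 192.168.1.0/24 LAN and the firewall address 192.168.1.2 are assumptions, while 10.0.0.2 (web) and 10.0.0.3 (ftp) are the hosts the original post mentioned.

```shell
#!/bin/sh
# Added example: a minimal iptables DMZ ruleset for the two-zone layout in the thread.
# Assumed values (not from the post): interface names, the 192.168.1.0/24 private LAN
# and the firewall's LAN address 192.168.1.2. 10.0.0.2:80 and 10.0.0.3:21 are the
# poster's own examples. Run with IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"

LAN_IF=eth0                 # toward the DSL router and the private LAN
LAN_NET=192.168.1.0/24
FW_LAN_IP=192.168.1.2       # the firewall's address on the private LAN (assumed)
DMZ_IF=eth1                 # toward the "server zone"
DMZ_NET=10.0.0.0/24

# Forwarded services as "proto port server_zone_host" triples (constructed sample).
SERVICES="tcp 80 10.0.0.2
tcp 21 10.0.0.3"

reset_rules() {
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING
    # Default deny on the forwarding path: anything not explicitly allowed below is dropped.
    $IPT -P FORWARD DROP
}

nat_rules() {
    # DNAT: a packet the DSL router hands us on a service port is rewritten to the right host.
    echo "$SERVICES" | while read proto port host; do
        [ -n "$proto" ] || continue
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport "$port" \
             -j DNAT --to-destination "$host:$port"
    done
    # SNAT: server-zone traffic leaves with the firewall's LAN address, so the DSL
    # router only ever sees a LAN host and the replies find their way back.
    $IPT -t nat -A POSTROUTING -s "$DMZ_NET" -o "$LAN_IF" -j SNAT --to-source "$FW_LAN_IP"
}

forward_rules() {
    # Replies to anything already allowed, in either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The private LAN may open sessions into the server zone (ssh, ftp, web admin, ...).
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # DNATed service traffic may reach only the chosen host on its service port.
    echo "$SERVICES" | while read proto port host; do
        [ -n "$proto" ] || continue
        $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -p "$proto" -d "$host" --dport "$port" \
             -m state --state NEW -j ACCEPT
    done
    # NEW connections from the server zone toward the private LAN are logged and dropped:
    # this keeps the LAN invisible, and the log line is how you notice a compromised server.
    $IPT -A FORWARD -i "$DMZ_IF" -d "$LAN_NET" -m state --state NEW \
         -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i "$DMZ_IF" -d "$LAN_NET" -m state --state NEW -j DROP
    # The server zone may still reach the internet (anything that is not the private LAN).
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$DMZ_NET" ! -d "$LAN_NET" \
         -m state --state NEW -j ACCEPT
}

build_dmz_rules() {
    reset_rules
    nat_rules
    forward_rules
}

# "sh dmz.sh show" prints the rules; "sh dmz.sh apply" loads them (needs root).
case "${1:-}" in
    show)  IPT=echo build_dmz_rules ;;
    apply) build_dmz_rules ;;
esac
```

The firewall also needs `net.ipv4.ip_forward` set to 1 (for example `sysctl -w net.ipv4.ip_forward=1`) or nothing is forwarded at all. The rule order matters: the ESTABLISHED,RELATED rule comes first so replies in both directions pass, the LAN-to-server-zone NEW rule is what lets you administer the servers as Robert suggests, and the DMZ-to-LAN LOG/DROP pair sits before the server-zone-to-internet rule so a compromised server cannot reach the private LAN even though it can still reach the outside world.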


