Re: Is this a wise configuration?
- From: Grant <bugsplatter@xxxxxxxxx>
- Date: Sat, 29 Apr 2006 11:21:07 +1000
On Fri, 28 Apr 2006 14:34:28 -0700, None <none@xxxxxxxxxxx> wrote:
> Here is my situation:
> I have a single DSL connection to the internet at my house. This
> connection goes through a router, supplied by the ISP. Behind this
> router is my LAN. I enjoy setting up various different servers (web,
> news, irc, bbs, etc.), and would like to be able to access them from the
> internet. With this many "test" servers running, however, there are many
> potential security threats. I would like to create a separate "zone" on
> my network, autonomous from the private LAN,
Generally referred to as "DMZ" when you search for firewall info
> Here is my plan:
> Configure the DSL router to forward the ports needed for the various
> servers to a single computer. This computer acts as a firewall between
> the two network zones.
It may not work very well. While I don't run a DMZ at the moment, I
have prepared for that like this:
network topology
`````````````````
                                                 LAN
     ----------------   Phone   ------------    Machines
    (                  )-------| ADSL Modem |
    ( Big Bad Internet )  Line  |            |  100-Base-T
     ----------------            ------------    Switch   -----
                                      |         -------|     |
                                 Public IP      |        -----
                                      | X_WORLD |        -----
                              -------------     |     --|     |
                              | ppp0/eth2 |     |     |  -----
                              |           |     |     |-- -----
     X_LOCAL2 <---------------|eth1   eth0|-----|     |  |     |
     192.168.2.0/24           |           |     |     |-- -----
     100-Base-T               | Firewall  |     |     |  -----
     (spare localnet)         -------------     |   --|     |
                                                |      -----
                                                |      -----
                                               -------|     |
                                               X_LOCAL  -----
                                               192.168.1.0/24
Firewall box: <http://bugsplatter.mine.nu/test/boxen/deltree/>
> The firewall examines the destination port on
> incoming packets, and based on that, DNATs the address to the
> appropriate physical server. (For example, redirect all packets destined
> to port 80 to 10.0.0.2, and all packets destined for port 21 to 10.0.0.3).
Sure, but as someone else pointed out, you're doing a double NAT,
asking for trouble.
What I do is configure the ADSL modem to run in 'bridge' mode,
and run PPPoE on the firewall box --> I have complete control
over the link to Internet and what traffic hits localnet. (No
public access to localnet boxen, for example).
> Hopefully, this will behave as expected.
It's fun stuff to play with. Take care not to be an unwitting
proxy though.
> As a "networking neophyte", I would like to ask if this is a smart way
> to do this. Is there an easier, or more efficient alternative? Any other
> comments?
Couple years ago when I switched to ADSL I ran the modem like you want
to, poking holes through the modem's firewall/NAT. As I climbed the
learning curve and gained confidence I switched the modem to bridge mode
and haven't looked back.
See also: <http://bugsplatter.mine.nu/junkview/>
Grant.
--
Memory fault -- brain fried
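An added example, not part of either poster's message: an iptables rule set for the single firewall box the original post describes, with the modem in bridge mode and PPPoE terminated on the firewall as Grant suggests (so there is only one NAT, on the firewall). The interface names (ppp0, eth0, eth1) and the 10.0.0.0/24 server zone are assumptions; the port-to-host map is the one given in the post (tcp/80 to 10.0.0.2, tcp/21 to 10.0.0.3). The rules are printed rather than applied by default so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): port-forwarding firewall with a
# separate server zone. Interface names and the server subnet are
# assumptions; the port map comes from the original post.

WAN_IF="${WAN_IF:-ppp0}"   # assumed: PPPoE link to the Internet (modem bridged)
LAN_IF="${LAN_IF:-eth0}"   # assumed: private LAN
DMZ_IF="${DMZ_IF:-eth1}"   # assumed: the "zone" holding the test servers
DMZ_NET="${DMZ_NET:-10.0.0.0/24}"

# One "port:host" pair per line, as in the original post.
FORWARDS="80:10.0.0.2
21:10.0.0.3"

# Emit the rule set on stdout instead of running it.
gen_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F PREROUTING"
    echo "iptables -t nat -F POSTROUTING"
    # Nothing crosses the box unless a rule below allows it; this is what
    # keeps the firewall from becoming an unwitting proxy for other traffic.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The server zone must never start connections into the private LAN,
    # so a compromised test server cannot reach the LAN machines.
    echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP"
    # LAN may reach the servers and the Internet; servers may reach the Internet.
    echo "iptables -A FORWARD -i $LAN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -j ACCEPT"
    # Single NAT, done here on the firewall, for outbound traffic.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    # Per-port DNAT plus the matching FORWARD accept for new connections.
    # Only these ports are reachable from outside.
    echo "$FORWARDS" | while IFS=: read -r port host; do
        [ -n "$port" ] || continue
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $host:$port"
        echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Number of published services; a sanity check before applying.
count_forwards() { gen_rules | grep -c -- '-j DNAT'; }

# Usage: ./dmz-fw.sh        (print the rules)
#        ./dmz-fw.sh apply  (run them, as root)
case "${1:-show}" in
    apply) gen_rules | sh ;;
    *)     gen_rules ;;
esac
```

Note that the filter table sees the post-DNAT destination, so the FORWARD accept for each service matches on the inside address (10.0.0.2, 10.0.0.3) rather than the public IP. Forwarding FTP on tcp/21 this way only covers the control connection; the data connections need the kernel's FTP connection-tracking and NAT helpers loaded as well.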