About Firewall configuration
aragonx at dcsnow.com
Tue Apr 3 00:37:52 UTC 2007
> Hello,
>
> If all of the servers are NOT DMZ, then can they be assigned (used) private
> IPs?
Okay, DMZ adds a layer of complexity but really has no bearing on the
private IP range.
What is it you are trying to accomplish?
Your DMZ can be behind your NAT box but does not have to be. Some DMZ
setups look something like this:
                Internet
                   |
                   |
                   |
                   v
             Border router
              |         |
              |         |
              |         |
              v         v
            DMZ1  DMZ2  DMZ3 ...
                   |
                   |
                   |
                   v
           Internal firewall
              |         |
              |         |
              |         |
              v         v
      Computer1 Computer2 Computer3
So, in this case, you can use either your border router or your internal
firewall as your NAT box. Either will do but the border router might be a
better choice.
Of course, your DMZ boxes should be single-tasked. Therefore, each should
only have 1 or so ports that are accessible from either your internal
network or the Internet. There is much, much more to this, though. For
example, your DMZ boxes should not be allowed to initiate connections,
especially to your internal network. There should be no connections coming
in to the internal firewall from the Internet or the untrusted network. Etc...
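The policy described in the message above, written out as an iptables-restore ruleset; this is an added example, not part of the original post. It assumes a single Linux box with three interfaces does the filtering, and the interface names and 192.0.2.x addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: generate a filter table for the DMZ policy in the message.
# Assumption: one Linux firewall with three NICs (Internet, DMZ, internal).
# Interface names and addresses are constructed, not taken from the post.
WAN_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
# One "ip:proto:port" entry per single-tasked DMZ box.
DMZ_SERVICES="192.0.2.10:tcp:80 192.0.2.25:tcp:25"

dmz_ruleset() {
    cat <<EOF
*filter
# Default deny; add your own management rule to INPUT before loading.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Replies to connections that were allowed to start.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DMZ boxes may not initiate connections: log the attempt, then drop it.
-A FORWARD -i $DMZ_IF -m state --state NEW -j LOG --log-prefix "dmz-initiated: "
-A FORWARD -i $DMZ_IF -m state --state NEW -j DROP
EOF
    # Each DMZ box exposes exactly one port, to the Internet and the LAN.
    for svc in $DMZ_SERVICES; do
        ip=${svc%%:*}; rest=${svc#*:}
        proto=${rest%%:*}; port=${rest#*:}
        for src in "$WAN_IF" "$LAN_IF"; do
            printf '%s\n' "-A FORWARD -i $src -o $DMZ_IF -d $ip -p $proto --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    cat <<EOF
# Internal machines may open connections out to the Internet.
-A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -j ACCEPT
# Nothing admits new Internet-to-internal traffic; the default DROP applies.
COMMIT
EOF
}

dmz_ruleset
```

Piping the output to `iptables-restore --test` checks the syntax without loading the rules. The "dmz-initiated" log lines are worth alerting on, since a single-tasked DMZ box opening connections is a sign of compromise or misconfiguration.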