On Mon, 2003-01-13 at 15:28, Mike wrote:
> Hey guys, I'm deciding how I want to implement a DMZ for my company. Can anyone
> tell me the pros and cons of my DMZs below? Should I go with routable
> hosts in my DMZ and just filter out any port I don't want open, or just port
> forward over certain ports and use IP aliases?
>

Hi Mike,

Using NAT in your setup is usually a good way to save IP addresses. If you add one or more static routes to the Cisco router, you don't even have to add aliases to eth0 on the Linux firewall. It'll also save you from fiddling around with things like proxy ARP and subnetting your IP address range, which could get pretty hairy.

Performance-wise, you shouldn't notice any difference when NAT'ing IP addresses in all but the most serious setups (how many hosts are we talking about? I am assuming anything between 1 and 32 DMZ hosts. And what bandwidth do you have available?).

One thing to watch out for with NAT is that certain protocols are difficult to firewall/NAT. The really important ones are fully covered in the kernel (FTP, IRC), and there are a bunch of additional nat/conntrack helpers in patch-o-matic to cover most protocols, but if you want to run some weird protocol behind a NAT box, you may encounter some difficulties. Again, things like HTTP, FTP, IRC, DNS, POP3, IMAP, etc. will work just fine with iptables+NAT.

One possible disadvantage of NAT is that it may render your network topology a bit less clear/intuitive for some people...

Hope this helps...

Regards,

Filip
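As an added example (not part of Mike's question or Filip's reply), here is what the two layouts being compared look like as an iptables ruleset on the Linux firewall. MODE=nat is the "one public address, port-forward per service" layout: each published service is a DNAT rule in PREROUTING plus a FORWARD accept, and conntrack un-NATs the replies. MODE=routable is the "DMZ hosts carry real addresses" layout, where the Cisco has a static route for the DMZ block pointing at the firewall, so there is no nat table at all and the FORWARD filter is the whole policy. The interface names, addresses, hosts and published ports are assumptions chosen for illustration; the script prints the commands with "show" and only applies them with "apply".

```sh
#!/bin/sh
# Added example, not from the original thread: a minimal iptables ruleset for a
# small DMZ behind a Linux firewall, in either of the two layouts Mike asked about.
#   MODE=nat       one public address on eth0, DMZ hosts on private space, DNAT per port
#   MODE=routable  DMZ hosts carry public addresses; the upstream Cisco has a
#                  static route for DMZ_NET via the firewall, so no aliases, no nat table
# All addresses, interface names and hosts below are assumptions for illustration.
# Usage: "sh dmz.sh show" prints the commands; "sh dmz.sh apply" (as root) loads them.

MODE=${MODE:-nat}
WAN_IF=eth0
DMZ_IF=eth1
WAN_IP=198.51.100.10        # firewall's outside address; in nat mode, the published address
DMZ_NET=10.0.1.0/24         # nat mode; in routable mode this would be a public block
WEB=10.0.1.10               # assumed DMZ web/FTP server
MAIL=10.0.1.20              # assumed DMZ mail server
DRYRUN=${DRYRUN:-0}

# run CMD...: echo the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# publish PROTO PUBLIC_PORT DMZ_HOST [DMZ_PORT]
publish() {
    proto=$1; pub=$2; host=$3; port=${4:-$2}
    if [ "$MODE" = nat ]; then
        # Rewrite the destination on the way in; conntrack reverses it on replies.
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p "$proto" \
            --dport "$pub" -j DNAT --to-destination "$host:$port"
    fi
    # FORWARD sees the post-DNAT destination, so the filter names the DMZ host
    # in both modes; only the first packet of a flow needs this rule.
    run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$host" -p "$proto" \
        --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

dmz_rules() {
    run sysctl -q -w net.ipv4.ip_forward=1
    # FTP negotiates its data connection inside the control channel, so plain
    # stateful filtering is not enough: the conntrack helper marks the data flow
    # RELATED, and in nat mode the NAT helper rewrites the addresses it carries
    # (ip_conntrack_ftp / ip_nat_ftp on the 2.4 kernels of the original post).
    run modprobe nf_conntrack_ftp
    if [ "$MODE" = nat ]; then
        run modprobe nf_nat_ftp
    fi
    run iptables -F
    run iptables -t nat -F
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    publish tcp 80 "$WEB"
    publish tcp 443 "$WEB"
    publish tcp 21 "$WEB"
    publish tcp 25 "$MAIL"
    if [ "$MODE" = nat ]; then
        publish tcp 8080 "$WEB" 80      # public port need not match the DMZ port
    fi
    # DMZ hosts may open connections outward (mail delivery, DNS, updates).
    run iptables -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    if [ "$MODE" = nat ]; then
        # Hide the private DMZ addresses behind the firewall's public one.
        run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$DMZ_NET" \
            -j SNAT --to-source "$WAN_IP"
    fi
}

case "${1:-}" in
    apply) dmz_rules ;;
    show)  DRYRUN=1; dmz_rules ;;
    *)     echo "usage: $0 show|apply   (MODE=nat|routable)" >&2 ;;
esac
```

Running `MODE=routable sh dmz.sh show` next to `sh dmz.sh show` makes Filip's point concrete: the two rulesets share the same FORWARD filter, and the NAT layout only adds one DNAT line per published port plus one SNAT line, which is also the place where any protocol without a helper will break.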