On Mon, 2004-10-04 at 13:41, Deepak Seshadri wrote: > Hello everybody, > > > > > > -------------------------- > > | | WAN > (x.x.x.58/28, default gateway - x.x.x.49) > > | FC2 e0 > |-------------------------- ISP > > LAN | | > > -----------------------| e1 | DMZ > > 10.0.1.x | e2 > |-------------------------- > > | | > > |-------------------------| > > I have 3 computers that need to have public addresses and their IP addresses > are: > > A - x.x.x.50/28, DG - x.x.x.49 > > B - x.x.x.51/28, DG - x.x.x.49 > > C - x.x.x.55/28, DG - x.x.x.49 > > Now the problem is I do not understand how I will give access to these PCs > from public without putting these PCs on a different subnet. Some firewalls > such as sonicwall do not require an IP for the DMZ port. You can add any > number of IPs behind the DMZ and it works. How is that done? Is it possible > with Linux? > > If I connect them on the DMZ interface, should they all be put in a > different subnet, probably with /29 bit mask? If I do it this way, should I > use iptables & DNAT or should/can I use just the "routing" in linux? > > If you have a better way to do it, please let me know. Any help will be > greatly appreciated. > > Thank you, > > Deepak Seshadri > > You have several different options. You do not have to put the public devices on a separate subnet but I would strongly recommend doing so. If the public has access, there is the chance that a public user can crack into your publicly exposed device. If the device sits on your internal network, there is nothing between the intruder and the rest of your private systems. I would also recommend using DNAT and iptables access control. This way, you can restrict what services are exposed to the public and hide the true addressing scheme. If you really wanted to get tricky, you could even alter the TTL so that only your publicly exposed services can go any further than your ISP's router. You will need to ensure that the public interface of the firewall responds to ARP requests for the other addresses. You do this by binding those addresses to the physical interface, e.g., ip address add x.x.x.58/28 dev eth0 brd + When it is released, ISCS (http://iscs.sourceforge.net) will do all of this from NAT to access control to ARP to even TTL automatically. Until then, you'll need to set it up manually or use a rule configurator like fwbuilder (http://www.fwbuilder.org). Good luck - John -- John A. Sullivan III Open Source Development Corporation Financially sustainable open source development http://www.opensourcedevel.com
