Hi Jan!

On 11/27/01, Benjamin Stocker posted nearly the same question to this list (read these threads to get into the topic):

http://www.der-keiler.de/Mailing-Lists/linuxsecurity/2001-11/0082.html
http://www.der-keiler.de/Mailing-Lists/linuxsecurity/2001-11/0093.html

Question 1)

It is no problem to do NAT both for the DMZ and for your internal net. Configure your stuff like this:

  Provider
       | ext-IP-Range: 1.1.1.224-239 (NIC_0)   NAT
  +----+-----+
  |    ¦       dmz-IP: 192.168.1.1 (NIC_1)
  | fw +------- DMZ 192.168.1.2-x (Gateway: dmz-IP)
  +----+-----+
       | int-IP: 192.168.0.1
  Intranet: 192.168.0.2-255 (Gateway: int-IP)

This is a very robust setup. You do not lose the advantage of a DMZ (an attacker who broke into a computer on the DMZ doesn't have easy access to the internal machines). If you need an extra level of security, you may also put a second firewall between fw1 and the Intranet.

Question 2)

You have to split the class C net into 2 networks with 128 IPs each and route the traffic. See:

http://www.der-keiler.de/Mailing-Lists/linuxsecurity/2001-11/0081.html

Ulrich

Searching for an archive of the most important Security Mailing-Lists?
http://www.der-keiler.de

On Wednesday 13 February 2002 04:00 pm, Jan Stifter wrote:
> Hello,
> I have two questions regarding the configuration of network
> interfaces:
>
> Question 1)
> -----------
>
>   Provider
>        | ext-IP
>   +----+-----+
>   |    ¦       dmz-IP
>   | fw +------- DMZ
>   +----+-----+
>        | int-IP
>   Intranet
>
> My Provider gives me an official address range 1.1.1.224-239.
> I would like to use for the intranet the 192.168.x.y range.
>
> So I thought that I would give the dmz-IP the address 1.1.1.224, the
> int-IP 192.168.0.1.
>
> Can I use for the ext-IP also 1.1.1.224 and configure the firewall
> somehow as a bridge? If yes, where do I find more information
> regarding this issue (ifconfig, route commands, kernel configuration)?
> If no, what other options do I have?
>
> Question 2)
> -----------
> Assume that I would like to build a firewall inside of a larger
> network:
>
> 1.1.1.0-255 (excluding .224 - .239)
>
>   eth0 | ext-IP
>   +----+-----+
>   |    ¦       dmz-IP
>   | fw +------- DMZ: 1.1.1.224-239
>   |
>   |    | eth1
>   +----------+
>
> So, outside, towards ext-IP, I have all IPs 1.1.1.0-255 excluding .224
> - .239; in the DMZ, I have IPs 1.1.1.224-239.
>
> From the point of network configuration, this should work, but I just
> don't know how to set up the ifconfig and route commands in order to
> be able to configure this correctly.
>
> Thanks for reading this!
> Any hints are greatly appreciated.
>
> Jan

------------------------------------------------------------------------
To unsubscribe email security-discuss-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
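Ulrich's two answers turned into commands, as an added example that is not part of the original post or the linked threads. It uses the ifconfig and route commands Jan asks about plus iptables for the NAT and filter rules on a Linux 2.4 firewall. The interface names eth0/eth1/eth2, the provider's router address and the firewall's own addresses on the public ranges are assumptions and are marked as such in the comments. Note that in the first part the NAT by itself does not provide the DMZ advantage Ulrich describes; the FORWARD rule that drops connections initiated from the DMZ towards the intranet is what does.

```shell
#!/bin/sh
# Added example, not taken from the list post: the ifconfig/route/iptables
# commands implied by Ulrich's two answers on a Linux 2.4 firewall.
# Assumed, not from the thread: interface names eth0/eth1/eth2, the
# provider gateway and the exact firewall addresses on the public ranges.
# DRY_RUN=1 (the default) only prints each command, so the script can be
# read and checked without root; DRY_RUN=0 executes the commands.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Question 1: three-legged firewall, DMZ and intranet both on private
# ranges (as in Ulrich's diagram), NAT on the external leg.
q1_nat_dmz() {
    EXT_IF=eth0; DMZ_IF=eth1; INT_IF=eth2
    EXT_IP=1.1.1.224          # one address from the official 1.1.1.224-239 block
    run ifconfig "$EXT_IF" "$EXT_IP" netmask 255.255.255.240
    run ifconfig "$DMZ_IF" 192.168.1.1 netmask 255.255.255.0
    run ifconfig "$INT_IF" 192.168.0.1 netmask 255.255.255.0
    run route add default gw 1.1.1.225   # placeholder: the provider's router address
    run sysctl -w net.ipv4.ip_forward=1

    # Default deny for forwarded packets; only the flows listed below pass.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Intranet may open connections to the DMZ and to the Internet.
    run iptables -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    # The DMZ may reach the Internet but never initiate towards the intranet:
    # this rule is what keeps a compromised DMZ host away from 192.168.0.0/24.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP
    run iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -j ACCEPT
    # Publish one DMZ service (web server on 192.168.1.2) on the public address.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination 192.168.1.2
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT
    # Everything leaving towards the provider is rewritten to EXT_IP.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

# Question 2: firewall inside the class C. Following Ulrich's answer, the
# /24 is split into two /25 halves with the firewall routing between them;
# the inner half is the one that contains Jan's DMZ block 1.1.1.224-239.
q2_split_class_c() {
    EXT_IF=eth0; DMZ_IF=eth1
    # Outer half 1.1.1.0/25; the firewall takes .126 there (assumed free).
    run ifconfig "$EXT_IF" 1.1.1.126 netmask 255.255.255.128
    # Inner half 1.1.1.128/25 with the firewall as the DMZ hosts' gateway at .129.
    run ifconfig "$DMZ_IF" 1.1.1.129 netmask 255.255.255.128
    # ifconfig already installs the two connected /25 routes; add the default.
    run route add default gw 1.1.1.1     # placeholder for the router on the outer half
    run sysctl -w net.ipv4.ip_forward=1
    # Consequences of the split: hosts on the outer side that still use
    # 1.1.1.128-255 must be renumbered into 1.1.1.0-127, and the outer
    # router needs a route for 1.1.1.128/25 via 1.1.1.126.
    # No NAT: DMZ hosts keep their official addresses, so only filter.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s 1.1.1.224/28 -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d 1.1.1.224/28 -p tcp --dport 80 -j ACCEPT
}

# Print both command sets (or apply them when DRY_RUN=0).
q1_nat_dmz
echo
q2_split_class_c
```

Run the script as-is to review the generated command list; on the firewall itself, DRY_RUN=0 applies it. In the second part nothing is translated, so the router on the outer half must learn that 1.1.1.128/25 now sits behind the firewall, otherwise replies to the DMZ never arrive.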