> so essentially you have local net behind two firewalls (or did I
> misunderstand something?)
> that's kind of a convoluted set up. The best way would be to put the SQL
> server on the LAN and have the Linux box do port forwarding. This way, the
> web server would think it would be talking to the LAN's firewall, when in
> fact the firewall would forward everything to the SQL server. Obviously
> you'd want to allow only the web server to connect to that port, etc. The
> local machines would be able to connect to the SQL server since they are all
> on the local network.
I thought of doing this, but I was concerned about my web server being used
to break into the SQL server. If the web server was broken (possible with
all those scripts, etc), there is a chance that the SQL system could
fall. I figured that this could happen (remote chance, but possible) as
the SQL server can get packets from the web server, leaving the way for
buffer overruns, etc.
This is bad, but what is worse is that the SQL system would have full
access on the internal network. So from here, it's a fairly simple matter
to get to the fileserver, people who turn shares on, etc.
My reasoning on the three network system is that there is no way for
anything to come from the DMZ into the internal network. Doesn't matter
where it comes from, everything is rejected at the second firewall. That
way, if I lose the database, at least the file server is still protected.
I may be paranoid, but I figure why take the chance.
> You can find the information about it at www.linux.org/help
> BTW, what the hell does DMZ stand for?
DeMilitarized Zone - it's the no-man's land between North and South
Korea. I've heard it used in network terms quite a bit as a network
segment that is protected, but not locked up.
> > Hello,
> > I'm currently running a linux 2.0 box doing IP_masq to allow the
> > internal network to access the internet. Everything works great, I have
> > 30 people going through a 386sx/16. However, we are now adding a new
> > website that requires access to a MS SQL server running on NT. I want to
> > isolate the NT system as much as possible, but I have a number of
> > internal apps that also use the SQL server. So I've come up with the
> > following idea.
> > I define three networks, the internal network, the DMZ, and the internet.
> > The webserver (plus email server, etc) exist on the internet (on the
> > segment that is directly attached to the router). The SQL Server will go
> > in the DMZ.
> > In order for the web server to access the SQL server, I have an IP_Masq
> > box that denies all incoming connections (incoming from the internet)
> > except for those coming from the webserver over the SQL port. I allow it
> > to forward everything.
> > I set up another IP_Masq system that sits between the DMZ and the
> > internal network, and it lets anything through to the DMZ, and so to
> > either the SQL Server or the Internet.
> > So what I have is:
> > Internet ----- firewall #1 ----- DMZ ----- firewall #2 --- Internal
> >                  <- everything                <- everything
> >                  -> only SQL port from IP     -> nothing
> > First, does this sound like a good idea? Are there any holes in this type
> > of setup? Can anyone suggest any improvements.
> > If this looks good, would the systems on the internal network (win95/98
> > boxes) need to have any special network setup? I would think that making
> > the gateway the system between the internal network and the DMZ would
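As an added illustration (not from any post in this thread), here is a small Python model of the rules in the diagram above, so the "SQL box gets compromised and pivots inward" worry can be checked against the policy; the addresses and the SQL port number are assumed values, and only new connections are modelled (reply packets are what IP_masq takes care of).

```python
# Added example, not from the thread. Addresses below are constructed samples.
WEBSERVER = "198.51.100.10"   # assumed: on the internet-facing segment
SQL_SERVER = "192.168.1.20"   # assumed: in the DMZ
FILESERVER = "10.0.0.5"       # assumed: on the internal network
SQL_PORT = 1433               # assumed: MS SQL Server's TCP port

ZONES = {WEBSERVER: "internet", "203.0.113.7": "internet",
         SQL_SERVER: "dmz", FILESERVER: "internal", "10.0.0.9": "internal"}

def fw1(direction, src, dport):
    """Between the internet and the DMZ: '<- everything' outbound,
    '-> only SQL port from IP' inbound (the web server's address)."""
    return direction == "out" or (src == WEBSERVER and dport == SQL_PORT)

def fw2(direction, src, dport):
    """Between the DMZ and the internal network: '<- everything' outbound,
    '-> nothing' inbound, whatever the source or port."""
    return direction == "out"

ORDER = ["internet", "dmz", "internal"]
HOPS = [fw1, fw2]   # HOPS[k] sits between ORDER[k] and ORDER[k+1]

def allowed(src, dst, dport):
    """True if a NEW connection src -> dst:dport passes every firewall on its
    path. 'in' means moving toward the internal side, 'out' toward the internet."""
    i, j = ORDER.index(ZONES[src]), ORDER.index(ZONES[dst])
    if i == j:
        return True          # same segment, no firewall in the way
    if i < j:
        direction, crossings = "in", range(i, j)
    else:
        direction, crossings = "out", range(j, i)
    return all(HOPS[k](direction, src, dport) for k in crossings)

if __name__ == "__main__":
    # The pivot the poster worries about: DMZ host reaching the file server.
    print("SQL -> fileserver:", allowed(SQL_SERVER, FILESERVER, 139))   # False
    # What the design is meant to permit.
    print("web -> SQL:", allowed(WEBSERVER, SQL_SERVER, SQL_PORT))       # True
    # Worth noticing: a compromised DMZ box can still open connections OUT
    # to the internet, so outbound traffic from the DMZ is the thing to watch.
    print("SQL -> internet:", allowed(SQL_SERVER, "203.0.113.7", 80))   # True
```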