Firewall for DMZ: LRP or...?

Post by Alex Bernar » Sun, 26 Nov 2000 04:00:00

Objective: Something between my DMZ and the NET which supports multiple
external IPs and does some fw/filtering.

Question: I would like to set up a linux router/firewall to protect a DMZ
(which serves DNS, www, ftp and mail for my domain).  I am reading
several HOWTOs (Bridge+Firewall, adv-routing, ipchains, etc.), but was
wondering if LRP (linux routing project) would do what I need, or please
point me in the right direction for my situation.  In the topology below
I can do everything below the router, I'm just confused as to exactly
what I need to use for the router itself (or is it a bridge?).

Situation:  I have three consecutive static IPs (and as many as 5
dynamic IPs) from my ISP.  Two of the statics are used for the
(external) DNS/web servers and the third for the firewall/proxy machine
(for private LAN).  The linux box (firewall/router) has only two NICs.  
Will I need more NICs and another static IP for the LRP box, or am I on
the right track looking into bridge+firewall instead?

Topology (proposed):

            ( ISP )
               |
        [ cable modem ]
               |
           ---------
           | fire  |
           | wall  | <-- LRP?
           |/router|
           ---------
               |
          [ DMZ hub ]
               |
    -----------------------
    |          |          |
---------  ---------  ---------
|       |  |  ns2  |  | fire- |
| ns1   |  |  www  |  | wall  | <-- DMZ (111.222.333.444-446,
| mail  |  |  ftp  |  |/proxy |          cnames.example.com)
---------  ---------  ---------
                          |
                     [ LAN hub ]
                          |
                     -----------
                     |         |
                ---------  ---------
                |       |  |       |
                |  ws1  |  |  ws2  | <-- Private LAN (10.0.0.1-x)
                |       |  |       |
                ---------  ---------

Thanks very much for any hints,
Alex Bernard

Firewall for DMZ: LRP or...?

Post by Rob MacGrego » Mon, 27 Nov 2000 04:00:00

> Objective: Something between my DMZ and the NET which supports multiple
> external IPs and does some fw/filtering.

> Question: I would like to set up a linux router/firewall to protect a DMZ
> (which serves DNS, www, ftp and mail for my domain).  I am reading
> several HOWTOs (Bridge+Firewall, adv-routing, ipchains, etc.), but was
> wondering if LRP (linux routing project) would do what I need, or please
> point me in the right direction for my situation.  In the topology below
> I can do everything below the router, I'm just confused as to exactly
> what I need to use for the router itself (or is it a bridge?).

> Situation:  I have three consecutive static IPs (and as many as 5
> dynamic IPs) from my ISP.  Two of the statics are used for the
> (external) DNS/web servers and the third for the firewall/proxy machine
> (for private LAN).  The linux box (firewall/router) has only two NICs.
> Will I need more NICs and another static IP for the LRP box, or am I on
> the right track looking into bridge+firewall instead?

Don't think LRP will handle this, but I know that IP Filter does.  Wander
over to www.openbsd.org and order a copy of OpenBSD.  IP Filter can be found
at http://coombs.anu.edu.au/~avalon/ip-filter.html.

You can use the IP Filter box with 3 NICs to provide your DMZ securely with
one less box.

--
  Rob MacGregor (MCSE) [PGP key ID 0x1F5239DD]
      The light at the end of the tunnel is an oncoming dragon.
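The three-NIC IP Filter layout Rob suggests, written out as an ipf ruleset for the topology in Alex's diagram. This is an added example and is not code from either post; the interface names and the 192.0.2.0/29 documentation addresses (standing in for the poster's three statics) are assumptions.

```conf
# /etc/ipf.conf for the three-NIC IP Filter box suggested above.
# Added example, not from the thread. Assumed interface names:
#   fxp0 = cable modem side, fxp1 = DMZ hub, fxp2 = private LAN hub.
# 192.0.2.0/29 (constructed, documentation range) stands in for the
# poster's three statics: .1 firewall outside, .2 ns1/mail, .3 ns2/www/ftp.
# Caveat: if the ISP does not route that block to you, the DMZ hosts on
# fxp1 share the outside subnet and the firewall must proxy-ARP for them
# (arp -s <dmz-ip> <fxp0-mac> pub) or you are back to a bridge.

block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: private and our own addresses never arrive from the ISP.
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 192.0.2.0/29 to any

# Published DMZ services only; keep state admits the replies.
pass in quick on fxp0 proto udp from any to 192.0.2.2 port = 53 keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.2 port = 53 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.2 port = 25 flags S keep state
pass in quick on fxp0 proto udp from any to 192.0.2.3 port = 53 keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.3 port = 53 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.3 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.0.2.3 port = 21 flags S keep state

# DMZ hosts may talk to the Internet (DNS, outbound mail, active-mode FTP
# data from port 20) but never to the private LAN: a compromised DMZ box
# must not become a path inward.
block in quick on fxp1 from any to 10.0.0.0/24
pass in quick on fxp1 proto udp from 192.0.2.0/29 to any port = 53 keep state
pass in quick on fxp1 proto tcp from 192.0.2.2 to any port = 25 flags S keep state
pass in quick on fxp1 proto tcp from 192.0.2.3 port = 20 to any flags S keep state

# Private LAN may initiate anything; it is NATed (ipnat.conf below).
pass in quick on fxp2 from 10.0.0.0/24 to any keep state

# Everything reaching an egress interface was admitted on ingress above.
pass out quick on fxp0 all
pass out quick on fxp1 all
pass out quick on fxp2 all

# /etc/ipnat.conf -- hide the private LAN behind the firewall's outside IP.
map fxp0 10.0.0.0/24 -> 192.0.2.1/32 portmap tcp/udp 10000:20000
map fxp0 10.0.0.0/24 -> 192.0.2.1/32
```

Passive-mode FTP clients will also need the server's passive port range opened on fxp0 (or an FTP proxy), which this ruleset deliberately leaves out.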