DMZ & Proxy Firewall

Post by David Masso » Fri, 20 Oct 2000 15:59:17



I have a Linux proxy firewall protecting my internal LAN.  IP forwarding and
some other networking functions have been removed from the kernel and all is
working fine.

I now want to introduce a DMZ so was planning on putting a third network
card in my firewall and thus creating another subnet for the DMZ.  The
problem is that to access this network from my internal/external networks I need
to enable IP forwarding to route from these interfaces to the new one.

Is this the correct way to do things?  I was under the impression that IP
forwarding was to be kept off on a proxy firewall?

Help appreciated

Post by Cedric Blanche » Fri, 20 Oct 2000 04:00:00




> I have a Linux proxy firewall protecting my internal LAN.  IP forwarding
> and some other networking functions have been removed from the kernel and
> all is working fine.

> I now want to introduce a DMZ so was planning on putting a third network
> card in my firewall and thus creating another subnet for the DMZ.  The
> problem is that to access this network from my internal/external networks I
> need to enable IP forwarding to route from these interfaces to the new one.

> Is this the correct way to do things?  I was under the impression that IP
> forwarding was to be kept off on a proxy firewall?

With a DMZ, your box will not be a proxy/firewall, but a
router/proxy/firewall. If you do not want it to act like that, you'll have to
get a new box with 2 interfaces and arrange things like this:

    Internet
        |
    New Box (ip_forward ok, filtering)
        |
        |-------- DMZ
        |
    Proxy/Firewall
        |
    Your LAN

Like this, your DMZ will only be a new perimeter outside your LAN and won't
hurt your LAN security. Moreover, the new box, with a good filtering ruleset,
will protect the DMZ and enhance the Proxy/Firewall box's security by limiting
incoming access.
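
One possible forwarding ruleset for the "New Box" in the diagram above, as an added example that is not part of the original post. It is written for iptables, which the thread does not name; the interface names, the addresses (documentation range) and the single DMZ web service are assumptions.

```shell
#!/bin/sh
# Added example: default-deny forwarding policy for the outer screening box.
# Every name and address below is an assumption made for illustration.
WAN_IF=eth0            # interface towards the Internet
DMZ_IF=eth1            # segment shared by the DMZ hosts and the proxy's outside NIC
DMZ_WEB=192.0.2.10     # assumed DMZ web server
PROXY_FW=192.0.2.2     # assumed outside address of the proxy/firewall

# Dry run by default: commands are printed. Set APPLY=1 (as root) to execute.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

outer_box_rules() {
    # Drop everything that is not explicitly allowed, then start from clean.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Replies to connections that a rule below has already admitted.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internet -> DMZ: only the published service on the DMZ server.
    run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_WEB" \
        --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # DMZ segment -> Internet: only the proxy/firewall may open connections,
    # so a DMZ server cannot initiate outbound traffic on its own.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$PROXY_FW" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Log what falls through to the DROP policy.
    run iptables -A FORWARD -j LOG --log-prefix outer-fwd-drop:
    # Turn routing on last, so packets are never forwarded without the filter.
    run sysctl -w net.ipv4.ip_forward=1
}

# Check for the inner proxy/firewall: succeeds only if forwarding is on.
# A missing file (forwarding compiled out of the kernel) counts as off.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

outer_box_rules
```

On the inner proxy/firewall, `forwarding_enabled` should keep returning non-zero, since that box still relays traffic only through its proxies.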