
List:       fwtk-users
Subject:    SV: VS: DMZ-Adresses
From:       "Per Gustav Ousdal" <ousdal-ml () sircon ! no>
Date:       1999-11-17 8:06:25

[To be removed from this list send the message "unsubscribe fwtk-users" in the
BODY of a mail message to majordomo@ex.tis.com.]

> > > All three components should have two network interfaces. We have a Class
> > > C address A.B.C.0.
> > > I assume that packet filter A gets an official IP address on the
> > > Internet side from our provider.
> > 
> > More than likely. But what do you mean that you have a Class C addr.? Do you have
> > an official IP addr. already? Or do you have a range of official Class C
> > addr.? Or are you simply using a private Class C range for the net today? And
> > you will get one in addition from your ISP?
> 
> We have an officially registered Class C address block.

Ok. Then I would use (at least part of) this for the firewall + DMZ, and rather use
private addr. on the inside (if needed).

> > > I thought of having private addresses between packet filter A and B. But to
> > > get e.g. through the tn-gw residing on the FWTK host, I need to contact
> > > that host. Can it have a private IP?
> > 
> > Possible? Maybe, but IMHO not a good idea ;) BTW: what kind of packet filters
> > will you use?
> 
> I was thinking of Linux ipchains.

OkeeDokee, then it would be *possible* to go with your initial idea, I think. But /me
thinks the logging of IPChains is somewhat limited, so it might be a good idea to
make sure the proxy will do a decent job of logging (i.e. use "real" addr. in the
firewall/DMZ) on the traffic that makes it through the filter.

I'd really like a second opinion on this though: Am I making sense or am I
misleading this guy? (Like I said, I lack the hands-on experience.)

BTW: Your firewall sounds identical to what I am planning: I want to use IPChains for
packet filtering, and the FWTK as my proxy. I will implement this just for the fun of
it, and to learn about firewalls in the process. If you didn't already think of this,
here is another tip: It might be a good idea to run different OSes on your packet
filters. This is because if one OS is vulnerable to an attack, *maybe* the other one is
immune, so you *might* stop the attack on the second packet filter. Whereas if you use
the same OS on both and it has a bug, this bug will be on both for sure, thus the way
into your internal net will be wide open. I was thinking of using Linux & OpenBSD
as my OSes.

> > > Thanks for your help
> > 
> > Don't know if I was of any help, hope so :)
> 
> A lot.
> Thanks to you and all answers on that topic. I at least now know which
> setting could work. After some thinking I hope I can decide on "the"
> solution fitting our network.

Yup! That is a *GOOD* idea: THINK before you implement a firewall. You can NOT get
security "out of the box"; you have to think very carefully about what traffic to
block and what not. And then make sure you implement this correctly.

Good luck!

Per
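
The two-filter, official-address DMZ that Per describes above (packet filter A on the
Internet side, the FWTK bastion on the DMZ, packet filter B in front of a private
inside net), written out as ipchains rulesets. This is an added example, not code from
the original message or from the FWTK project, and everything concrete in it is an
assumption for illustration: the interface names, the documentation prefix 192.0.2.0/24
standing in for the poster's A.B.C.0/24, a private 10.1.0.0/16 inside, the bastion at
192.0.2.10, and the proxy ports 23 (tn-gw) and 80 (http-gw). IPCHAINS defaults to
echo, so the script only prints the rules it would load; on a real filter it would be
run with IPCHAINS=/sbin/ipchains.

```shell
#!/bin/sh
# Added example: ipchains rulesets for the two packet filters of a screened subnet.
# Assumptions (not from the original message):
#   filter A: eth0 = Internet, eth1 = DMZ (official block, 192.0.2.0/24 for A.B.C.0/24)
#   filter B: eth0 = DMZ,      eth1 = inside net on private 10.1.0.0/16
#   bastion : FWTK host at 192.0.2.10 running tn-gw (23) and http-gw (80)
# IPCHAINS defaults to "echo": the script prints the rules instead of loading them.

IPCHAINS="${IPCHAINS:-echo}"
DMZ_NET=192.0.2.0/24
INT_NET=10.1.0.0/16
BASTION=192.0.2.10
PROXY_PORTS="23 80"        # tn-gw, http-gw (assumed)

# Shared preamble: default-deny on every built-in chain, then start from empty chains.
default_deny() {
    for chain in input forward output; do
        $IPCHAINS -P "$chain" DENY
    done
    $IPCHAINS -F
}

# Outer filter A: the Internet may only open TCP sessions to the proxy ports on the
# bastion; replies to sessions the bastion opened are let back in (ipchains is
# stateless, so "reply" means non-SYN TCP); everything else is refused and logged.
outer_filter_rules() {
    ext=eth0; dmz=eth1
    default_deny
    # Anti-spoofing: our own DMZ block and private/loopback space never arrive from outside.
    for net in "$DMZ_NET" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPCHAINS -A input -i "$ext" -s "$net" -j DENY -l
    done
    # New sessions (-y = SYN only) to the proxies on the bastion.
    for port in $PROXY_PORTS; do
        $IPCHAINS -A input -i "$ext" -p tcp -y -d "$BASTION" "$port" -j ACCEPT
    done
    # Return packets of sessions the bastion opened towards the Internet.
    $IPCHAINS -A input -i "$ext" -p tcp ! -y -d "$BASTION" -j ACCEPT
    # From the DMZ side only the bastion talks through this filter.
    $IPCHAINS -A input -i "$dmz" -s "$BASTION" -j ACCEPT
    # Log-and-deny whatever is left (-l is the only logging ipchains has).
    $IPCHAINS -A input -j DENY -l
    # Forwarding only between the bastion and the outside world.
    $IPCHAINS -A forward -s "$BASTION" -j ACCEPT
    $IPCHAINS -A forward -d "$BASTION" -j ACCEPT
    $IPCHAINS -A forward -j DENY -l
    # Whatever survived input and forward may leave.
    $IPCHAINS -A output -j ACCEPT
}

# Inner filter B: inside hosts reach the proxies on the bastion and nothing else, and
# the bastion only answers them. Private addresses inside, official ones on the DMZ side,
# so no masquerading is needed: the bastion proxies with its own official address.
inner_filter_rules() {
    dmz=eth0; int=eth1
    default_deny
    # Anti-spoofing: the inside interface carries only our private block, the DMZ side never does.
    $IPCHAINS -A input -i "$int" -s ! "$INT_NET" -j DENY -l
    $IPCHAINS -A input -i "$dmz" -s "$INT_NET" -j DENY -l
    for port in $PROXY_PORTS; do
        $IPCHAINS -A input -i "$int" -p tcp -y -s "$INT_NET" -d "$BASTION" "$port" -j ACCEPT
    done
    # Packets within those sessions, in both directions.
    $IPCHAINS -A input -i "$int" -p tcp ! -y -s "$INT_NET" -d "$BASTION" -j ACCEPT
    $IPCHAINS -A input -i "$dmz" -p tcp ! -y -s "$BASTION" -d "$INT_NET" -j ACCEPT
    $IPCHAINS -A input -j DENY -l
    $IPCHAINS -A forward -s "$INT_NET" -d "$BASTION" -j ACCEPT
    $IPCHAINS -A forward -s "$BASTION" -d "$INT_NET" -j ACCEPT
    $IPCHAINS -A forward -j DENY -l
    $IPCHAINS -A output -j ACCEPT
}

# Self-check before loading a ruleset: the last input rule must be a logged DENY,
# otherwise the default policy silently eats packets and nothing is recorded.
last_input_rule_logs() {
    "$1" | grep -- '-A input' | tail -n 1 | grep -q -- '-j DENY -l'
}

case "${1:-}" in
    outer) outer_filter_rules ;;
    inner) inner_filter_rules ;;
    *)     echo "usage: $0 outer|inner" >&2 ;;
esac
```

The final rule on each chain is a logged deny (-l), which is the extent of what ipchains
records: one kernel-log line per packet with protocol, addresses and ports. Who actually
logged in through tn-gw, and to where, only shows up in the proxy's own log, which is
the reason to keep real addresses on the bastion. Because the filters are stateless,
return traffic is admitted by matching non-SYN TCP (! -y) to the bastion; UDP services
such as DNS are not opened here and would need rules of their own.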


