List: fwtk-users
Subject: SV: VS: DMZ-Adresses
From: "Per Gustav Ousdal" <ousdal-ml () sircon ! no>
Date: 1999-11-17 8:06:25
[To be removed from this list send the message "unsubscribe fwtk-users" in the
BODY of a mail message to majordomo@ex.tis.com.]
> > > All three components should have two network interfaces. We have a Class
> > > C address A.B.C.0.
> > > I assume that packet filter A gets an official IP address on the
> > > Internet side from our provider.
> >
> > More than likely. But what do you mean that you have a Class C addr.? Do you have
> > an official IP addr. already? Or do you have a range of official class C
> > addr.? Or are you simply using a private class C range for the net today? And
> > you will get one in addition from your ISP?
>
> We have an officially registered Class C address range.
Ok. Then I would use (at least part of) this for the firewall + DMZ, and rather use
private addr. on the inside (if needed).
> > > I thought of having private addresses between packet filter A and B. But to
> > > get e.g. through the tn-gw residing on the FWTK host, I need to contact
> > > that host. Can it have a private IP?
> >
> > Possible? Maybe, but IMHO not a good idea ;) BTW: what kind of packet filters
> > will you use?
>
> I was thinking of Linux ipchains.
OkeeDokee, then it would be *possible* to go with your initial idea, I think. But /me
thinks the logging of ipchains is somewhat limited, so it might be a good idea to
make sure the proxy will do a decent job of logging (i.e. use "real" addr. in the
firewall/DMZ) on the traffic that makes it through the filter.
I'd really like a second opinion on this though: Am I making sense or am I
misleading this guy? (Like I said; I lack the hands-on experience.)
BTW: Your firewall sounds identical to what I am planning: I want to use ipchains for
packet filtering, and the FWTK as my proxy. I will implement this just for the fun of
it, and to learn about firewalls in the process. If you didn't already think of this,
here is another tip: It might be a good idea to run different OSes on your packet
filters. This is because if one OS is vulnerable to an attack, *maybe* the other one is
immune, so you *might* stop the attack on the second packet filter. Whereas if you use
the same OS on both and it has a bug, this bug will be on both for sure, thus the way
into your internal net will be wide open. I was thinking of using Linux & OpenBSD
as my OSes.
> > > Thanks for your help
> >
> > Don't know if I was of any help, hope so :)
>
> a lot
> Thanks to you and all answers on that topic. I at least now know which
> setting could work. After some thinking I hope I could decide for "the"
> solution fitting our network.
Yup! That is a *GOOD* idea: THINK before you implement a firewall. You can NOT get
security "out of the box"; you have to think very carefully about what traffic to
block and not. And then make sure you implement this correctly.
Good luck!
Per
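The outer packet filter discussed in this thread ("packet filter A" in front of the FWTK bastion), written out as an ipchains ruleset. This is an added example, not code from the original thread or from the FWTK project. The addresses, interface names and proxy port list are assumptions: 192.0.2.0/24 (the TEST-NET range) stands in for the registered class C A.B.C.0, 192.0.2.10 is the bastion with its "real" address, eth0 faces the ISP and eth1 faces the DMZ. Rules go through a small wrapper so the script can be reviewed in dry-run mode before being run as root on a 2.2 kernel with ipchains.

```shell
#!/bin/sh
# Added example (not from the original thread): an ipchains ruleset for
# the outer packet filter in the two-filter + FWTK layout discussed above.
# Assumptions: 192.0.2.0/24 (TEST-NET) stands in for the registered class
# C A.B.C.0, 192.0.2.10 is the FWTK bastion in the DMZ, eth0 faces the ISP
# and eth1 faces the DMZ. Needs a 2.2.x kernel with ipchains support.

OUTSIDE_IF=eth0          # assumed: interface toward the ISP
DMZ_IF=eth1              # assumed: interface toward the DMZ / packet filter B
DMZ_NET=192.0.2.0/24     # assumed: the site's registered class C
BASTION=192.0.2.10       # assumed: FWTK host running tn-gw, http-gw, smap
PROXY_PORTS="23 80 25"   # assumed: listeners the Internet may reach on the bastion
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

DRYRUN=${DRYRUN:-1}      # 1 = only record the rules, 0 = really call ipchains
RULES=""

# Record the rule as text and, unless dry-running, hand it to ipchains.
rule() {
    RULES="$RULES
ipchains $*"
    [ "$DRYRUN" = 1 ] || ipchains "$@"
}

# Number of rules recorded by the last apply_ruleset call.
rule_count() {
    printf '%s\n' "$RULES" | grep -c '^ipchains'
}

apply_ruleset() {
    RULES=""
    rule -F                        # flush whatever was loaded before
    rule -P input DENY             # default deny for arriving packets
    rule -P forward DENY           # ... and for packets routed through us
    rule -P output ACCEPT          # anything leaving already passed input+forward

    # Anti-spoofing: a packet on the outside interface claiming a DMZ or
    # RFC1918 source is either an attack or a misconfiguration; log it (-l).
    rule -A input -i "$OUTSIDE_IF" -s "$DMZ_NET" -j DENY -l
    for net in $RFC1918; do
        rule -A input -i "$OUTSIDE_IF" -s "$net" -j DENY -l
    done

    # Connections from the Internet: only to the proxy ports on the bastion.
    # -y matches SYN-only packets; logging just those gives one line per
    # connection attempt that can be matched against the FWTK log by the
    # bastion's real address. Later packets of the session are covered by
    # the non-SYN rule further down.
    for port in $PROXY_PORTS; do
        rule -A input -i "$OUTSIDE_IF" -p tcp -y -d "$BASTION" "$port" -j ACCEPT -l
    done

    # TCP the bastion sends (proxy replies and the sessions tn-gw/http-gw
    # open outward for inside users), and the answers coming back: replies
    # are let in only if they are not SYN-only. ipchains is stateless, so
    # this SYN check is the only thing that keeps outsiders from opening
    # new connections to other ports on the bastion.
    rule -A input -i "$DMZ_IF" -p tcp -s "$BASTION" -j ACCEPT
    rule -A input -i "$OUTSIDE_IF" -p tcp ! -y -d "$BASTION" -j ACCEPT

    # DNS for the bastion. The reply rule is the weak spot of a stateless
    # filter: anything sent from source port 53 reaches the bastion, so the
    # bastion itself must not listen on ports it does not need.
    rule -A input -i "$DMZ_IF" -p udp -s "$BASTION" -d 0/0 53 -j ACCEPT
    rule -A input -i "$OUTSIDE_IF" -p udp -s 0/0 53 -d "$BASTION" -j ACCEPT

    # Everything else on input is dropped and logged. The log line only
    # says who, to where and which port; the proxy log has to say the rest.
    rule -A input -j DENY -l

    # Forwarding: only to and from the bastion, nothing else crosses.
    rule -A forward -s "$BASTION" -j ACCEPT
    rule -A forward -d "$BASTION" -j ACCEPT
    rule -A forward -j DENY -l
}

apply_ruleset
if [ "$DRYRUN" = 1 ]; then
    printf '%s\n' "$RULES"       # review the rules before running with DRYRUN=0
fi
```

Run it as-is to print the rules it would load; `DRYRUN=0 sh` the script as root to load them. Because ipchains keeps no connection state, the ruleset leans on the SYN flag and on the bastion running nothing but the proxies: the filter log will tell you that a SYN arrived for port 23 on the bastion, and only tn-gw's own log will tell you who logged in and where they went, which is why the bastion needs a real, stable address.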