Confused and hungry (Firewall config question)


static

This is sort of a networking question, but seeing as it has to do with my firewall, I put it here (mods (OF WHICH I AM NOT :( ) feel free to move this if need be)

- SMC-Ultra ISA pnp 10Mbit (eth2 {DHCP client} - Internet)
- Intel EPro 100 (eth0 {192.168.1.1} - LAN)
- " " (eth1 {192.168.1.10} - DMZ)

Do I give eth1 an internal IP (192.168.1.0) or an IP on the same segment as the IP eth2 will receive via DHCP from the ISP? Note I won't know what segment it'll be! How will the servers know where to go? They'll need IP's that are static and internet like, no? I have never run a server outside a secure, internal network!! (RCMP network specialist :roll: ) Or is the DMZ eth1 interface transparent to the servers and the traffic just gets routed through my firewall (and out eth2)?

 

On a side note (I'd like to know the above anyway) - should I use (do you recommend) NAT and port forwarding instead of giving the servers real IP's?

 

Thanks again for helping me clear this up!

Frustrated in Ottawa


yes give eth1 a static ip on a private subnet

192.168.1.1 is what I use

eth0 is a public IP 202.27.218.97

eth2 is on a private subnet 10.0.0.1

 

if you are using dhcp on your dmz (eth2) be sure not to make eth1 on the same subnet ...

if you start up eth2, then ifconfig eth2 will give you the assigned IP, hopefully not in 192.168.1.0/24 subnet

 

NAT is far more secure than using public IP's on your network, not to mention cheaper.

and if any body visits (like many people do in my house) you can easily add them into your network ... give them a 192.168.1.0/24 address, and make the gateway 192.168.1.1 ....

 

8)


yes you ... but you have to make sure the DMZ has been assigned an IP before you start IPtables

 

if you use shorewall to configure iptables (I do) you set up

dmz  eth2  detect,noping,routestopped #or whatever other params you want

but if your IP hasn't been assigned yet .. it won't work


Not sure what you mean... the DMZ is eth1. The world won't have trouble connecting if the IP's different? Who updates the internet's dns servers? I don't really want to use dhcp for the DMZ, I'd rather use static IPs. But do those static IPs have to be local private ones or public usable internet ones? Am I correct in assuming that I could give the eth1 DMZ interface a private IP like 10.10.10.1, the server an IP on the same subnet (private) 10.10.10.2 and use port forwarding

eg.

64.12.123.7 (eth2, by dhcp - internet) sees a request on port 23 for ftp

sends it to 10.10.10.2 port 23

And you say don't put the server in the same subnet, eh? OK, so my LAN will use the default gateway 192.168.1.1 to find the 10.10.10.0 segment, correct?

 

Thanks, this is getting clearer if I'm right.


ok so here are some options for you

 

eth0 = lan (192.168.1.1)

eth1 = dmz (10.0.0.1)

eth2 = wan (202.0.0.202)

 

all ip's are static (he he ... funny :-P )

you put a computer on your dmz, and give it an ip 10.0.0.2 with subnet 255.255.255.0 and gateway 10.0.0.1 ... cool?

 

now when you want to forward packets to a server (webserver say) you would do something like this

DNAT 202.0.0.202 10.0.0.2 80 -

and it will work sweet as !!!

 

or

 

you put a computer on your dmz, and give it an ip 202.0.0.203 with subnet 255.255.255.192 and gateway 10.0.0.1 ... cool?

 

now when you want to forward packets to a server you would do something like this

step 1 .. proxyarp

202.0.0.203 eth1 eth0 no-haveroute

step 2 .. firewall config

ACCEPT 202.0.0.203 - 80 -

 

now with eth0 (the lan)

turn on masq'ing and put computers on your lan with ip address 192.168.1.2-254 with subnet 255.255.255.0 and gateway 192.168.1.1

 

I have all of these options setup at home ... and they work sweet as !!!!

 

here's a few interesting notes tho'

1. IP address (and hardware address) are populated throughout the world using arp cache .. (ARP = Address Resolution Protocol .. in case you didn't know) ... it works like this

 

my firewall caches all IP info for my network.

My ISP caches all IP info for its network (including me)

the auckland gateway that my ISP uses caches all IP info for its network (including all my ISP, which includes me)

the NZ gateway caches all IP info for its network (including all Auckland gateway, all my ISP, all me )

...... and so on ... and so on ... etc etc

cool?

 

if you have to replace the NIC on a machine that uses a public IP address, it can take some time for the arp cache to update (normally a few hours )

 

so if you make changes (as I'm sure you are while building this network) make the changes slowly, and allow time for arp cache to filter.
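As an added example (not from any post in this thread), here is the first option above, the private DMZ with DNAT, written out as a complete Shorewall configuration using the thread's addresses: LAN 192.168.1.0/24 on eth0, DMZ 10.0.0.0/24 on eth1 with the web server at 10.0.0.2, and eth2 as the DHCP-addressed Internet interface. The file layouts and the `detect`/`dhcp` keywords are standard Shorewall 3.x-style syntax; the policy choices (the LAN may reach the DMZ, DMZ hosts may not open connections into the LAN, admin ssh to the server only from the LAN) are my assumptions about a sensible default.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth2        detect      dhcp,routefilter,tcpflags,nosmurfs
loc     eth0        detect
dmz     eth1        detect
# "detect" reads the address off the interface when Shorewall starts, so, as
# the thread says, eth2 must already hold its DHCP lease before you start it.
# eth1 is on 10.0.0.0/24 so it can never collide with a 192.168.1.x lease.

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
dmz     loc     DROP    info     # assumption: DMZ hosts never initiate into the LAN
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq
#INTERFACE  SOURCE
eth2        192.168.1.0/24       # LAN hides behind whatever eth2 was leased
eth2        10.0.0.0/24          # DMZ outbound traffic is NATed the same way

# /etc/shorewall/rules
#ACTION SOURCE  DEST            PROTO   DEST PORT(S)
# ORIGINAL DEST is left empty on purpose: with a dynamic WAN address the rule
# matches whatever address eth2 currently holds.
DNAT    net     dmz:10.0.0.2    tcp     80
ACCEPT  loc     dmz:10.0.0.2    tcp     22      # assumption: admin ssh from the LAN only
```

Only port 80 reaches the DMZ host from the Internet; everything else arriving on eth2 falls through to the `net all DROP` policy and is logged.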


> all ip's are static (he he ... funny)

Yeah, I picked my name based on the fact that I don't change ;)

 

Thanks, btw. And yeah I know ARP, and RARP, and GRE, OSPF, RIP, IP, RPC, IPX, IPSec, etc etc etc my only issue was not understanding how a server could have a dhcp address...

