[ale] Netgear wireless router as hub

Geoffrey esoteric at 3times25.net
Mon Mar 6 08:01:45 EST 2006


H. A. Story wrote:
> 
> Geoffrey wrote:
> 
>> H. A. Story wrote:
>>  
>>
>>> Sounds like you are trying to overwork this.  First you can have a DMZ 
>>> on the LAN if you want and it can be on the same subnet. You just 
>>> forward all ports to that machine.  You truly don't have a DMZ unless 
>>> your ISP is providing you with more than one WAN IP address.
>>>    
>>>
>> I don't believe that's correct.  You can have a dmz by having multiple 
>> firewalls with different sets of rules.  Or, multiple nics in a firewall 
>> with different rules for each.  Simply, servers that provide services to 
>> the outside world (http, ftp..) sit in the dmz, whereas your internal 
>> network sits behind it, either on a different nic or behind another 
>> firewall.  The idea of the dmz is that the machines are protected, but 
>> they do provide services to the outside world.
>>
>> Pictures:
>>
>> internet <-> bastion firewall <-> dmz <-> internal network
>>                                    \_ webserver
>>
>>  
>>
> Sorry, my understanding of a DMZ is a public routable IP.  Not 
> forwarded ports from a firewall.  Found a few web pages that also 
> correct my thinking on this.  It had to have come from my Sonic Wall 
> days.  On the pro-units there is a DMZ port. When you have a T1 with 
> more than one WAN IP, you can plug into that port and have access to 
> those WAN IP addresses.  Needed when you have VPN protocols of an 
> incompatible nature and you can't have those NATed.  Unlike older 
> Linksys that had a 5th port labeled DMZ that pretty much passed 
> everything to that port, if I remember correctly.  The device on that 
> port was still on the same LAN.
> 
>>> Next I 
>>> wouldn't put anything in the DMZ unless I was wanting to watch log files 
>>> grow, since I don't have a green thumb.
>>> You should read Bob's box. :)  I really would NEVER suggest anyone 
>>> putting a server in the DMZ.
>>>    
>>>
>> I don't quite understand that statement.  The DMZ does sit behind a 
>> firewall of some type.  A typical network would have a bastion firewall 
>> between the internet and the dmz.  It would then have a choke firewall 
>> between the dmz and the internal network.
>>  
>>
> I was referring to the http, ssh, ftp, etc. logs from all the port 
> scans.  Maybe I should pull the book out and re-read this part.
> 
>> What is the purpose of a dmz if nothing is there???
>>
>> Typically, I have a firewall that leads to a dmz.  In that dmz you might 
>> have a webserver.  The dmz subnet does not contain any routable ips. 
>> Web requests are simply forwarded to the webserver from the firewall.
>>
>> That firewall is then connected to another firewall that sits between 
>> the dmz and the local network.  The dmz and local network have different 
>> subnets, neither of which is routable.  It's a perfectly workable solution.
>>
>>  
>>
> Doesn't that mean next to, not between, logically?
> 
>                                      /> (eth1)internal network
> Internet <-> (eth0) bastion firewall 
>                                      \> (eth2)DMZ "webserver"

The above is accurate in a single firewall implementation.  My preference 
is to have a separate hardware firewall between the dmz and the internal 
network.

> 
> Sorry, re-reading this I see you could have it either way.   I am not a 
> fan of double NATing myself.  But it appears that the dual firewall 
> method is preferred. Again, I would rather let someone else do the 
> web/email hosting if I was a large enough organization. 
> 
> More reading.  :)  All this RAID and Firewall reading..  I thought it 
> was a weekend.
> 
> http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci906407,00.html
> 
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
> 


-- 
Until later, Geoffrey

War never solved anything, well, except slavery, fascism and communism
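The three-interface bastion firewall drawn in the thread (eth0 to the Internet, eth1 to the internal network, eth2 to the DMZ), expressed as a Linux iptables ruleset. This is an added example written for this page, not a script posted by either participant. It assumes the interface names from the diagram, the private subnets 192.168.1.0/24 (internal) and 192.168.2.0/24 (DMZ), a DMZ web server at 192.168.2.10, and a kernel with IP forwarding enabled; all of those addresses are constructed for the example. By default it only prints the commands so the ruleset can be reviewed; set IPT=iptables to apply it.

```shell
#!/bin/sh
# Added example: single-box bastion firewall with LAN and DMZ on separate NICs.
# Interface names follow the thread's diagram; subnets and addresses are assumptions.
WAN_IF=eth0                 # Internet
LAN_IF=eth1                 # internal network
DMZ_IF=eth2                 # DMZ ("webserver")
LAN_NET=192.168.1.0/24      # assumed private internal subnet
DMZ_NET=192.168.2.0/24      # assumed private DMZ subnet
WEB_SRV=192.168.2.10        # assumed DMZ web server

# Dry run by default (prints the commands); run with IPT=iptables to apply.
# Requires net.ipv4.ip_forward=1 on the firewall host when applied for real.
IPT="${IPT:-echo iptables}"

bastion_rules() {
    # Default deny for traffic to and through the firewall; allow what it sends itself.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    # Stateful: replies for anything already allowed, plus loopback.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # The one published service: inbound web requests are forwarded to the DMZ
    # host. The DMZ subnet itself is not routable from the Internet, exactly the
    # port-forwarding arrangement described in the thread.
    $IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 \
        -j DNAT --to-destination $WEB_SRV:80
    $IPT -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $WEB_SRV --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Internal hosts may open connections to the Internet and to the DMZ.
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $DMZ_IF -j ACCEPT

    # The DMZ never initiates toward the internal network. Log (rate-limited)
    # before dropping: a DMZ host trying to reach the LAN is the signal that
    # the exposed server may have been compromised.
    $IPT -A FORWARD -i $DMZ_IF -o $LAN_IF -m limit --limit 5/min \
        -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
    # The DMZ may still reach the Internet (package updates, DNS, and so on).
    $IPT -A FORWARD -i $DMZ_IF -o $WAN_IF -j ACCEPT

    # Both private subnets share the single WAN address.
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $DMZ_NET -j MASQUERADE
}

bastion_rules
```

The dual-firewall layout Geoffrey prefers keeps the same rules on the bastion but moves the LAN interface to a second, separately administered choke box that sits between the DMZ and the internal network; the choke box only needs the LAN-to-DMZ ACCEPT and the DMZ-to-LAN LOG/DROP pair, and it can route between the two private subnets without a second layer of NAT.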
