LeRoy Cressy on Thu, 30 Jan 2003 06:30:37 -0500



Re: [PLUG] dsl questions


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It is true that all of my internal stuff is on a private network, but I set up specific rules for each port that I want to translate. A blanket Masquerade rule increases risk.

iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 20   -j SNAT --to $RealIP

Eugene Smiley wrote:
I believe that what LeRoy is doing is performing masquerading, where all the
IPs behind the Linux box (including the DMZ) have private IPs, i.e.
192.168.1.0.

Considering that you have a Linksys router (which performs NAT firewalling)
already, why aren't you using it at your entry point? Just because you get 5
IPs doesn't mean that you have to use them. Just place it before your
switch.

Like LeRoy, I'd be very nervous about not having anything between the public
and my boxes.

Most FAQs/HOWTOs you read will warn against running any services on a
firewall box if you end up using a Linux box as a masquerading or NAT
firewall, given that some people opt to use an old PC, i.e. that Pentium 100
buried in the parts closet.

Eugene

-----Original Message-----
From: plug-admin@lists.phillylinux.org
[mailto:plug-admin@lists.phillylinux.org] On Behalf Of epike@isinet.com
Sent: Wednesday, January 29, 2003 5:40 PM
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] dsl questions

Hi,

Thanks for the input.

The 3 hosts are actually 2 Linux boxes and
a Linksys firewall (with the 802.11 antenna).
That leaves me with 2 Linux boxes to protect.
More work, but not too bad.

I'll try to implement a DMZ with the 2 Linux
boxes as a starting point. By the way,
does your firewall also serve something?
I try to minimize the number of machines, and
I don't have a lot of IP numbers either.

In my case I'll try to set up the firewall server as a
regular web server also, so one of its NICs would
show up as an address inside the DMZ. Is that possible?

jondz

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug




-- 
Rev. LeRoy D. Cressy  mailto:leroy@lrcressy.com   /\_/\
http://lrcressy.com                               ( o.o )
Phone: 215-535-4037                                > ^ <


gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQE+OQohP+/m2oUBr+oRAikdAJ4ogfj4MndQJLj6rWiyERw78X4ungCfeaR0
M1ZPzBmZix3FqaFUGVMLM2s=
=YSIu
-----END PGP SIGNATURE-----
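The per-port SNAT approach LeRoy describes above, written out as a small rule script. This is an added example, not LeRoy's own ruleset: it assumes the LAN is 192.168.1.0/24 on eth1, the uplink is eth0, the static public address is held in $RealIP (203.0.113.10, an RFC 5737 documentation address, stands in for it), and the ports 20, 21 and 80 are chosen purely for illustration. It puts the blanket MASQUERADE rule beside the per-port SNAT rules so the difference is visible, and adds the check a practitioner would want: the nat table only rewrites addresses, so restricting SNAT to certain ports does nothing to stop forwarding unless the filter table's FORWARD chain is also locked down to the same ports.

```shell
#!/bin/sh
# Added example, not LeRoy's ruleset. Assumed topology: LAN 192.168.1.0/24 on
# eth1, uplink eth0, one static public address in $RealIP (203.0.113.10 is an
# RFC 5737 documentation address standing in for the real one).
# Set IPTABLES=echo to print the rules instead of loading them (no root needed).

IPTABLES="${IPTABLES:-iptables}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
RealIP="${RealIP:-203.0.113.10}"

# The blanket rule: every outbound connection from the LAN is translated,
# whatever the protocol or destination port.
blanket_masquerade() {
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# One SNAT rule per TCP destination port, as in the message. --to-source is
# the full name of the --to abbreviation used there. With a static address
# SNAT is also the better choice: MASQUERADE re-reads the interface address
# and forgets its tracked connections whenever the interface goes down.
per_port_snat() {
    for port in "$@"; do
        $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -s "$LAN_NET" \
            --dport "$port" -j SNAT --to-source "$RealIP"
    done
}

# The nat table only rewrites addresses; whether a packet is forwarded at all
# is decided in the filter table's FORWARD chain. With FORWARD left at ACCEPT,
# a packet for a port not in the SNAT list is still forwarded out eth0, just
# with its private source address. Default-deny, then permit the same ports
# for new connections plus replies to established ones.
forward_filter() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$LAN_NET" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Ports chosen for illustration only: FTP data, FTP control and HTTP.
PORTS="20 21 80"

case "${1:-}" in
    show)  IPTABLES=echo; per_port_snat $PORTS; forward_filter $PORTS ;;
    apply) per_port_snat $PORTS; forward_filter $PORTS ;;
esac
```

Run `sh nat-rules.sh show` to print the rules that would be loaded, and `sh nat-rules.sh apply` as root to load them; `blanket_masquerade` is defined only for comparison and is never applied. Active-mode FTP (port 20 data connections coming back from the server) additionally needs the ip_conntrack_ftp helper loaded for the RELATED rule to match, which this script does not do.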
