Have static IP, now what

Rick Stevens rstevens at vitalstream.com
Thu Mar 10 23:51:31 UTC 2005


Bob McClure Jr wrote:
> On Thu, Mar 10, 2005 at 01:17:49PM -0800, Michael Ault wrote:
> 
>>My DSL is a 2wire modem/router that allows you to pick
>>a single machine to be outside of the firewall. I
>>assume I would place the mail server/etc. there as you
>>have described doing.
> 
> 
> I dunno.  I'm not very familiar with those boxes.  You normally want
> your DMZ protected by the firewall, but separate from your internal
> net.  Ideally, you cannot get from your DMZ to your internal LAN, save
> possibly by SSH.  I don't even allow that.  But you can get from your
> internal LAN to the DMZ.  In simple graphics, here is my setup:
> 
>            outside (DSL modem)
> ____________   |
> |          |---'
> | firewall |----- DMZ
> |          |---.
> |__________|   |
>               LAN

Yes, Bob has the most common setup described right there.  Typically,
the DMZ (or "bastion box") has all of the services that the outside
world may need to INITIATE a connection to (incoming mail, FTP, web
server, etc.).  The idea is that, if a box is going to get hacked, it's
THAT box only.  Everything else is protected.

By default, the firewall/router has routes between the outside world and
the DMZ, and between the outside world and the LAN (using NAT as
needed).  Default firewall rules prohibit the DMZ from _initiating_ a
connection between the DMZ and the LAN, so even if the DMZ gets hacked,
your LAN stuff is protected.

As an example, with incoming mail running on the DMZ, your mail would be
delivered to the DMZ, and you'd use something like fetchmail to grab it
from there and put it on your local machine on the LAN.  The point is
that your local machine requests stuff from the DMZ--the DMZ can't
unilaterally access your local machine.

You can, of course, bugger the routes and rules on the firewall/router
or set up port forwarding as your needs dictate.

The firewall/router also typically has a DHCP server for the LAN side
and sets up appropriate NAT rules for any connections initiated from the
LAN to the outside.  That way everyone on the LAN shares the external
IP of the firewall/router.

The DHCP also typically sets itself as the default route for the DHCP
clients and also sets up the DNS server info for the DHCP clients.  No,
you don't need to set up a local DNS server unless you want to access
the machines on the LAN segment by name--just use your ISP's servers.
The DHCP server should set that up automatically.  If you do want to
set up a DNS server, that's also often set up on the bastion, although
some firewall/routers also have a DNS server--albeit a limited one--that
ties into its DHCP database.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      "Doctor!  My brain hurts!"  "It will have to come out!"       -
----------------------------------------------------------------------
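As an added illustration (not part of Rick's post or of any real firewall product), here is a small Python model of the zone policy described above: a connection is judged by which zone initiates it, and reply packets of an established connection are let back through, so fetchmail on the LAN can pull from the bastion while the bastion can never start a connection into the LAN. The zone names, the `ZoneFirewall` class, the published-port set, POP3 as the fetchmail transport, and letting the DMZ initiate outbound connections are all assumptions.

```python
from collections import namedtuple

# One packet between zones; zones are "OUTSIDE", "DMZ" or "LAN" (assumed names).
Packet = namedtuple("Packet", "src_zone dst_zone src_port dst_port")

# Published services on the bastion that the outside may connect to
# (assumed set: FTP, SMTP, HTTP); adjust to what is actually exposed.
DMZ_SERVICES = {21, 25, 80}


class ZoneFirewall:
    """Stateful filter: the zone that INITIATES decides; replies ride the state table."""

    def __init__(self):
        self.established = set()   # 4-tuples of connections that were allowed to start

    def _is_reply(self, pkt):
        reverse = (pkt.dst_zone, pkt.src_zone, pkt.dst_port, pkt.src_port)
        return reverse in self.established

    def _may_initiate(self, pkt):
        if pkt.src_zone == "LAN":                         # LAN -> DMZ or outside
            return True
        if pkt.src_zone == "OUTSIDE" and pkt.dst_zone == "DMZ":
            return pkt.dst_port in DMZ_SERVICES           # only published services
        if pkt.src_zone == "DMZ" and pkt.dst_zone == "OUTSIDE":
            return True                                   # assumed: bastion may relay mail out
        return False                                      # DMZ -> LAN, OUTSIDE -> LAN

    def filter(self, pkt):
        if self._is_reply(pkt):
            return "ACCEPT"
        if self._may_initiate(pkt):
            self.established.add(tuple(pkt))
            return "ACCEPT"
        return "DROP"

def mail_scenario():
    """Walk the post's mail example, then the cases the policy must refuse."""
    fw = ZoneFirewall()
    flows = [                                  # constructed sample traffic
        Packet("OUTSIDE", "DMZ", 51000, 25),   # remote MTA delivers to the bastion
        Packet("DMZ", "OUTSIDE", 25, 51000),   # SMTP replies go back out
        Packet("LAN", "DMZ", 40000, 110),      # fetchmail on the LAN box pulls the mail
        Packet("DMZ", "LAN", 110, 40000),      # POP3 answers ride the LAN-initiated state
        Packet("DMZ", "LAN", 45000, 22),       # hacked bastion trying to reach the LAN
        Packet("OUTSIDE", "LAN", 52000, 80),   # outside trying to reach the LAN directly
        Packet("OUTSIDE", "DMZ", 53000, 22),   # outside trying an unpublished DMZ port
    ]
    return [fw.filter(p) for p in flows]
```

The same DMZ-to-LAN packet is dropped when it arrives cold and accepted when it answers a LAN-initiated connection, which is exactly the "who initiates" distinction the post is making.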




More information about the Redhat-install-list mailing list