TCLUG Archive

Re: [TCLUG:19384] IPCHAINS/ipmasqadm



>                                   | [mail 192.168.0.1]
>  206.147.x.x   192.168.0.100      | [www 192.168.0.10]
> -DSL--[Firewall]------[Switch]----| [workstation a 192.168.0.20]
>                                   | [workstation b 192.168.0.21]
> 
> Now, the NAT thingie is port-forwarding stuff over to the internal
> network. For example, www.yaron.org is DNSed as 206.147.x.x. The firewall
> forwards port 80 to the internal 192.168.0.10.

(delayed response -- was out of town)

Why not put the ("bastion host") mail and www servers into the "DMZ"
network, between the DSL router and firewall machine?  This could
eliminate the need for port forwarding and close potential avenues of
attack on your internal network.  The DSL router (Cisco 675?) should be
able to handle some port forwarding.

-- 
==============     SIGN the Linux Driver Petition:
Joel Schneider     http://www.libranet.com/petition.html
jts@tc.umn.edu     SIGN the Mars Petition:
==============     http://www.thinkmars.net/petition.html
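The two designs discussed in this thread, written out as ipchains/ipmasqadm rulesets for the [Firewall] box in the diagram. This is an added example, not code from either poster. It assumes eth0 faces the DSL router and eth1 faces the switch, uses the addresses from the diagram, and leaves 206.147.x.x exactly as written in the post (the real octets go in before applying). The rule() helper prints each command by default so the two rulesets can be compared on any machine; DRY_RUN=0 executes them on a 2.2-era kernel that has ipchains and ipmasqadm.

```shell
#!/bin/sh
# Added example, not from the TCLUG thread.  Two ipchains/ipmasqadm rulesets
# for the [Firewall] box in the diagram above, for a 2.2-era kernel.
# Assumptions: eth0 faces the DSL router, eth1 faces the switch, the LAN is
# 192.168.0.0/24, and 206.147.x.x is the public address (x.x left as in the
# post; fill in the real octets before applying).
EXT_IF=eth0
INT_IF=eth1
EXT_IP="206.147.x.x"
LAN=192.168.0.0/24
WWW=192.168.0.10
MAIL=192.168.0.1
MASQ_PORTS=61000:65095      # default masquerading port range of 2.2 kernels

# DRY_RUN=1 (default) prints each command instead of executing it, so the
# rulesets can be reviewed or diffed on a box without ipchains installed.
DRY_RUN=${DRY_RUN:-1}
rule() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Rules shared by both designs: default deny, anti-spoofing, LAN masquerading,
# and acceptance of replies to masqueraded connections on the outside.
common_rules() {
    rule ipchains -F
    rule ipmasqadm portfw -f
    rule ipchains -P input DENY
    rule ipchains -P forward DENY
    rule ipchains -P output ACCEPT
    rule ipchains -A input -i lo -j ACCEPT
    # Packets claiming a LAN source must never arrive on the outside interface.
    rule ipchains -A input -i "$EXT_IF" -s "$LAN" -l -j DENY
    rule ipchains -A input -i "$INT_IF" -s "$LAN" -j ACCEPT
    # Replies to masqueraded LAN traffic come back to the masq port range;
    # "! -y" refuses new TCP connections (SYN) into that range.
    rule ipchains -A input -i "$EXT_IF" -p tcp ! -y -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT
    rule ipchains -A input -i "$EXT_IF" -p udp -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT
    rule ipchains -A input -i "$EXT_IF" -p icmp -j ACCEPT
    # In the forward chain -i names the outgoing interface: masquerade LAN
    # traffic leaving through the DSL side, and turn forwarding on.
    rule ipchains -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
    rule sysctl -w net.ipv4.ip_forward=1
}

# Design 1 (what the original post does): servers stay on the LAN and the
# firewall port-forwards 80 and 25 to them.  Each forwarded port is an
# unsolicited connection accepted from the Internet straight into the LAN.
portfw_rules() {
    common_rules
    rule ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 80 -j ACCEPT
    rule ipmasqadm portfw -a -P tcp -L "$EXT_IP" 80 -R "$WWW" 80
    rule ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 25 -j ACCEPT
    rule ipmasqadm portfw -a -P tcp -L "$EXT_IP" 25 -R "$MAIL" 25
}

# Design 2 (what the reply suggests): www and mail sit on a DMZ segment
# between the DSL router and this firewall, so nothing is forwarded into the
# LAN.  If the DSL router holds the only public address, it forwards 80 and
# 25 to the DMZ hosts itself; this box accepts no new inbound connections at
# all and logs any SYN that reaches it from the outside.
dmz_rules() {
    common_rules
    rule ipchains -A input -i "$EXT_IF" -p tcp -y -l -j DENY
}

case "${1:-}" in
    portfw) portfw_rules ;;
    dmz)    dmz_rules ;;
    *)      echo "usage: $0 portfw|dmz   (DRY_RUN=0 to apply)" >&2 ;;
esac
```

Run `sh fw.sh portfw` and `sh fw.sh dmz` and diff the output: the only lines that differ are the four port-forward entries versus one logging rule, which is the whole security argument of the reply. In the DMZ layout the DMZ hosts are still on the far side of the firewall's default-deny input chain, so a compromised www or mail box gets no more access to the LAN than any other Internet host.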