Tom,

I have used Shorewall now for 4-5 weeks and I'm really impressed by the power and flexibility of the package.

I'm running Two-Interface Firewall with a MASQ'ed Shorewall (on SUSE 8.0) to protect my LAN (5 WIN XP's and a WIN2K Server acting as PDC). The Shorewall Linux box has two NIC's (eth0 to Internet and eth1 to my LAN Switch) and is also acting as public WWW and FTP server. My connection is via ADSL and domain name registered at no-ip.com.

OK, now my quest.... Would it make any sense to add one extra NIC to my WIN2K Server, and an extra third NIC (eth2) on the firewall. Then connect these two new NIC's via a cross-over cable. On the Win Server I would be running Apache and associated with the new connection (192.168.2.1) and on the firewall define that Server connection as a DMZ. The WIN2K Server would still be connected to the LAN (192.168.1.1) via the switch serving the local network (local DNS, PDC, fileserver, DHCP etc.) In other words, the WIN Server would have two physically separated connections, one for the DMZ and one for the LAN.

Would this be a feasible DMZ set-up or is it completely crazy? Or are there other set-ups not requiring a third dedicated PC....

Comments please.

Regards,
Per Leion (Sweden)
On 20 Aug 2002 at 23:02, Per Leion wrote:

> Tom,
> I have used Shorewall now for 4-5 weeks and I'm really impressed by the
> power and flexibility of the package.
>
> I'm running Two-Interface Firewall with a MASQ'ed Shorewall (on SUSE
> 8.0) to protect my LAN (5 WIN XP's and a WIN2K Server acting as PDC). The
> Shorewall Linux box has two NIC's (eth0 to Internet and eth1 to my LAN
> Switch) and is also acting as public WWW and FTP server. My connection is via
> ADSL and domain name registered at no-ip.com.
>
> OK, now my quest.... Would it make any sense to add one extra NIC to my
> WIN2K Server, and an extra third NIC (eth2) on the firewall. Then connect
> these two new NIC's via a cross-over cable. On the Win Server I would be
> running Apache and associated with the new connection (192.168.2.1) and
> on the firewall define that Server connection as a DMZ. The WIN2K Server
> would still be connected to the LAN (192.168.1.1) via the switch serving
> the local network (local DNS, PDC, fileserver, DHCP etc.) In other words,
> the WIN Server would have two physically separated connections, one for the
> DMZ and one for the LAN.

Aside from the physical possibility, why would you _want_ to bring (potentially) dangerous www traffic inside to your win2k box? Linux does a better job of www than win2k, and you keep the risk at arm's length.

If you want to further compartmentalize it, why not put another linux box in a true DMZ? What would you gain?

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
> OK, now my quest.... Would it make any sense to add one extra NIC to my
> WIN2K Server, and an extra third NIC (eth2) on the firewall. Then connect these
> two new NIC's via a cross-over cable. On the Win Server I would be running
> Apache and associated with the new connection (192.168.2.1) and on the firewall
> define that Server connection as a DMZ. The WIN2K Server would still be connected
> to the LAN (192.168.1.1) via the switch serving the local network (local DNS, PDC,
> fileserver, DHCP etc.) In other words, the WIN Server would have two physically
> separated connections, one for the DMZ and one for the LAN.
>
> Would this be a feasible DMZ set-up or is it completely crazy? Or are there
> other set-ups not requiring a third dedicated PC....
>
> Comments please.

From a security standpoint, I don't see what you gain by implementing what you're proposing. Besides, you should first go to Microsoft's website and read about the problems associated with running a multi-homed PDC. Although, it's doable.

If you are wanting to implement a true DMZ approach, consider placing a stand-alone server in that DMZ that handles services like web, ftp, dns, etc...

Steve Cowles
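As an added illustration of the stand-alone DMZ server both replies recommend (this is not configuration from the original thread), here is a Shorewall three-interface layout in the classic pre-4.x file format. It assumes eth2 carries the DMZ as 192.168.2.0/24 with the firewall at 192.168.2.1 and a dedicated web/FTP host at 192.168.2.2 (all assumed values); the policies let the LAN reach the DMZ while giving the DMZ no path into the LAN, so a compromised public server cannot reach the PDC.

```text
# /etc/shorewall/zones  (assumed three-zone layout, classic Shorewall 1.3/2.x format)
#ZONE   DISPLAY     COMMENTS
net     Net         Internet via ADSL on eth0
loc     Local       LAN behind the switch on eth1
dmz     DMZ         stand-alone public server on eth2

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/masq  -- both internal networks leave via eth0
#INTERFACE  SUBNET
eth0        192.168.1.0/24
eth0        192.168.2.0/24

# /etc/shorewall/policy  -- first matching policy wins, so order matters
#SOURCE DEST    POLICY  LOG LEVEL
# admins on the LAN may manage the DMZ host
loc     dmz     ACCEPT
loc     net     ACCEPT
# the DMZ never initiates into the LAN; log attempts as an intrusion signal
dmz     loc     DROP    info
net     all     DROP    info
# dmz->net and everything else is rejected unless a rule below allows it
all     all     REJECT  info

# /etc/shorewall/rules  -- explicit exceptions to the policies above
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
# forward the public web and FTP ports to the assumed DMZ host 192.168.2.2
DNAT    net     dmz:192.168.2.2     tcp     80
# active/passive FTP also needs the ip_conntrack_ftp helper loaded on the firewall
DNAT    net     dmz:192.168.2.2     tcp     21
# the DMZ host may resolve names, but nothing else outbound
ACCEPT  dmz     net                 udp     53
ACCEPT  dmz     net                 tcp     53
```

With this layout the only traffic that ever touches 192.168.1.0/24 from the DMZ is a reply to a connection the LAN itself opened, and any DMZ-originated attempt shows up as a logged drop.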