[NTLUG:Discuss] Router Needed? -- multiple NAT devices not good (_avoid_ if possible)

Stephen Davidson gorky at freenet.carleton.ca
Fri Jul 9 05:24:43 CDT 2004


Greetings.

I have a Smoothwall, and a similar setup to what is being discussed.  
So I can actually shed a little light.

terry wrote:

> Ralph Green, Jr wrote:
> [snip]

Smoothwall is great if you do not know a lot about configuring 
firewalls or firewall rules, because the user interface (web based) is 
easy to use and handles everything one normally needs if you are 
running anything up to a SOHO (like my situation).  But it is not so 
fine if you are a large corporation, or otherwise need to manually set 
more sophisticated firewall rules.  At least not yet, anyways.  It was 
apparently designed so that some newbie type could plop it on an old, 
unused system and turn that system into a basically self-maintaining, 
impenetrable firewall.

>> missing, because the whole purpose of the orange zone is to isolate
>> those machines that do need to receive connections from the red zone. 
>> The orange zone usually contains web server or mail servers that the
>> outside world must be able to reach.  Now, the red zone cannot initiate
>> contact to your green zone.  Am I missing something, or did you mean to
>
>
> "the red zone cannot initiate contact to your green zone."
> I'm not understanding that part either.
> (red zone = internet  green zone = LAN) Right?
> So what are you saying about initiating contact from red to green zones?
>
Red = Internet
Orange = DMZ
Green = LAN

>> say green?
>
>
> I think what he's saying is making it sort-of like:
> red green-1 green-2
> instead of the conventional
> red green orange
>
> In other words, not using the orange interface for servers but just 
> using it to isolate visitor LAN from office LAN, therefore allowing 
> visitor LAN access to internet and nothing more. ie.
> green = office LAN
> orange = visitor LAN
>
> (I don't know if it'd work but makes sense to me.) (Don't see why not.)

Works very well for me.
You can also open up some ports from Orange to Green, either machine to 
machine, port to machine, or port to network (as in, allow all access 
from Orange to any machine on green via port xxxx).

Stick the visitor in the Orange zone, and either put the needed 
utils/equipment there (at minimum a DHCP server), or open Orange -> 
Green NetBIOS to the print server (if you feel safe allowing them 
access to a single machine on your LAN), or something, and you should 
be in good shape.

What I have configured is the following:

Internet --- Smoothwall --- LAN
                             |
                   ----------+----------
                   |                   |
            External Access     Guest Computer
                Server

Smoothwall is providing DHCP to the LAN.

The EAS has a printer on it, and is also providing DHCP to the local 
net.  (I could not figure out how to configure Smoothwall, using its 
provided interfaces, to configure two different DHCP nets depending on 
which port -- if you modify its files manually, the next DHCP change via 
the user interface blows away your manual changes :( )

No access from Orange -> Green is allowed (Green can access Orange or 
Red/Internet no problem).
The ONLY gotcha I found: you need to make sure Orange has a different 
subnet from your LAN.

>
>
>> Good day,
>> Ralph
>>
>> On Wed, 2004-07-07 at 13:49, Bryan J. Smith wrote:
>>
>>
>>> - "Just the easiest answer"
>>>
>>> Install IPCop 1.3 ( http://www.ipcop.org ) and make it your firewall.
>>> Turn the 3rd zone, ORANGE (DMZ) into the zone for your conference room.
>>> By default, nothing can get into ORANGE (DMZ) from RED (Internet), and
>>> the ORANGE (DMZ) cannot access GREEN (LAN).
>>
That would be by default.  You can configure Orange (DMZ) to access 
various ports/machines/services on Green (LAN).

Regards,
Steve

-- 
Java/J2EE Developer/Integrator
Chair, Dallas/FortWorth J2EE Sig
214-724-7741
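The three-zone policy the thread describes (Green may initiate anywhere, Red may not reach Orange or Green, Orange may reach the Internet but reaches Green only through explicit pinholes, and Orange must sit on a different subnet from Green), as an added example that models the rules; this is not code from the original post or from the Smoothwall project, and the subnets, hosts and port numbers are constructed sample values.

```python
# Added example: a small model of the RED / ORANGE / GREEN policy from the thread,
# including the three kinds of ORANGE -> GREEN pinholes (machine to machine,
# port to machine, port to network) and the "different subnet" gotcha.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

# Zone subnets: constructed sample values, not taken from the post.
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.1.0/24"),   # office LAN
    "ORANGE": ipaddress.ip_network("192.168.2.0/24"),  # visitor LAN / DMZ
}

@dataclass
class Pinhole:
    """One explicitly allowed ORANGE -> GREEN flow; None is a wildcard."""
    src: Optional[str] = None   # set src and dst for machine to machine
    dst: Optional[str] = None   # set dst and port for port to machine
    port: Optional[int] = None  # set only port for port to whole network

def zone_of(ip: str) -> str:
    """Classify an address; anything outside the local zones is RED (Internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"

def allowed(src: str, dst: str, port: int, pinholes: Sequence[Pinhole] = ()) -> bool:
    """May src initiate a new connection to dst:port under the default policy?"""
    s, d = zone_of(src), zone_of(dst)
    if s == "GREEN":          # LAN can reach Orange and the Internet
        return True
    if s == "RED":            # Internet initiates nothing inward by default
        return False
    if d in ("RED", "ORANGE"):  # visitors reach the Internet and each other
        return True
    # ORANGE -> GREEN: denied unless a pinhole matches
    return any((p.src is None or p.src == src)
               and (p.dst is None or p.dst == dst)
               and (p.port is None or p.port == port)
               for p in pinholes)

def subnets_distinct() -> bool:
    """The one gotcha: overlapping ORANGE/GREEN subnets make zone_of() ambiguous."""
    nets = list(ZONES.values())
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
```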