[Techtalk] Network Layout (was ISP...)

Conor Daly conor.daly at oceanfree.net
Sat May 11 21:02:33 EST 2002


On Thu, May 09, 2002 at 02:25:27PM +0800 or so it is rumoured hereabouts, 
Jacqueline McNally thought:
> 
> Bridging vs routing. Please could someone explain the impact of this if I 
> want to host a domain on the offered static IP address and still have 
> access to a number of other machines.
 
Don't know the difference between them myself but I use port forwarding to
access individual machines behind my firewall.  E.g. if I

ssh <my.ip.addr.ess>

I get to my home server while if I 

ssh -p 23 <my.ip.addr.ess> 

I connect to another box at home.  Similarly, you can forward port 80 to
your web server and so on...  You can even use this to force users inside
your network to route through a web proxy: you forward any traffic for
external port 80 to your proxy server and route _its_ traffic out to the
internet.

> Also, I am not sure if I should wire it this way:
> 
> ADSL modem -- Linux firewall box -- Linux web server also routing traffic 
> to -- switch -- other computers

This puts the web server behind the firewall so, in theory, you don't have
to do any more securing since you've already done that at the firewall.
However, you _are_ allowing untrusted traffic onto your internal network.
 
> or this way:
> 
> ADSL modem -- Linux web server -- Linux firewall box -- switch -- other 
> computers

This way, no untrusted traffic is allowed into your network so that's
presumably secure.  However, the web server is exposed to the internet and
so must itself be properly secured (Raven'll probably give out to me for
saying you don't need to secure the box if it's behind a firewall and
properly so).
 
I'd go for something like

ADSL modem -- Linux Firewall  --eth0-- switch -- other computers
                    |
                  eth1
                    |
             Linux web server

This requires three network cards in the firewall; one for the modem, one
for the web server and one for the rest of your network.  Traffic for the
web server gets routed via eth1 and is not allowed onto your internal
network.  It has the advantages of both layouts above without having their
disadvantages.  The eth1 network is known as a DeMilitarised Zone (DMZ).
The DMZ is essentially untrusted (i.e. connections to and from the internal
network are still routed through the firewall and the web server should
not be allowed to access machines on the internal network).  That way, if
the web server is compromised, the remainder of your network is still OK
(assuming the firewall is still working that is...).

> Can someone explain which is best, or an alternative ? Please feel free to 
> point me to appropriate URLs.

Much of the above is gleaned from the Firewall and Proxy Server HOWTO
(particularly chapter 3 for layouts) available from the Linux
Documentation Project (http://www.ldp.org).

Conor
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
  9:15pm  up 20 days,  2:54,  1 user,  load average: 0.00, 0.00, 0.00
Hobbiton.cod.ie
  8:21pm  up 18 days, 10:47,  3 users,  load average: 0.19, 0.17, 0.17
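The three-NIC layout and the port forwards Conor describes, as an added example that is not part of the original post: a small POSIX shell script that emits an iptables rule set for it. Interface names (eth2 on the modem side; eth0 and eth1 as in the diagram), the RFC 1918 ranges and the host addresses are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names and addresses
# below are assumptions: eth2 = ADSL modem side, eth0 = internal LAN, eth1 = DMZ.
EXT_IF=eth2
LAN_IF=eth0; LAN_NET=192.168.1.0/24
DMZ_IF=eth1; DMZ_NET=192.168.2.0/24
WEB=192.168.2.10        # web server in the DMZ (external port 80)
HOME_SRV=192.168.1.10   # "ssh <my.ip.addr.ess>" lands here (external 22 -> 22)
OTHER_BOX=192.168.1.20  # "ssh -p 23 <my.ip.addr.ess>" lands here (external 23 -> 22)

# Print one iptables command per line so the set can be reviewed before it is applied.
rule() { echo "iptables $*"; }

# fwd EXTPORT DEST DESTPORT OUT_IF: the DNAT plus the matching FORWARD accept.
fwd() {
    rule -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$1" -j DNAT --to-destination "$2:$3"
    rule -A FORWARD -i "$EXT_IF" -o "$4" -d "$2" -p tcp --dport "$3" -m conntrack --ctstate NEW -j ACCEPT
}

dmz_rules() {
    # Nothing crosses the firewall unless a rule below says so.
    rule -P FORWARD DROP
    # Replies to connections already allowed (including LAN -> DMZ) pass.
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internal LAN may open connections to the internet and to the DMZ.
    rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # DMZ is untrusted: log and drop anything it tries to open into the LAN.
    rule -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix dmz-to-lan:
    rule -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    # DMZ may still reach the internet (e.g. for package updates).
    rule -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$EXT_IF" -j ACCEPT
    # Port forwards from outside: 80 -> web server, 22 -> home server, 23 -> other box.
    fwd 80 "$WEB" 80 "$DMZ_IF"
    fwd 22 "$HOME_SRV" 22 "$LAN_IF"
    fwd 23 "$OTHER_BOX" 22 "$LAN_IF"
    # Hide private addresses behind the firewall's external address.
    rule -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

dmz_rules
```

Run it to see the rule set; once the addresses match your network, `sh dmz-rules.sh | sh` applies it (ip_forward must be enabled separately).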


