[buug] Convert Linux Gateway to OpenBSD

f.johan.beisser jan at caustic.org
Fri Oct 25 17:06:38 PDT 2002


On Fri, 25 Oct 2002, Charles Howse wrote:

> What are your thoughts on the following:
>
> My little network will have a DMZ.

ok. it's already behind nat. the DMZ will be of limited usefulness.

here's why: you have 1 public IP. if you map ports over to specific
machines you're still only exposing one or two ports. it's not going to
render you that much more secure than having everything sitting in one
local network..

this doesn't mean the design is bad, it's a good design, just requiring
more resources to implement than your original design.

> The first question I have for this scenario concerns the subnetting for
> the network.
> BTW: subnetting is my short suit.
> I'm totally at a loss here...should all the machines be on the same
> network - 255.255.0.0?

no. i would either A) assign a complete class C (heh, pre-CIDR stuff
amuses me) to each segment, or B) subnet one. what good is setting
everything to be in the same subnet when you're attempting to keep things
separate?

since you're playing with private IP space, go for the /24. it'll be
easier to handle.

so, 192.168.1.0 and the DMZ would be 192.168.2.0, for example. the netmask
for either is 255.255.255.0. this just makes everything easier to deal
with, especially once it's in private IP space.

  <gateway>
     |
     +---{DMZ}-<publicly accessible servers (192.168.1.0/24)>
     |
     +---{Windoze}-<private machines (192.168.2.0/24)>

-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                      jan at caustic.org
	"Champagne for my real friends, real pain for
	  my sham friends." -- Tom Waits
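
An added example, not part of the original thread: an OpenBSD pf.conf that implements the layout described in the message above (one public IP, two private /24 segments, a single port mapped into the DMZ, and a filter that keeps the DMZ from reaching the LAN). It uses current pf syntax (OpenBSD 4.7 and later) rather than the separate nat/rdr rules of 2002. The interface names and the web server address are assumptions for illustration; the message's text and its diagram disagree about which /24 is the DMZ, and this example follows the text (LAN 192.168.1.0/24, DMZ 192.168.2.0/24).

```pf
# Added example (not from the original thread): OpenBSD pf.conf for a
# gateway with one public address, a LAN segment and a DMZ segment.
# Interface names and the web server address are assumptions.
ext_if  = "em0"               # the single public IP lives here
lan_if  = "em1"               # private machines
dmz_if  = "em2"               # publicly accessible servers
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
www_srv = "192.168.2.10"      # assumed address of the DMZ web server

set skip on lo0

# drop packets arriving on an interface with a source that belongs elsewhere
antispoof quick for { $lan_if $dmz_if }

# default deny; every rule below is an explicit exception
block return log all

# both private segments share the one public address
match out on $ext_if inet from { $lan_net $dmz_net } nat-to ($ext_if)

# the only exposure to the Internet: TCP/80, mapped to one DMZ host
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $www_srv

# the LAN may initiate to the DMZ and to the Internet
pass in on $lan_if inet from $lan_net

# the DMZ may initiate to the Internet but not to the LAN; this rule is
# what makes the DMZ worth more than a flat network if a server is popped
pass in on $dmz_if inet from $dmz_net to ! $lan_net

# replies and traffic originated by the gateway itself
pass out inet
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and remember the box only routes between the segments once `net.inet.ip.forwarding=1` is set (persistently in /etc/sysctl.conf). Replies from the DMZ to LAN-initiated connections are still allowed, since the LAN pass rule creates the state; only connections originated inside the DMZ toward the LAN are blocked.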