Anders Fugmann email hidden
Mon Feb 24 11:49:00 CET 2003

Ciprian Chira wrote:
> Hello!
> Finally I decided to send a mail, because I have 2 questions (problems).
> 1. Must a DMZ have a real ethernet card or not?
It is possible to have a DMZ without an extra interface, but I would 
strongly advise you not to, as this should be very insecure.

The point of having a DMZ is to have it completely separated from other 
internal networks. Think of what would happen if a hacker did gain 
control over a machine in the DMZ. If it was not physically detached 
from all other zones, the attacker could easily start hacking other 
machines located on the internal network.

> In case that I don't need a real ethernet card, then I have to assign a 
> second IP address for et0 (eth2 will be an alias).
You should read about making IP aliases.
Try reading

As for FIAIF configuration files, you should specify
eth0 as the device; all other network configuration options (IP, NET, 
etc.) are of course the values for the new network.

> 2. What IP address should I write in httpd.conf and in other .conf files?
Making an IP alias is logically the same as installing a new NIC. I do 
not understand why you ask about httpd.conf, as I guess the httpd server 
would be moved to another machine located in the DMZ.

Again - I strongly advise you to install a NIC for the DMZ (and maybe a 
hub or switch), in order to force all traffic from and to the DMZ to go 
through the firewall.

> Thanks a lot!
> Ciprian.

Anders Fugmann
