Mon Feb 24 11:49:00 CET 2003
Ciprian Chira wrote:
> Finally I decided to send a mail, because I have 2 questions (problems).
> 1. Must a DMZ have a real ethernet card or not?
It is possible to have a DMZ without an extra interface, but I would
strongly advise you not to, as this should be very insecure.
The point of having a DMZ is to have it completely separated from other
internal networks. Think of what would happen if a hacker did gain
control over a machine in the DMZ. If it was not physically detached
from all other zones, the attacker could easily start hacking other
machines located on the internal network.
> In case that I don't need a real ethernet card, then I have to assign a
> second IP address for et0 (eth2 will be an alias).
You should read about making ip aliases.
Try reading http://www.tldp.org/HOWTO/mini/IP-Alias/
As for FIAIF configuration files, you should specify
eth0 as the device; all other network configuration options (IP, NET,
etc.) are of course the values for the new network.
> 2. What IP address should I write in httpd.conf. and in other .conf files ?
Making an ip alias is logically the same as installing a new NIC. I do
not understand why you ask about httpd.conf, as I guess the httpd server
would be moved to another machine located in the DMZ.
Again - I strongly advise you to install a NIC for the DMZ (and maybe a
hub or switch), in order to force all traffic from and to the DMZ to go
through the firewall.
> Thanks a lot!
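
Added example (not part of the original message and not FIAIF code): a check that flags firewall interfaces where the DMZ is only an IP alias sharing a physical device with another zone, which is the setup advised against above. The zone names, networks and the `ip -o -4 addr show` sample are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip -o -4 addr show` output (not from the original post).
# eth0 carries the internal address plus a DMZ alias (eth0:1); eth1 is external.
SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
2: eth0    inet 192.168.2.1/24 brd 192.168.2.255 scope global secondary eth0:1
3: eth1    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth1
"""

# Hypothetical zone layout; replace with the networks from your own zone files.
ZONES = {
    "INT": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.2.0/24"),
    "EXT": ipaddress.ip_network("203.0.113.0/24"),
}

def parse_addresses(text):
    """Yield (physical_device, address) for every IPv4 address line."""
    for line in text.splitlines():
        fields = line.split()
        if "inet" not in fields:
            continue
        # Field 1 is the physical device; an alias label such as eth0:1
        # only appears at the end of the line and is ignored here.
        dev = fields[1]
        addr = ipaddress.ip_interface(fields[fields.index("inet") + 1])
        yield dev, addr

def zones_per_device(text, zones):
    """Map each physical device to the set of zones it has an address in."""
    result = defaultdict(set)
    for dev, addr in parse_addresses(text):
        for name, net in zones.items():
            if addr.ip in net:
                result[dev].add(name)
    return dict(result)

def shared_devices(text, zones):
    """Return devices that serve more than one zone on the same wire."""
    found = zones_per_device(text, zones)
    return {dev: sorted(z) for dev, z in found.items() if len(z) > 1}

if __name__ == "__main__":
    for dev, z in shared_devices(SAMPLE, ZONES).items():
        print(f"{dev}: zones {', '.join(z)} share one interface; "
              "hosts in them can reach each other without crossing the firewall")
```

Run it against the real output of `ip -o -4 addr show` on the firewall; an empty result means every zone has its own physical device.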