help!!

Anders Fugmann
Mon Feb 24 11:49:00 CET 2003


Ciprian Chira wrote:
> Hello!
> Finally I decided to send a mail, because I have 2 questions (problems).
> 1. Must a DMZ have a real ethernet card or not?
It is possible to have a DMZ without an extra interface, but I would 
strongly advise you not to, as this should be very insecure.

The point of having a DMZ is to have it completely separated from other 
internal networks. Think of what would happen if a hacker did gain 
control over a machine in the DMZ. If it was not physically detached 
from all other zones, the attacker could easily start hacking other 
machines located on the internal network.

> In case that I don't need a real ethernet card, then I have to assign a 
> second IP address for eth0 (eth2 will be an alias).
You should read about making IP aliases.
Try reading http://www.tldp.org/HOWTO/mini/IP-Alias/

As for FIAIF configuration files, you should specify
eth0 as the device; all other network configuration options (IP, NET, 
etc.) are of course the values for the new network.

> 2. What IP address should I write in httpd.conf and in other .conf files?
Making an IP alias is logically the same as installing a new NIC. I do 
not understand why you ask about httpd.conf, as I guess the httpd server 
would be moved to another machine located in the DMZ.

Again - I strongly advise you to install a NIC for the DMZ (and maybe a 
hub or switch), in order to force all traffic from and to the DMZ to go 
through the firewall.

>  
> Thanks a lot!
> Ciprian.

Regards
Anders Fugmann
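
An added example, not part of the original thread and not FIAIF code: a small audit that reads `ip -o -4 addr show` output and reports any device carrying more than one IP network, which is the aliased-DMZ layout the reply warns against because both zones then share one wire and traffic between them need not cross the firewall. The sample output, addresses and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip -o -4 addr show` output (assumption, not from the post).
# eth0 carries the internal network plus a DMZ network added as alias eth0:0.
SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth0:0\\       valid_lft forever preferred_lft forever
3: eth1    inet 203.0.113.10/29 brd 203.0.113.15 scope global eth1\\       valid_lft forever preferred_lft forever
"""


def networks_per_device(ip_output):
    """Map each physical device name to the set of IPv4 networks bound to it."""
    nets = defaultdict(set)
    for line in ip_output.splitlines():
        parts = line.split()
        # Expected layout: "<index>:", "<device>", "inet", "<address>/<prefix>", ...
        if len(parts) < 4 or parts[2] != "inet":
            continue
        iface = ipaddress.ip_interface(parts[3])
        if iface.ip.is_loopback:
            continue
        nets[parts[1]].add(iface.network)
    return dict(nets)


def shared_segments(ip_output):
    """Return devices that carry more than one network.

    Aliases such as eth0:0 are listed under the physical device (eth0), so
    two zones configured this way sit on the same layer-2 segment.
    """
    return {
        dev: sorted(str(n) for n in nets)
        for dev, nets in networks_per_device(ip_output).items()
        if len(nets) > 1
    }


if __name__ == "__main__":
    for dev, nets in shared_segments(SAMPLE).items():
        print(f"{dev}: zones share one physical segment: {', '.join(nets)}")
```

On a live firewall, feed the function the text of `ip -o -4 addr show` instead of `SAMPLE`; an empty result means every network has its own device.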
