(slow response -- just catching up with Monday's email)

The "DMZ" style setup isolates the publicly accessible server(s) from
the internal network.  Its advantage is that, because the server(s) are
on the other side of the firewall, it's not necessary to open a
potential avenue of attack on machines behind the firewall by having the
firewall do port forwarding, thereby exposing services that could
potentially be exploited.  DNS and email servers might also be placed in
the "DMZ".

Putting three NIC cards in the firewall machine looks like a more secure
approach, though.  Cool idea!

Beyond turning off telnet and web access, I hadn't really thought much
about not trusting the 675.  I suppose the web server itself could do
some packet filtering...

In any case, it's very comforting to have some decent protection.

Joel

Chewie wrote:
> Timothy Wilson wrote:
> 
>     Anyone care to contribute some thoughts on the 675 vs. Linux
>     firewall debate?
> 
> On Sun, Nov 19, 2000 at 03:54:51AM -0600, Joel Schneider wrote:
> > Why not use both Cisco 675 _and_ Linux firewalling?
> 
> Actually, this suggestion is the best one to go with, although I
> disagree with how Joel has implemented it; albeit slightly at best.
> Under Joel's suggestion, the network would look like this:
> 
>                         ( Internet ) 0.0.0.0/0
>                              |
>                           [ DSL ]------[ HUB ]
>                                           |
>                            +--------------+  (DMZ)
>                            |              |
>                      [ WEB Server]   [ Firewall ]
>                                           |
>                                      (Private Net)
> 
> This is not altogether bad, but the side effect is that any
> additional filtering of traffic to the web server must be accomplished
> through the DSL modem.  This modem has a grand total of 10 filter
> rules.  If you have only one static IP address allocated to you, then
> you are forced to deal with the Cisco's NAT.
> 
> Linux IPChains (2.2) or IPTables (2.4) is infinitely more flexible on
> how you handle packet filtering, routing, and forwarding.  If you feel
> you would like to use this power, you can do one of two things:
> 
>     1)  Manage the port forwarding at the Linux firewall
> 
>                       ( Internet ) 0.0.0.0/0
>                            |
>                         [ DSL ]--------[ Firewall ]
>                                           |
>                                        [ HUB ]
>                                           |
>                             +-------------+-------------+
>                             |                           |
>                       [ WEB Server]               (Private Net)
> 
>     2)  Add another network card to the firewall and have a "server"
>         subnet/DMZ
> 
>                                  ( Internet )  <#1>
>                                       |
>                                    [ DSL ]
>                                       |        <#2>
>                                  [ Firewall ]
>                  <#3> (DMZ)         |   |      (Private Net) <#4>
>                         +-----------+   +--------[ HUB ]
>                         |                           |
>                   [ WEB Server]                     ...
> 
> Now, notice how all traffic is flowing through the firewall.  This
> gives you an amount of control and flexibility far beyond that which
> you could achieve through the DSL modem alone.  Through these
> suggestions, you would need only one NAT rule at the Cisco:
> forward all traffic destined for the Cisco to the firewall.
> 
> Now, the nets #2, #3, and #4 can be configured in many different ways.
> It all depends upon what your ISP has given you.  If the ISP gave you
> only one IP address, either static or dynamic, your DSL router must
> use NAT to forward any requests to other machines.  If you've received
> a /30 Internet subnet, you have two "usable" IP addresses.  You must
> assign one to your DSL router and you have one left for your firewall.
> If you're given a /29, or 6 "usable" IP addresses, you could actually
> make your DMZ a bridged network off your firewall (which is something
> I'm working on configuring at my house).
> 
> Well, you have a lot of choices depending on what you've been
> allocated.  I personally want my Linux firewall handling the bulk of
> the filtering and NAT rules, if not all of them.  I simply don't trust
> the Cisco, nor do I like its limited resources.
> 
> Anyway, good luck!
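The following is an added illustration, not part of the original thread and not a ruleset either poster published: an iptables (2.4-era) script for Chewie's option 2, the three-interface firewall with a separate DMZ. The interface names (eth0/eth1/eth2 for nets #2/#3/#4), the two RFC 1918 subnets and the web server address are assumptions chosen for the example. It encodes the two points made above: the Cisco only forwards everything to the firewall, so port forwarding to the web server happens on the Linux box, and a compromised DMZ host is not allowed to open connections into the private net.

```shell
#!/bin/sh
# Example iptables ruleset for the three-NIC firewall/DMZ layout.
# Interface names and subnets below are assumptions for illustration.
EXT_IF="${EXT_IF:-eth0}"                 # <#2>: link toward the DSL router
DMZ_IF="${DMZ_IF:-eth1}"                 # <#3>: server subnet / DMZ
LAN_IF="${LAN_IF:-eth2}"                 # <#4>: private net
DMZ_NET="${DMZ_NET:-192.168.10.0/24}"
LAN_NET="${LAN_NET:-192.168.20.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.10.2}"  # assumed address of the DMZ web host
# DRY_RUN=1 (default) prints the commands instead of executing them;
# set DRY_RUN=0 on the real firewall (needs root and the iptables binary).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_dmz_rules() {
    run iptables -F
    run iptables -t nat -F
    # Default deny: nothing reaches or crosses the firewall unless listed.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Admin access to the firewall itself only from the private net.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Private net may open connections anywhere (Internet and DMZ).
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # The DMZ may answer but never initiate toward the private net, so a
    # compromised web server gains no foothold inside.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m state --state NEW -j DROP
    # DMZ hosts may reach the Internet (updates, DNS) but nothing else.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_NET" -j ACCEPT
    # The only service reachable from outside: HTTP to the web server.
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Port forwarding lives here, not in the Cisco's 10 filter rules: the
    # modem hands everything to the firewall, which sends port 80 into the DMZ.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    # Hide both inside nets behind the firewall's single external address.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$DMZ_NET" -j MASQUERADE

    run sysctl -w net.ipv4.ip_forward=1
}

# Returns 0 when the generated (dry-run) ruleset contains the exact rule $1.
has_rule() {
    apply_dmz_rules | grep -qF -e "$1"
}

apply_dmz_rules
```

Run it as-is to review the generated rules, then with `DRY_RUN=0` to load them. The order of the FORWARD rules matters: the DMZ-to-private DROP on new connections sits before the DMZ-to-Internet ACCEPT, and both rely on the ESTABLISHED,RELATED rule so that replies to legitimate connections still flow back.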