[plug] DMZ with IPCop

Quintin Lette quintin at arach.net.au
Wed Feb 19 21:24:01 WST 2003


Your DMZ machines shouldn't be able to see your Local machines, that's 
basically the idea of it all, unless you set up DMZ pinholes (basically 
allowing ports through).

The idea of a DMZ or Demilitarised Zone is that you can have some machines 
less secure than others :) (i.e. to allow services). You separate this so that 
your internal network isn't exposed, and generally accessing the local 
machines through the DMZ is a no-no.  However, as this is not entirely practical 
all the time (like for securing mail servers but allowing the webserver to access 
it) you can allow pinholes.  I have only used this with Smoothwall (and 
never actually seen IPCop) but it is reasonably simple through the web 
interface.  As for ping, you should be able to ping eth1 of the router but not 
eth0, unless IPCop ignores ping on the DMZ interface (also possible).

HTH (and putting on flame suit in case someone has a different opinion :P)

Quintin

On Wednesday 19 February 2003 21:10, Daniel Pearson wrote:
> Has anyone had experience with running a DMZ with IPCop? I'm running into a
> few issues, and can't seem to put my finger on what exactly is wrong.
>
> The router has 3 interfaces, eth0 (internal lan, 192.168.100.0/24), eth1
> (dmz connected by crossover, 192.168.50.1 + .2), and eth2 is the external.
>
> Now, from the router, or any machine on the network, I can ping
> 192.168.50.2, however from 50.2 I cannot ping anything on the 100 network,
> or even the router on the other end of the crossover cable. Also, when I
> edit /etc/resolv.conf on the router and put .50.2 as its nameserver, from the
> router I can then not ping anything.
>
> As a result of such, my DNS isn't working, as that resides on the DMZ
> (Debian woody 3 default install, running bind 9, apache and postfix). Has
> anyone else come across this before?
>
> Regards,
> Daniel Pearson
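
The forwarding policy the two posts describe (LAN may reach the DMZ, the DMZ may not initiate anything into the LAN unless a pinhole says so, and a DMZ host can reach the router's DMZ-side address but not its LAN-side one), written out as a small policy evaluator. This is an added illustration, not IPCop or Smoothwall code; it reuses the thread's addressing (eth0 192.168.100.0/24, eth1 192.168.50.0/24, router 192.168.50.1) and assumes a router LAN address of 192.168.100.1, a LAN mail server at 192.168.100.20 and the DMZ web/DNS box at 192.168.50.2 for the worked cases.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Iterable

LAN = ipaddress.ip_network("192.168.100.0/24")        # eth0, from the thread
DMZ = ipaddress.ip_network("192.168.50.0/24")         # eth1, from the thread
ROUTER_DMZ_IP = ipaddress.ip_address("192.168.50.1")  # router's eth1, from the thread
ROUTER_LAN_IP = ipaddress.ip_address("192.168.100.1") # assumed router eth0 address

@dataclass(frozen=True)
class Pinhole:
    """One explicitly allowed DMZ -> LAN flow (dport is None for ICMP)."""
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    """First packet of a new flow; established replies are assumed stateful."""
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def decide(pkt: Packet, pinholes: Iterable[Pinhole] = ()) -> str:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Traffic addressed to the router itself: a DMZ host only sees the DMZ-side
    # interface address, matching the "ping eth1 but not eth0" behaviour.
    if dst in (ROUTER_DMZ_IP, ROUTER_LAN_IP):
        if src in DMZ:
            return "ACCEPT" if dst == ROUTER_DMZ_IP else "DROP"
        return "ACCEPT"
    # LAN -> DMZ is open; the DMZ's replies return via connection state.
    if src in LAN and dst in DMZ:
        return "ACCEPT"
    # DMZ -> LAN is closed by default; only a matching pinhole opens it.
    if src in DMZ and dst in LAN:
        for ph in pinholes:
            if (ipaddress.ip_address(ph.src), ipaddress.ip_address(ph.dst),
                    ph.proto, ph.dport) == (src, dst, pkt.proto, pkt.dport):
                return "ACCEPT"
        return "DROP"
    return "DROP"  # anything else (e.g. spoofed zones) is dropped

# Constructed pinhole: the DMZ webserver may submit mail to the LAN mail server.
WEB_TO_MAIL = [Pinhole("192.168.50.2", "192.168.100.20", "tcp", 25)]
```

Evaluating `Packet("192.168.50.2", "192.168.100.10", "icmp")` gives DROP, which is exactly the symptom in the original question, while the same ping from the LAN side to 192.168.50.2 is accepted.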
