Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: DMZ systems having internal IP, ok or not?
Special Forums Cybersecurity DMZ systems having internal IP, ok or not? Post 302544475 by Yeaboem on Thursday 4th of August 2011 12:56:41 AM
Old 08-04-2011
OK, you ask a general question, you'll get a general answer.

Yes, If you're using a single NIC, you can configure any IP addresses you want on the DMZ servers - but that doesn't mean you'll necessarily be able to pass traffic to/from those IPs. The firewall rules all.

Unless you are planning to subnet a portion of your 10.1.1.x space as a second DMZ, from the firewall's perspective, I don't see any good reason to multihome your DMZ hosts with internal IPs. If you're using separate NICs for the 192.168.1 and 10.1.1 connections to the DMZ hosts, you're bypassing the firewall and inviting doom.

Hosts providing services on a DMZ should only have IPs in the DMZ address space, and have access controlled by the firewall rules. Strictly speaking, you're right that DMZ hosts should not be able to initiate connections to internal IPs, but it is common practice to find sites permitting NTP, syslog, and plenty of other holes punched through firewall to inside systems. There's always a risk assessment done.
 

9 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Forwarding internal internet packets to internal webserver using iptables

Hi, I need to redirect internal internet requests to a auth client site siting on the gateway. Currently users that are authenticated to access the internet have there mac address listed in the FORWARD chain. All other users need to be redirected to a internal site for authentication. Can... (1 Reply)
Discussion started by: mshindo
1 Replies

2. Linux

routing rules for dmz in debian router.

Hi to all. There are eth0(wan) eth1(lan) and eth3(dmz) in my debian router. In dmz is planing dns, ad, dhcp, smtp/pop/imap, https(web-based imap client). I don't configured rules on "iptables" and "route" loads for right relation lan clients with dmz services. Please explain me example... (0 Replies)
Discussion started by: sotich82
0 Replies

3. UNIX for Advanced & Expert Users

How do you manage your DMZ server accounts?

I'd just like to know what you use for user account management on your DMZ servers? Do you use the same authentication realm as internally? Do you use a different authentication realm, perhaps only for the DMZ? Do you use local accounts? (2 Replies)
Discussion started by: humbletech99
2 Replies

4. Solaris

Setting up a DMZ webserver using Zones

I've been looking at various articles about Zones/Containers, from SUN's website, and through numerous Google searches, and although there's a lot of info out there, I've not got a definitive answer for what I'd like to do.....so here we go..... I'm installing a webserver, which is sitting on a... (3 Replies)
Discussion started by: in2deep
3 Replies

5. Shell Programming and Scripting

SFTP and DMZ boxes

Hi I would like write a script that will do sftp frm a box that resides inside the FW to a box that resides in DMZ.Any ideas guys.I tried generating rsa keys for a particular user, however just want to know is there any other solution or not. Your help is much appreciated. Thanks CK (2 Replies)
Discussion started by: coolkid
2 Replies

6. What is on Your Mind?

From Systems Admin to Systems Eng.

I have been wondering how do Systems Administrators do the jump into Systems Engineering? Is it only a matter of time and experience or could I actually help myself get there? Opinions? Books I could read? Thanks a lot for your help! (0 Replies)
Discussion started by: svalenciatech
0 Replies

7. Shell Programming and Scripting

Create new users in DMZ box using script

I remote to many DMZ boxes every day to run batch file that allows me to create users. I create users in 17 DMZ boxes every day which takes a lot of my time. Is there any script that would do this job from my local computer? Thank you for your help! (3 Replies)
Discussion started by: idiazza
3 Replies

8. UNIX and Linux Applications

One DMZ server reverse proxy for 2 websites

Hi All, Hope this is the correct thread to ask this, if not, can an admin please move it to the correct thread. Got a wee problem I hope someone can point me in the right direction. I have Network A with two servers hosting separate webpages (I will call these WP1 & WP2). A DMZ server... (6 Replies)
Discussion started by: dakelly
6 Replies

9. UNIX for Beginners Questions & Answers

Sendmail - issue within DMZ for some servers but not all

Hi All, I have a strange issue and I am not sure where the problem lies. I have about six Ubuntu servers on our DMZ two of which were built on 18.04 from scratch the others were upgraded to 18.04 from 16.04. The servers built from scratch can send emails from the server via sendmail fine, so... (4 Replies)
Discussion started by: dakelly
4 Replies

LEARN ABOUT CENTOS

firewalld.conf

FIREWALLD.CONF(5)						  firewalld.conf						 FIREWALLD.CONF(5)

NAME

       firewalld.conf - firewalld configuration file

SYNOPSIS

       /etc/firewalld/firewalld.conf

DESCRIPTION

       firewalld.conf is loaded by firewalld during the initialization process. The file contains the basic configuration options for firewalld.

OPTIONS

       These are the options that can be set in the config file:

       DefaultZone
	   This sets the default zone for connections or interfaces if the zone is not selected or specified by NetworkManager, initscripts or
	   command line tool. The default zone is public.

       MinimalMark
	   For some firewall settings several rules are needed in different tables to be able to handle packets in the correct way. To achieve
	   that these packets are marked using the MARK target iptables(8) and ip6tables(8). With the MinimalMark option a block of marks can be
	   reserved for private use; only marks over this value are used. The default MinimalMark value is 100.

       CleanupOnExit
	   If firewalld stops, it cleans up all firewall rules. Setting this option to no or false leaves the current firewall rules untouched.
	   The default value is yes or true.

       Lockdown
	   If this option is enabled, firewall changes with the D-Bus interface will be limited to applications that are listed in the lockdown
	   whitelist (see firewalld.lockdownwhitelist(5)). The default value is no or false.

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5),
       firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5),
       firewalld.zones(5)

NOTES

       firewalld home page at fedorahosted.org:
	   http://fedorahosted.org/firewalld/

       More documentation with examples:
	   http://fedoraproject.org/wiki/FirewallD

AUTHORS

       Thomas Woerner <twoerner@redhat.com>
	   Developer

       Jiri Popelka <jpopelka@redhat.com>
	   Developer

firewalld 0.3.9 														 FIREWALLD.CONF(5)
All times are GMT -4. The time now is 08:01 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy