Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: DMZ systems having internal IP, ok or not?
Special Forums Cybersecurity DMZ systems having internal IP, ok or not? Post 302544475 by Yeaboem on Thursday 4th of August 2011 12:56:41 AM
Old 08-04-2011
OK, you ask a general question, you'll get a general answer.

Yes, If you're using a single NIC, you can configure any IP addresses you want on the DMZ servers - but that doesn't mean you'll necessarily be able to pass traffic to/from those IPs. The firewall rules all.

Unless you are planning to subnet a portion of your 10.1.1.x space as a second DMZ, from the firewall's perspective, I don't see any good reason to multihome your DMZ hosts with internal IPs. If you're using separate NICs for the 192.168.1 and 10.1.1 connections to the DMZ hosts, you're bypassing the firewall and inviting doom.

Hosts providing services on a DMZ should only have IPs in the DMZ address space, and have access controlled by the firewall rules. Strictly speaking, you're right that DMZ hosts should not be able to initiate connections to internal IPs, but it is common practice to find sites permitting NTP, syslog, and plenty of other holes punched through firewall to inside systems. There's always a risk assessment done.
 

9 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Forwarding internal internet packets to internal webserver using iptables

Hi, I need to redirect internal internet requests to a auth client site siting on the gateway. Currently users that are authenticated to access the internet have there mac address listed in the FORWARD chain. All other users need to be redirected to a internal site for authentication. Can... (1 Reply)
Discussion started by: mshindo
1 Replies

2. Linux

routing rules for dmz in debian router.

Hi to all. There are eth0(wan) eth1(lan) and eth3(dmz) in my debian router. In dmz is planing dns, ad, dhcp, smtp/pop/imap, https(web-based imap client). I don't configured rules on "iptables" and "route" loads for right relation lan clients with dmz services. Please explain me example... (0 Replies)
Discussion started by: sotich82
0 Replies

3. UNIX for Advanced & Expert Users

How do you manage your DMZ server accounts?

I'd just like to know what you use for user account management on your DMZ servers? Do you use the same authentication realm as internally? Do you use a different authentication realm, perhaps only for the DMZ? Do you use local accounts? (2 Replies)
Discussion started by: humbletech99
2 Replies

4. Solaris

Setting up a DMZ webserver using Zones

I've been looking at various articles about Zones/Containers, from SUN's website, and through numerous Google searches, and although there's a lot of info out there, I've not got a definitive answer for what I'd like to do.....so here we go..... I'm installing a webserver, which is sitting on a... (3 Replies)
Discussion started by: in2deep
3 Replies

5. Shell Programming and Scripting

SFTP and DMZ boxes

Hi I would like write a script that will do sftp frm a box that resides inside the FW to a box that resides in DMZ.Any ideas guys.I tried generating rsa keys for a particular user, however just want to know is there any other solution or not. Your help is much appreciated. Thanks CK (2 Replies)
Discussion started by: coolkid
2 Replies

6. What is on Your Mind?

From Systems Admin to Systems Eng.

I have been wondering how do Systems Administrators do the jump into Systems Engineering? Is it only a matter of time and experience or could I actually help myself get there? Opinions? Books I could read? Thanks a lot for your help! (0 Replies)
Discussion started by: svalenciatech
0 Replies

7. Shell Programming and Scripting

Create new users in DMZ box using script

I remote to many DMZ boxes every day to run batch file that allows me to create users. I create users in 17 DMZ boxes every day which takes a lot of my time. Is there any script that would do this job from my local computer? Thank you for your help! (3 Replies)
Discussion started by: idiazza
3 Replies

8. UNIX and Linux Applications

One DMZ server reverse proxy for 2 websites

Hi All, Hope this is the correct thread to ask this, if not, can an admin please move it to the correct thread. Got a wee problem I hope someone can point me in the right direction. I have Network A with two servers hosting separate webpages (I will call these WP1 & WP2). A DMZ server... (6 Replies)
Discussion started by: dakelly
6 Replies

9. UNIX for Beginners Questions & Answers

Sendmail - issue within DMZ for some servers but not all

Hi All, I have a strange issue and I am not sure where the problem lies. I have about six Ubuntu servers on our DMZ two of which were built on 18.04 from scratch the others were upgraded to 18.04 from 16.04. The servers built from scratch can send emails from the server via sendmail fine, so... (4 Replies)
Discussion started by: dakelly
4 Replies

LEARN ABOUT DEBIAN

ffproxy.conf

ffproxy.conf(5) 					      BSD File Formats Manual						   ffproxy.conf(5)

NAME

     ffproxy.conf -- filtering HTTP/HTTPS proxy server configuration file

DESCRIPTION

     ffproxy is a filtering HTTP/HTTPS proxy server.  It is able to filter by host, URL, and header.  Custom header entries can be filtered and
     added.  It can even drop its privileges and optionally chroot(2) to some directory.  Logging to syslog(3) is supported, as is using another
     auxiliary proxy server.  An HTTP accelerator feature (acting as a front-end to an HTTP server) is included.  Contacting IPv6 servers as well
     as binding to IPv6 is supported and allows transparent IPv6 over IPv4 browsing (and vice versa).

     This manual describes how to use configuration files with the program and documents the options.

USING CONFIGURATION FILES

   Default ffproxy.conf
     If the command line parameters -f or -F are not used, the proxy tries to open /etc/ffproxy/ffproxy.conf.  If this file does not exist, the
     program continues execution.

   User Configuration File
     Use command line parameter -f to load a non-default configuration file.  You will notice the warning at the program's startup.  This is due
     to the programs implementation that allows one to reload all configuration files.	To disable the warning, use -F instead.

   Deactivating
     To use command line options only, use -f "".

   Reloading Configuration
     To let the proxy reload its configuration files, that is, besides the configuration file specified, the contents of db/ and html/, send the
     signal HUP to the program's master process. ffproxy pid can be found by default in file /var/run/ffproxy.pid, you can override /var/run
     directory with command line parameter -n or with pid_dir setting in config file.

     Options that can be successfully altered at runtime are

	   child_processes
	   use_ipv6
	   use_syslog
	   log_all_requests
	   forward_proxy
	   forward_proxy_port
	   forward_proxy_ipv6
	   accel_host
	   accel_port
	   accel_user_host
	   use_keep_alive
	   unrestricted_connect
	   timeout_connect
	   backlog_size

     Set `accel_port 0' or `forward_proxy_port 0' to explicitly disable acceleration or auxiliary proxy.  Commenting out options is not suffi-
     cient, since configuration options may only overwritten.

     Changes to other options not mentioned above get silently ignored.

CONFIGURATION OPTIONS

     #
     # lines starting with '#' are comments
     #

     # run as daemon?
     # (default: no)
     #daemonize yes
     #daemonize no

     # number of child processes,
     # that is, the maximum number of concurrent requests
     # (default: 10)
     #child_processes 10

     # ffproxy binds to any IPv4 address
     # and any IPv6 address by default
     #
     # bind to IPv4?  (default: yes)
     #bind_ipv4 no
     #bind_ipv4 yes
     # bind to IPv6?  (default: yes)
     #bind_ipv6 no
     #bind_ipv6 yes
     #
     # Hostname or IP to bind to
     # (default is any IP)
     #
     #bind_ipv4_host 192.168.10.1
     #bind_ipv4_host martyr.burden.eu.org
     #bind_ipv6_host ::1
     #bind_ipv6_host oz.burden.eu.org

     # listen on port
     # (default: 8080)
     #port 1111
     #port 8080

     # use IPv6 when contacting servers?
     # (default: yes)
     #use_ipv6 no
     #use_ipv6 yes

     # use syslog?
     # (default: yes)
     #use_syslog no
     #use_syslog yes

     # log all requests?
     # (default: no)
     # to use, set also use_syslog to yes
     #log_all_requests yes
     #log_all_requests no

     # change UID and GID
     #
     # to use, both uid and gid must be set
     # (disabled by default)
     #uid proxy
     #gid proxy
     #uid 37
     #gid 38

     # change root to (only in connection with uid and gid change)
     #	 /etc/resolv.conf might need to be copied
     #	 to chroot_dir/etc/resolv.conf
     # (disabled by default)
     #chroot_dir /usr/share/ffproxy

     # forward to proxy (auxiliary proxy)
     # (set `forward_proxy_port 0' to explicitly disable feature
     #	(i.e, when reloading configuration file via SIGHUP))
     # (disabled by default)
     #forward_proxy blackness.burden.eu.org
     #forward_proxy 192.168.10.5
     #forward_proxy ::1
     #forward_proxy_port 8082
     #forward_proxy_port 0

     # try IPv6 for auxiliary proxy?
     # use_ipv6 must be set to yes, too
     # (default: yes)
     #forward_proxy_ipv6 no
     #forward_proxy_ipv6 yes

     # path to db/ and html/ directories
     # (default: /usr/share/ffproxy)
     # (Note: if ffproxy runs chrooted,
     #	give a path name relative to new root, or,
     #	if db_files_path is the same as root, use db_files_path ./
     #	You have to start ffproxy in the new root directory,
     #	otherwise it won't find the database files.
     #	Please keep in mind that ffproxy's config file has to
     #	be within chroot directory, otherwise it will not find
     #	its config file on reload)
     #db_files_path ./
     #db_files_path /usr/share/ffproxy

     # http accelerator
     # (disabled by default)
     #
     # if you want to use ffproxy as http accelerator (that is, connecting
     # to just one http server and beeing used as front-end to that, e.g.
     # in DMZ) uncomments options below (port is optional, defaults to 80)
     # (set `accel_port 0' to explicitly disable feature
     #	(i.e, when reloading configuration file via SIGHUP))
     #accel_host 10.254.1.2
     #accel_host revelation.martyr.eu.org
     #accel_port 80
     #accel_port 0
     #
     # Omit Host: accel_host:accel_port in Header
     # to provide own Host: header via db/filter.header.add?
     # (default: yes)
     #accel_user_host no
     #accel_user_host yes

     # keep alive on client to proxy connections
     # (enabled by default)
     #use_keep_alive no
     #use_keep_alive yes

     # allow CONNECT request to other than port 443 (HTTPS)
     # (CONNECT enables HTTPS proxying)
     # (disabled by default for security)
     #unrestricted_connect yes
     #unrestricted_connect no

     # timeout for CONNECT requests in seconds
     # (default: 5)
     #timeout_connect 20
     #timeout_connect 5

     # backlog size for accept()
     # (default: 4)
     #backlog_size 16
     #backlog_size 4

     # directory to store file ffproxy.pid (with ffproxy pid inside)
     # (default: /var/run)
     #pid_dir /tmp
     #pid_dir /var/run

VERSION

     This manual documents ffproxy 1.6 (2005-01-05).

FILES

     /etc/ffproxy/ffproxy.conf default configuration file

     sample.config sample configuration file

SEE ALSO

     ffproxy(8), ffproxy.quick(7), regex(7), re_format(7), syslogd(8), chroot(2), kill(1)

								    Jan 5, 2005
All times are GMT -4. The time now is 06:11 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy