Ok, sounds like put the class C on the DMZ or peripheral net and
masquerade to the internal net. I'll give it a try.
Henry Hollenberg speed @ barney . iamerica . net
On Tue, 24 Feb 1998, Bennett Todd wrote:
> >I was wondering how I should set up the IP networks for a screened subnet
> >type firewall. I have a single class C and am setting up a domain now.
> >I was wondering if I should split my class C in two with subnetting and
> >put half the IP's on the perimeter net (DMZ) and half on my internal net.
>
> How to assign IP addresses goes right along with the other
> implementation decisions in setting up your firewall; you have various
> choices, and they have implementation costs, user convenience costs,
> security features, and resource consumption features.
>
> For instance, in the settings where I've worked, a good choice seems to
> be using RFC 1918 addresses throughout the inside, and doing masquerade
> and/or NAT on the borders; this just conserves publicly-routable IP
> address space, an increasingly precious commodity.
>
> However, if I were setting up a firewall at e.g. an ISP, I'd only be
> using RFC addresses for the admin net (which would lie behind a real
> muscular firewall) and would leave the large bulk of the machines out
> with publicly-routable addresses, behind nothing but a screening router.
> Actually, that'd still look like my favourite layout, only with most of
> the iron in the DMZ.
>
> Basically, if a machine tends to need direct connectivity to the
> internet --- e.g. because it's a firewall, or a public server --- then
> put it in publicly-addressable space; if it doesn't need it, don't
> waste that space. At least that's how I tend to want to lay out nets.
>
> -Bennett
>
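The two layouts discussed in this thread, modelled as an added example that is not from either poster: the original question's plan (one class C subnetted into two /25s, half DMZ and half inside) beside Bennett's preferred plan (the whole class C on the DMZ, RFC 1918 space inside, masqueraded at the border). The `screen()` function is a hypothetical screening-router policy for a screened subnet: it drops packets from the outside that claim one of our own or an RFC 1918 source, refuses inbound traffic to the inside net, and only admits traffic to DMZ hosts; `egress_source()` shows what the outside sees once the firewall masquerades an RFC 1918 source. The prefixes 192.0.2.0/24 and 203.0.113.0/24 are documentation space standing in for the poster's class C and an arbitrary internet host; all function names and the inside prefix 10.0.0.0/24 are assumptions for this example.

```python
"""Screened-subnet address plans and a screening-router filter.

Hypothetical example written for this thread; all prefixes are constructed
(192.0.2.0/24 is documentation space standing in for the poster's class C).
"""
import ipaddress
from typing import Dict

# RFC 1918 private space: must never appear as a source on the outside.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Plan = Dict[str, ipaddress.IPv4Network]


def plan_split_class_c(public_cidr: str) -> Plan:
    """Layout from the original question: subnet the /24 into two /25s,
    one half on the DMZ and one half on the inside. Both halves burn
    publicly-routable space, but no NAT is needed."""
    net = ipaddress.ip_network(public_cidr)
    if net.prefixlen != 24:
        raise ValueError("expected a /24 (class C)")
    dmz, inside = net.subnets(new_prefix=25)
    return {"dmz": dmz, "inside": inside}


def plan_rfc1918_inside(public_cidr: str, inside_cidr: str = "10.0.0.0/24") -> Plan:
    """Bennett's preferred layout: the whole class C stays on the DMZ for
    hosts that need direct reachability; the inside uses RFC 1918 space
    behind masquerade/NAT on the firewall. (10.0.0.0/24 is an assumed
    inside prefix, not from the thread.)"""
    inside = ipaddress.ip_network(inside_cidr)
    if not any(inside.subnet_of(r) for r in RFC1918):
        raise ValueError(f"{inside} is not RFC 1918 space")
    return {"dmz": ipaddress.ip_network(public_cidr), "inside": inside}


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in r for r in RFC1918)


def screen(plan: Plan, src: str, dst: str, ingress: str) -> str:
    """Screening-router verdict for one packet.

    ingress is the interface the packet arrived on: 'outside', 'dmz' or
    'inside'. Returns 'accept' or a 'drop: <reason>' string.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dmz, inside = plan["dmz"], plan["inside"]

    if ingress == "outside":
        # Anti-spoofing: nothing from the internet may claim to be one of
        # our addresses, nor carry a private source address.
        if s in dmz or s in inside or is_rfc1918(s):
            return "drop: spoofed source"
        # The inside net is never directly reachable from the internet,
        # whether it holds public (split plan) or RFC 1918 addresses.
        if d in inside or is_rfc1918(d):
            return "drop: inside not reachable from outside"
        if d in dmz:
            return "accept"
        return "drop: destination not ours"

    if ingress == "dmz":
        if s not in dmz:
            return "drop: spoofed source"
        # A compromised DMZ host must not get a free path to the inside.
        if d in inside:
            return "drop: dmz may not initiate to inside"
        return "accept"

    if ingress == "inside":
        if s not in inside:
            return "drop: spoofed source"
        return "accept"  # leaves via the border, masqueraded if RFC 1918

    raise ValueError(f"unknown interface {ingress!r}")


def egress_source(src: str, firewall_public: str) -> ipaddress.IPv4Address:
    """What the outside sees as the source of an inside-originated packet.
    RFC 1918 sources are masqueraded to the firewall's public address; a
    public inside half (split plan) is routed as-is."""
    s = ipaddress.ip_address(src)
    return ipaddress.ip_address(firewall_public) if is_rfc1918(s) else s


if __name__ == "__main__":
    split = plan_split_class_c("192.0.2.0/24")
    nat = plan_rfc1918_inside("192.0.2.0/24")
    print("split plan:", split)
    print("nat plan:  ", nat)
    print(screen(split, "203.0.113.5", "192.0.2.10", "outside"))   # accept
    print(screen(split, "203.0.113.5", "192.0.2.200", "outside"))  # drop
    print(screen(nat, "10.0.0.7", "203.0.113.5", "inside"))        # accept
    print(egress_source("10.0.0.7", "192.0.2.1"))                   # 192.0.2.1
```

The `ingress == "outside"` branch is the part that matters most on a screened subnet: without the spoofed-source check, an outside host can forge a packet with an inside or DMZ source and reach anything the rest of the policy trusts by address.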