At 9:39 AM +0100 11/30/05, Cornelius Jaeger wrote:
> hi dan,
>> But you're tunneling through it. Makes the whole concept moot.
> no i'm not.
> i have two (2) lines to the internet.
> one for the dmz, the other for the lan.
> the lan gateway is not in the dmz.
> i hope you can open pdf's and that the diagram clarifies.
The diagram seems suspect. Ken points out some of these points in his message.
Another biggie is how the WAN side of this diagram is configured, and,
very importantly, is the WAN side the same network (i.e. subnet)??
We'll also make some presumptions, unless you clarify:
The "DMZ Firewall" is your 3Com router with a DMZ segment. (It would
of course really be helpful to know what model this is as many "DMZ"
thingies in such devices really aren't and are only just a sink for
all traffic not mapped.)
Your DMZ hosts have static, public IP addresses.
First a couple of "understandings" need to be calcified:
A "Cable Modem" is always "stupid" in the sense that it doesn't do
DHCP or NAT. If it did it would be a different device, or a more
complete device. But a modem does just what it implies.
A DMZ is designed to be quartered off from your LAN, that is, it's a
whole separate network segment. Traffic should only be permitted
between the outside world and these hosts ONLY.
Packets destined for your DMZ hosts, which you state have static,
public IP addresses, will get routed through the magic of the
Internet from that warm fuzzy cloud to the 3Com router b/c they're
not the IP address being served by the cable modem, hence you should
have no packets destined for those hosts ever appearing at the XServe
in that picture acting as your LAN gateway.
If traffic destined for DMZ hosts appears on your LAN at all, you have
invalidated the whole reason for having a DMZ, namely that you're
keeping traffic separate on the two discrete networks.
Now, what is it you think you're trying to do again???
If you're trying to say that packets "coming in" to the XServe from
the Internet should be revectored through the LAN to the DMZ segment,
you have a very serious breach of your DMZ.
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.iwiring.net/
email@hidden http://www.ustsvs.com/
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden
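The two checks Dan asks for above (are the DMZ hosts addressed out of a different WAN subnet than the LAN uplink, and does any DMZ-addressed traffic ever show up at the Xserve acting as LAN gateway) can be turned into a small audit. This is an added example, not code from the thread; all addresses are constructed from RFC 5737 documentation ranges, and the tcpdump-style lines are constructed samples.

```python
import ipaddress
import re

# Constructed topology (RFC 5737 documentation ranges; substitute your own).
DMZ_UPLINK = ipaddress.ip_network("203.0.113.0/28")   # public block behind the 3Com router
LAN_UPLINK = ipaddress.ip_network("198.51.100.0/24")  # subnet the cable modem serves to the Xserve
DMZ_HOSTS = {"203.0.113.5", "203.0.113.6"}            # static public addresses of the DMZ hosts
LAN_NET = ipaddress.ip_network("192.168.1.0/24")      # private LAN behind the Xserve


def dmz_addressing_is_separate(dmz_hosts=DMZ_HOSTS, dmz_uplink=DMZ_UPLINK, lan_uplink=LAN_UPLINK):
    """Check 1: the DMZ hosts must live in the DMZ uplink's subnet, which must
    not overlap the LAN uplink's subnet. If they shared a subnet the ISP could
    deliver DMZ-bound packets toward the cable modem, i.e. to the Xserve."""
    if dmz_uplink.overlaps(lan_uplink):
        return False
    return all(ipaddress.ip_address(h) in dmz_uplink for h in dmz_hosts)


def flow_verdict(src, dst, dmz_hosts=DMZ_HOSTS, lan_net=LAN_NET):
    """Check 2: verdict for one flow seen on the LAN gateway. Any packet to or
    from a DMZ host on this box means DMZ traffic is crossing the LAN, which is
    exactly the separation the DMZ exists to provide."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dmz = {ipaddress.ip_address(h) for h in dmz_hosts}
    if src in dmz or dst in dmz:
        return "DMZ_BREACH"
    if src in lan_net or dst in lan_net:
        return "OK"
    return "UNEXPECTED"  # neither LAN nor DMZ: not a flow this gateway should carry


# Matches "IP <src>.<port> > <dst>.<port>:" as tcpdump prints IPv4 flows.
LINE_RE = re.compile(r"^IP (\S+?)\.\d+ > (\S+?)\.\d+:")


def audit_capture(lines):
    """Return [(line, verdict)] for every parsed flow that is not OK."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            verdict = flow_verdict(*m.groups())
            if verdict != "OK":
                findings.append((line.strip(), verdict))
    return findings


SAMPLE_CAPTURE = [  # constructed lines, as if captured on the Xserve
    "IP 192.168.1.20.49152 > 198.51.100.200.80: Flags [S]",  # LAN client to the Internet: fine
    "IP 192.168.1.20.49153 > 203.0.113.5.80: Flags [S]",     # LAN client reaching a DMZ host through the Xserve
    "IP 198.51.100.200.3456 > 203.0.113.6.25: Flags [S]",    # Internet packet for a DMZ host arriving at the Xserve
]

if __name__ == "__main__":
    print("addressing separate:", dmz_addressing_is_separate())
    for line, verdict in audit_capture(SAMPLE_CAPTURE):
        print(verdict, line)
```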