Re: 3-legged firewalls, routing between legs, the "DMZ"

From: "Berk S. Daemon" <>
Date: Sun, 03 Feb 2002 07:25:16 GMT

"Chris" <> wrote in message
> Based on suggestions and reading from these newsgroups, I have decided to
> implement a three-legged firewall using OpenBSD, NAT, and PF for our
> company.
> The setup should be familiar:
> internal network (nat)---- nic1 - OpenBSD Firewall - nic2 -------- "DMZ"
>                                          |
>                                         nic3
>                                          |
>                                          |
>                                          |
>                                          |
> I'm putting the "DMZ" in quotes because as I understand it, this is not
> like a traditional DMZ-- the machines there will be more open, but will
> still be using internal IP addresses, with packets directed to them by the
> firewall.
> The internal network will be staff workstations, including office users and
> developers; the DMZ will be web, email, Exchange, SQL Server, and MySQL
> servers.
> My question is about routing between the workstations and the DMZ. Is it an
> unacceptable risk to open up the traffic so that those two legs can talk to
> each other without any interference? Or should I create rules for each
> service and for each station for each need (shared drives, developers'
> source control and speaking to the db servers, etc.)?
> Also, are there any machines that need to be completely outside of the
> firewall? It seems like there is almost no need for a traditional DMZ with
> routable IP addresses anymore, except possibly for some videoconferencing
> applications.

In my opinion, seeing as you understand what a "DMZ" is, I'd still recommend
making a separate 'perimeter network' if possible.

If not, then maybe look into doing transparent bridging, have DMZ behind
that as well as NAT Router behind it or on DMZ as well.

As an example, if you were to setup the NAT Router on the DMZ don't allow
inbound traffic to the NAT router, only outbound with keep state. In
essence, running two firewalls, one on the bridge as the main choke point
and one on the NAT Router.

Transparent Bridging Firewalls certainly give you a lot of potential.
At least this way you can still run your 'public' services on a 'public'
network behind a firewall still. See, if you think about it... If somehow
that NAT Router/Firewall gets compromised, that's it! The whole network is
theirs from the NAT box itself! Internal/External and if they gain root,
then it's open to the world - ipf -D / pfctl -d or what not...

Transparent Bridging Firewall (+ NAT Router behind it too) you get the best
of both worlds. No need to run public services on or behind NAT (just use
your normal block of non-RFC 1918 IPs) with the beauty of knowing that the
main firewall in and of itself is 99.9% uncompromisable but the NAT Router,
well, there's still always a chance but the bridge will still protect ports
you specify regardless of the NAT box being compromised.

I hope I made sense here, and I'm not trying to tell you what to do or that
anything is wrong with your setup but rather just maybe some ideas you
should consider for additional security.

PS: Sorry, I had one too many beers if I am unclear in my writing... ;-)
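As an added illustration (not from Berk's post), here is what the two rulesets he sketches could look like in the pf.conf syntax of that era (OpenBSD 3.x, bridge members joined with brconfig, pf filtering on the member interfaces). Interface names, the 192.0.2.x "public" block and the 10.0.0.0/24 workstation net are assumed placeholders, not real allocations.

```pf
# ===== /etc/pf.conf on the bridge (main choke point; no IP address of its own) =====
# bridge0 = em0 (toward the upstream router) + em1 (toward the public segment
# holding the DMZ servers and the NAT router's outside interface).
ext_if   = "em0"
dmz_if   = "em1"
web_srv  = "192.0.2.10"                 # public web server (placeholder)
mail_srv = "192.0.2.11"                 # public mail server (placeholder)
nat_box  = "192.0.2.20"                 # NAT router's outside address (placeholder)

scrub in all

# All policy lives on $ext_if so both directions of a flow hit the same
# interface and the same state entry; the inner member just passes everything.
pass quick on $dmz_if all
block in  log on $ext_if all
block out log on $ext_if all

# Inbound: only the published services. Nothing at all is passed to the NAT box.
pass in on $ext_if proto tcp from any to $web_srv  port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25           flags S/SA keep state

# Outbound: DMZ hosts and the NAT box may originate connections; replies ride
# the state entry. Even if the NAT box is rooted and its filter is disabled,
# this ruleset still decides what can reach it from outside.
pass out on $ext_if proto tcp from { $web_srv, $mail_srv, $nat_box } to any flags S/SA keep state
pass out on $ext_if proto udp from { $web_srv, $mail_srv, $nat_box } to any keep state

# ===== /etc/pf.conf on the NAT router (outside leg on the public segment) =====
ext_if  = "fxp0"                        # outside interface, holds 192.0.2.20
int_if  = "fxp1"                        # inside interface
int_net = "10.0.0.0/24"                 # RFC 1918 workstations (placeholder)

# Translation rules must precede filter rules in this pf generation.
nat on $ext_if from $int_net to any -> 192.0.2.20

# Default deny: the outside interface accepts nothing it did not initiate,
# so the only traffic through the NAT box is outbound with keep state.
block in log all
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

Load each file on its own box with pfctl -f /etc/pf.conf; the bridge ruleset is the one that keeps working if the NAT router is lost.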
