LinuxQuestions.org
Old 12-07-2011, 04:47 AM   #1
5pike
LQ Newbie
 
Registered: Dec 2005
Distribution: Gentoo
Posts: 6

Rep: Reputation: 0
General question about DMZ and NAT


Hi all,

I have a DMZ with two firewalls (Zentyal). The second one protects the LAN from the internet and DMZ. My question is, should the second firewall mark the DMZ interface as "External" and therefore be doing NAT? Or should I mark it as "Internal" and create the required rules in the firewall?

Many thanks,
Andy
 
Old 12-07-2011, 05:14 AM   #2
zooppoop
LQ Newbie
 
Registered: Aug 2005
Posts: 12

Rep: Reputation: 1
I think you are going to have to provide more details on what you are doing and what you want an answer to. I have not dealt with a Zentyal firewall before so not sure if there are some special requirements. But in general you should not have to NAT unless you design your network in a way that requires it, e.g. you are using a private network and trying to talk to the internet. There are many different NAT examples. Then as far as DMZ, Internal, External: these are just labels, you can call it whatever you like normally. Personally if this was my network I would probably use 1 firewall(s) with three interfaces: one Internet facing, one for your DMZ and one for the rest of your LAN, the 1 firewall(s) being a redundant pair. Let us know a little more information on what you are looking for.
 
1 member found this post helpful.
Old 12-07-2011, 03:12 PM   #3
jefro
Guru
 
Registered: Mar 2008
Posts: 10,991

Rep: Reputation: 1355
I think you have a software distribution that can act as a few devices.

Zentyal Linux small business server can be configured as a Gateway, Unified Threat Manager (UTM), Infrastructure Manager, Office Server, Unified Communications Server or a combination of them.

For the most part you would never want to use a DMZ. In a normal setup, you set some nic as the external nic. Then you set one or more as internal. Between the two you configure the firewall and rules and logs and such so that the two connect.
 
1 member found this post helpful.
Old 12-08-2011, 06:48 AM   #4
5pike
LQ Newbie
 
Registered: Dec 2005
Distribution: Gentoo
Posts: 6

Original Poster
Rep: Reputation: 0
Hi chaps,

Thanks both for your replies. So if I understand correctly, it doesn't really matter / it's a design choice? What are the pros and cons? I'm guessing it uses more resources to do NAT the whole time but provides a bit more security by way of hiding protected computers' IP addresses etc.?

I currently have the DMZ interface on the second-layer firewall marked as "External" which automatically does NAT and implements the firewall rules. I think I would prefer to mark it as "Internal" (no changes) and manually enter the firewall rules with no NAT. Do you see any problems with this or should I keep the NAT?

Greatly appreciate your input and opinions.

Cheers,
Andy
 
Old 12-08-2011, 06:36 PM   #5
zooppoop
LQ Newbie
 
Registered: Aug 2005
Posts: 12

Rep: Reputation: 1
Yes it is a design choice. I am still not sure about your design and what you are doing. To really give an answer I need to understand your IP addressing. Are you using all public IPs or using private IPs? If you are using all public IPs for your computers there is in my "opinion" no reason to do NAT. Some people like it though as they feel more secure with it. Do as you wish. If you are using private IPs you are going to have to do NAT to get to the Internet, but at that point you do not have to do NAT to your DMZ. Your DMZ can route between the private network and public network without using NAT. NAT can be troublesome for some protocols, but if you prefer the "security" of NAT then you might want it.

Good luck.
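As an added example (not from the thread and not Zentyal's own configuration), the following Python model contrasts the two designs discussed in posts #4 and #5 for the second-layer firewall (fw2) between the DMZ and the LAN: DMZ interface marked "External" (fw2 masquerades LAN traffic and the DMZ cannot open connections inward) versus "Internal" (fw2 routes without NAT and only explicitly listed flows pass). It decides what fw2 does with a new connection, reports which source address the receiving host sees, and renders an illustrative nftables ruleset for each design. The addresses, interface names and allowed services are constructed assumptions.

```python
"""Model of a second-layer firewall (fw2) between a DMZ and a LAN, with the
DMZ-facing interface treated either as "External" (NAT gateway) or as
"Internal" (plain routing with explicit forward rules, no NAT).

Added example; all addresses, interface names and services are assumptions.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.10.0/24")    # assumed LAN behind fw2
DMZ = ipaddress.ip_network("192.168.100.0/24")   # assumed DMZ between fw1 and fw2
FW2_DMZ_ADDR = "192.168.100.2"                   # assumed fw2 address on the DMZ
IF_LAN, IF_DMZ = "eth_lan", "eth_dmz"            # assumed interface names


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Explicit forward rules for the "Internal" design (default policy: drop).
# Tuple: (source network, destination network, protocol, destination port).
FORWARD_RULES = [
    (LAN, DMZ, "tcp", 80),     # LAN browses the DMZ web server
    (LAN, DMZ, "tcp", 443),
    (DMZ, LAN, "tcp", 5432),   # DMZ web app reaches an assumed LAN database
]


def evaluate(pkt: Packet, dmz_as_external: bool):
    """Decide what fw2 does with a new connection and which source address the
    receiving host will see. Returns (verdict, source_seen_by_receiver)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if dmz_as_external:
        # NAT gateway behaviour: the LAN may open connections outward and its
        # hosts are hidden behind FW2_DMZ_ADDR; new connections arriving from
        # the DMZ have no translation entry and are dropped.
        if src in LAN and dst in DMZ:
            return "accept", FW2_DMZ_ADDR
        return "drop", None
    # Plain routing: no translation, so the real source address is visible,
    # and only explicitly permitted flows pass in either direction.
    for s_net, d_net, proto, port in FORWARD_RULES:
        if src in s_net and dst in d_net and pkt.proto == proto and pkt.dport == port:
            return "accept", pkt.src
    return "drop", None


def render_nft(dmz_as_external: bool) -> str:
    """Render an nftables ruleset for the chosen design (illustrative text,
    not a Zentyal-generated configuration)."""
    lines = [
        "table inet fw2 {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    if dmz_as_external:
        lines.append(f'    iifname "{IF_LAN}" oifname "{IF_DMZ}" ip saddr {LAN} accept')
    else:
        for s_net, d_net, proto, port in FORWARD_RULES:
            iif, oif = (IF_LAN, IF_DMZ) if s_net == LAN else (IF_DMZ, IF_LAN)
            lines.append(
                f'    iifname "{iif}" oifname "{oif}" ip saddr {s_net} '
                f"ip daddr {d_net} {proto} dport {port} accept"
            )
    lines += ["  }", "}"]
    if dmz_as_external:
        lines += [
            "table ip nat {",
            "  chain postrouting {",
            "    type nat hook postrouting priority 100; policy accept;",
            f'    oifname "{IF_DMZ}" ip saddr {LAN} masquerade',
            "  }",
            "}",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    for mode in (True, False):
        label = "External (NAT)" if mode else "Internal (routed)"
        print(f"--- DMZ interface as {label} ---")
        for p in (Packet("192.168.10.5", "192.168.100.10", 443),
                  Packet("192.168.100.10", "192.168.10.5", 5432)):
            print(f"{p.src} -> {p.dst}:{p.dport}  {evaluate(p, mode)}")
        print(render_nft(mode))
```

Two practical differences the model makes visible: in the routed ("Internal") design, DMZ hosts and the outer firewall need a route for the LAN prefix via fw2, because LAN addresses now appear unchanged on the DMZ side, whereas with masquerade nothing on the DMZ side needs to know the LAN addressing at all; and in the routed design every DMZ-to-LAN flow that is permitted is spelled out as a rule, which is easier to review than relying on the absence of NAT mappings.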
 
  


Tags
dmz, firewall, nat

