Here is my setup. I have a roadrunner with a Cisco UBR900 router that is connected to a 3com officeconnect firewall/DMZ. I only have one "live" IP for my entire network. I have set up an Apache web server that I want to put on the DMZ port of my firewall. This is where I'm stumped, does the DMZ need its own live IP? I have read all of the documentation for the firewall but that only served to confuse me further. Anybody with knowledge of these please help me, or suggest other alternatives.

I was under the impression that I could just give my Apache server a valid IP on my private network and then the firewall would just direct all port 80 traffic to the private IP of the server but I dont understand what settings I need to play with to get that to happen.

If the web server is on the same subnet that your lan is on then it's not really a DMZ. My understanding of most SOHO firewalls is that in order for a DMZ to function the participants behind the firewall should have valid _public_ IPs on the same subnet as the 'outside' port of the firewall.

If you're using NAT masquerading then you would need to segment the 'public' servers from your 'private' LAN. A screened subnet can more or less achieve that.
So your net would look something like this
Lan pool would be on 192.168.0.0
NAT dmz would be on 192.168.99.0
Note that in order for these to be effective you need to make sure that you are using forwarding rules (ie: in iptables/chains) to get in/out rather than static routes.


Have a look at http://csrc.nist.gov/publications/ni...10/node58.html

It was the first result from a google search for 'screened subnet example'

Ok...I'm foggy on the valid public IP part. Lets say that my "live" IP is 50.50.50.51, that gets natted and the Ip that I see as my gateway on the inside of my firewall is 50.50.50.52. Now the 50.50.50.52 is a valid public IP and may be somebody elses live IP but that doesnt matter because its not "seen" on the net right? So if I understand this correctly, the web server on the DMZ port will need an ip like 50.50.50.55 that is a valid public ip but it is still not "seen" on the net. The firewall has to be configured to pass port 80 traffic on the 50.50.50.51 live IP to 50.50.50.55 on the DMZ port? Im making alot of assumptions here so please be patient with me. Am I even in the right neighborhood? Right now the server is accessible fron the net but I had to allow port 80 traffic to pass to that server on the inside of my LAN. Im real uncomfortabe about that. I basically want to do the same thing but not have that traffic getting that far into my network.