Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I have a DMZ with two firewalls (Zentyal). The second one protects the LAN from the internet and DMZ. My question is, should the second firewall mark the DMZ interface as "External" and therefore be doing NAT? Or should I mark it as "Internal" and create the required rules in the firewall?
I think you are going to have to provide more details on what you are doing and what you want an answer to. I have not dealt with a Zentyal firewall before, so I am not sure if there are some special requirements. But in general you should not have to NAT unless you design your network in a way that requires it, e.g. you are using a private network and trying to talk to the internet. There are many different NAT examples. Then as far as DMZ, Internal, External go, these are just labels; you can normally call them whatever you like. Personally, if this was my network I would probably use 1 firewall(s) with three interfaces: one Internet facing, one for your DMZ and one for the rest of your LAN, the 1 firewall being a redundant pair. Let us know a little more information on what you are looking for.
I think you have a software distribution that can act as a few devices.
Zentyal Linux small business server can be configured as a Gateway, Unified Threat Manager (UTM), Infrastructure Manager, Office Server, Unified Communications Server or a combination of them.
For the most part you would never want to use a DMZ. In a normal setup, you set some NIC as the external NIC. Then you set one or more as internal. Between the two you configure the firewall and rules and logs and such so that the two connect.
Thanks both for your replies. So if I understand correctly, it doesn't really matter / it's a design choice? What are the pros and cons? I'm guessing it uses more resources to do NAT the whole time but provides a bit more security by way of hiding protected computers IP addresses etc.?
I currently have the DMZ interface on the second-layer firewall marked as "External" which automatically does NAT and implements the firewall rules. I think I would prefer to mark it as "Internal" (no changes) and manually enter the firewall rules with no NAT. Do you see any problems with this or should I keep the NAT?
Yes, it is a design choice. I am still not sure about your design and what you are doing. To really give an answer I need to understand your IP addressing. Are you using all public IPs or private IPs? If you are using all public IPs for your computers there is, in my "opinion", no reason to do NAT. Some people like it though, as they feel more secure with it. Do as you wish. If you are using private IPs you are going to have to do NAT to get to the Internet, but at that point you do not have to do NAT to your DMZ. Your DMZ can route between the private network and the public network without using NAT. NAT can be troublesome for some protocols, but if you prefer the "security" of NAT then you might want it.
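The two designs discussed in this thread, the DMZ-side interface of the second firewall treated as "External" (LAN masqueraded) versus "Internal" (plain routing plus filter rules), side by side as an added example. This is not Zentyal's own configuration or anything posted in the thread; it is a plain iptables rule generator for the inner firewall, and the interfaces, addresses and the single DMZ-to-LAN exception (a syslog forwarder on UDP 514) are assumptions chosen for illustration. The caveat the thread does not spell out is included: in the routed variant the outer firewall needs a return route for the LAN subnet and must masquerade it toward the internet, otherwise replies never come back.

```shell
#!/bin/sh
# Inner (second) firewall of a two-firewall DMZ design.
# Assumed topology (not from the thread):
#   outer firewall: internet <-> DMZ 192.168.100.1
#   inner firewall: eth0 on the DMZ (192.168.100.2), eth1 on the LAN (192.168.10.1)
DMZ_IF="eth0"; DMZ_NET="192.168.100.0/24"; DMZ_SELF="192.168.100.2"
LAN_IF="eth1"; LAN_NET="192.168.10.0/24"
OUTER_FW="192.168.100.1"   # outer firewall's DMZ address, the inner firewall's default gateway

# Emit the iptables commands for one of two designs:
#   nat   : DMZ side treated as "External": LAN is masqueraded behind DMZ_SELF
#   route : DMZ side treated as "Internal": plain routing, filtering only, no NAT
# Nothing is applied here; pipe the output to sh as root to apply it.
inner_fw_rules() {
  mode="$1"
  cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
# replies to connections the LAN opened come back in either design
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the LAN may reach DMZ hosts and, via $OUTER_FW, the internet
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -j ACCEPT
# DMZ hosts get no new connections into the LAN unless listed explicitly (assumed syslog forwarder)
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -s $DMZ_NET -d $LAN_NET -p udp --dport 514 -j ACCEPT
EOF
  case "$mode" in
    nat)
      cat <<EOF
# NAT design: LAN addresses are hidden behind $DMZ_SELF, so nothing else needs a route to $LAN_NET
iptables -t nat -A POSTROUTING -o $DMZ_IF -s $LAN_NET -j MASQUERADE
EOF
      ;;
    route)
      cat <<EOF
# Routed design: no NAT on this box. LAN packets keep their source address, so the outer firewall
# (and any DMZ host that must answer the LAN directly) needs a return route, e.g. on the outer firewall:
#   ip route add $LAN_NET via $DMZ_SELF
# and the outer firewall must masquerade $LAN_NET as well as $DMZ_NET on its internet interface.
EOF
      ;;
    *) echo "usage: inner_fw_rules nat|route" >&2; return 2 ;;
  esac
}

# Number of NAT rules a design emits: 1 for nat, 0 for route.
nat_rule_count() { inner_fw_rules "$1" | grep -c -- '-j MASQUERADE' || true; }
```

Review the output with `inner_fw_rules route` before applying it; in the routed design, forgetting the static route on the outer firewall is the usual reason the LAN loses internet access the moment the inner firewall stops masquerading.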