Posted by J65nko (Administrator), 26th November 2009

OpenBSD IRC channel chat about DMZ and vlan

Thu Dec 11 20:54:12 CET 2008

20:49 < dcolish> what about dmz boxes with a lan and a dmz interface?
20:49 < dcolish> we have some of those for our load balancers
20:49 < jdixon> oh god no
20:50 < jdixon> oh HELL no
20:50 < NicM> that seems a bit, well
20:50 < dcolish> i thought so
20:50 < jdixon> if you have boxes with a leg on the lan, it's NOT a DMZ
20:50 < NicM> that was the phrase i was looking for

20:51 < jdixon> where are your app servers?
20:52 < jdixon> please don't say the lan
20:52 < jdixon> please oh please
20:52 < jdixon>
20:52 < dcolish> sorry, they're on the lan
20:52 < jdixon> why>
20:52 < jdixon> ?
20:52 < dcolish> maybe because they mount an nfs share that's on the lan? i'm not totally sure, the design was not mine
20:53 < jdixon> ugh
20:53 < jdixon> it sounds like they should be in their own lan
20:53 < jdixon> s/lan/dmz/
20:53 < dcolish> do you have separate dmz's for app servers and load balancers?
20:53 < dcolish> s/do/would
20:54 < jdixon> I have separate dmz's based on class of access required
20:54 < jdixon> i.e., a financial dmz
20:54 < jdixon> web dmz
20:54 < jdixon> dev dmz
20:54 < jdixon> etc
20:54 < jdixon> use vlans
20:54 < dcolish> dmz's don't have to have public static IPs right?
20:55 < NicM> that is smart, then you can control privilege centrally and carefully on the firewall
20:55 < jdixon> NicM++

20:58 < dcolish> can i still trunk with vlans?
20:58 < jdixon> sure
20:58 < jdixon> physical + physical -> trunk -> vlan -> carp
20:59 < dcolish> are there any limits to the # of vlan or carp devices i can define?
20:59 < jdixon> I think 255 carp
20:59 < jdixon> not sure about vlan
20:59 < dcolish> that'll be more than enough
20:59 < jdixon> (per segment)
21:00 < jdixon> even though you don't need to, you might want to use a different vhid for each carp interface
21:00 < dcolish> in the past that's how i've defined them
21:00 < jdixon> in the past I've used "vhid 1" on carp0, carp1, carpN because they were on different physical segments
21:01 < jdixon> but I've seen rare circumstances of switches that "leak" the packets between networks
21:01 < jdixon> specifically, avaya
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
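One way to turn jdixon's "physical + physical -> trunk -> vlan -> carp" layering and his vhid advice into something checkable, as an added example that is not from the post or from anyone quoted in it: a sh script that writes a constructed set of OpenBSD hostname.if(5) files to a temporary directory and flags any vhid shared between carp interfaces. The 2008-era trunk/vlan keywords, interface names, vlan tags, addresses and passwords are all assumptions.

```shell
#!/bin/sh
# Added example, not from the forum post. Builds a CONSTRUCTED set of
# hostname.if files (two ports -> trunk -> one vlan per DMZ -> carp on each)
# and audits them for the clash jdixon warns about: one vhid reused on
# several carp interfaces, which matters once a switch leaks between VLANs.
set -e

make_sample_config() {                     # $1 = directory standing in for /etc
    mkdir -p "$1"
    printf 'up\n' > "$1/hostname.em0"
    printf 'up\n' > "$1/hostname.em1"
    printf 'trunkproto lacp trunkport em0 trunkport em1 up\n' > "$1/hostname.trunk0"
    # one tagged vlan per DMZ class, all carried by the trunk (assumed tags)
    printf 'vlan 10 vlandev trunk0 up\n' > "$1/hostname.vlan10"   # web dmz
    printf 'vlan 20 vlandev trunk0 up\n' > "$1/hostname.vlan20"   # financial dmz
    # carp address on each vlan; vhid 1 is deliberately reused on both
    printf 'inet 10.10.0.1 255.255.255.0 10.10.0.255 vhid 1 carpdev vlan10 pass s3cret\n' \
        > "$1/hostname.carp10"
    printf 'inet 10.20.0.1 255.255.255.0 10.20.0.255 vhid 1 carpdev vlan20 pass s3cret\n' \
        > "$1/hostname.carp20"
}

# Print one line per vhid that appears in more than one hostname.carp* file;
# prints nothing when every carp interface has its own vhid.
check_vhids() {                            # $1 = directory holding hostname.carp*
    for f in "$1"/hostname.carp*; do
        [ -f "$f" ] || continue
        vhid=$(awk '{for (i = 1; i < NF; i++) if ($i == "vhid") print $(i + 1)}' "$f")
        printf '%s %s\n' "${vhid:-none}" "$(basename "$f")"
    done | sort -n | awk '$1 == prev { print "duplicate vhid " $1 ": " prevf " and " $2 }
                          { prev = $1; prevf = $2 }'
}

set_vhid() {                               # $1 = hostname.carp file, $2 = new vhid
    tmp=$(mktemp)
    sed "s/vhid [0-9]*/vhid $2/" "$1" > "$tmp" && mv "$tmp" "$1"
}

demo() {
    d=$(mktemp -d)
    make_sample_config "$d"
    check_vhids "$d"                       # reports carp10 and carp20 sharing vhid 1
    set_vhid "$d/hostname.carp20" 2        # give the second DMZ its own vhid
    check_vhids "$d"                       # now silent
    rm -r "$d"
}
demo
```

On a real firewall the same check_vhids function can be pointed at /etc, and a clean result still says nothing about the switches in between, so keep jdixon's point in mind when a carp pair flaps for no visible reason.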