OpenBSD IRC channel chat about DMZ and vlan
Thu Dec 11 20:54:12 CET 2008
20:49 < dcolish> what about dmz boxes with a lan and a dmz interface?
20:49 < dcolish> we have some of those for our load balancers
20:49 < jdixon> oh god no
20:50 < jdixon> oh HELL no
20:50 < NicM> that seems a bit, well
20:50 < dcolish> i thought so
20:50 < jdixon> if you have boxes with a leg on the lan, it's NOT a DMZ
20:50 < NicM> that was the phrase i was looking for
20:51 < jdixon> where are your app servers?
20:52 < jdixon> please don't say the lan
20:52 < jdixon> please oh please
20:52 < jdixon>
20:52 < dcolish> sorry, they're on the lan
20:52 < jdixon> why>
20:52 < jdixon> ?
20:52 < dcolish> maybe because they mount an nfs share that's on the lan? i'm not totally sure, the design was not mine
20:53 < jdixon> ugh
20:53 < jdixon> it sounds like they should be in their own lan
20:53 < jdixon> s/lan/dmz/
20:53 < dcolish> do you have separate dmz's for app servers and load balancers?
20:53 < dcolish> s/do/would
20:54 < jdixon> I have separate dmz's based on class of access required
20:54 < jdixon> i.e., a financial dmz
20:54 < jdixon> web dmz
20:54 < jdixon> dev dmz
20:54 < jdixon> etc
20:54 < jdixon> use vlans
20:54 < dcolish> dmz's don't have to have public static ip's right?
20:55 < NicM> that is smart, then you can control privilege centrally and carefully on the firewall
20:55 < jdixon> NicM++
20:58 < dcolish> can i still trunk with vlans?
20:58 < jdixon> sure
20:58 < jdixon> physical + physical -> trunk -> vlan -> carp
20:59 < dcolish> are there any limits to the # of vlan or carp devices i can define?
20:59 < jdixon> I think 255 carp
20:59 < jdixon> not sure about vlan
20:59 < dcolish> that'll be more than enough
20:59 < jdixon> (per segment)
21:00 < jdixon> even though you don't need to, you might want to use a different vhid for each carp interface
21:00 < dcolish> in the past that's how i've defined them
21:00 < jdixon> in the past I've used "vhid 1" on carp0, carp1, carpN because they were on different physical segments
21:01 < jdixon> but I've seen rare circumstances of switches that "leak" the packets between networks
21:01 < jdixon> specifically, avaya
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Tags: carp, dmz, trunk, vlan
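What jdixon sketches above (two physical ports -> trunk -> one vlan per DMZ class -> one carp interface per vlan, each with its own vhid, and the firewall as the only path between segments) looks roughly like this on an OpenBSD box. This is an added example, not config from anyone in the chat; the NIC names, addresses, vlan ids, hosts and passphrases are assumed placeholders, and it uses the hostname.if(5) syntax of 2008-era releases (current releases spell the vlan options `vnetid`/`parent`).

```conf
# /etc/hostname.em0 and /etc/hostname.em1 (assumed NIC names): trunk members only, no address
up

# /etc/hostname.trunk0: aggregate both ports.  failover works with any switch;
# lacp would need the switch side configured to match.
trunkproto failover trunkport em0 trunkport em1 up

# /etc/hostname.vlan10: "web dmz", tagged 10 on the trunk (addresses assumed)
inet 10.10.0.2 255.255.255.0 NONE vlan 10 vlandev trunk0

# /etc/hostname.vlan20: "financial dmz", tagged 20
inet 10.20.0.2 255.255.255.0 NONE vlan 20 vlandev trunk0

# /etc/hostname.vlan30: the internal lan is just one more tagged segment
inet 10.30.0.2 255.255.255.0 NONE vlan 30 vlandev trunk0

# /etc/hostname.carp10: shared gateway for vlan10.  vhid == vlan id, so no two carp
# interfaces ever share a vhid; that is the precaution against the "leaky switch" case.
inet 10.10.0.1 255.255.255.0 10.10.0.255 vhid 10 carpdev vlan10 pass CHANGEME-carp10

# /etc/hostname.carp20: same for vlan20, distinct vhid and distinct passphrase
inet 10.20.0.1 255.255.255.0 10.20.0.255 vhid 20 carpdev vlan20 pass CHANGEME-carp20

# /etc/sysctl.conf: let the preferred firewall take all carp groups back at once
net.inet.carp.preempt=1

# /etc/pf.conf excerpt: every segment is single-homed, so what each DMZ class may
# reach is decided here and nowhere else.  egress = interface with the default route (not shown).
web_dmz = "vlan10"
fin_dmz = "vlan20"
lan     = "vlan30"
app_srv = "10.10.0.50"        # assumed app server, lives only in the web dmz
nfs_srv = "10.30.0.10"        # assumed nfs server on the lan

set skip on lo
block log all                 # default deny; tcpdump -i pflog0 shows what was dropped
pass out all                  # filter on the way in, let replies and forwarded traffic leave
pass quick proto carp         # carp advertisements between the two firewalls

# public web traffic terminates on the app server in the web dmz
pass in on egress proto tcp to $app_srv port { 80 443 }
# the app server gets the nfs port on the lan and nothing else: no second leg into the lan
pass in on $web_dmz proto { tcp udp } from $app_srv to $nfs_srv port 2049
# the financial dmz reaches nothing until a rule is added here
```

The nfs rule covers nfsd only; mountd and the lock daemons use other ports and would need their own lines if the share is mounted that way.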