Posted 26th November 2009 by J65nko

OpenBSD IRC channel chat about DMZ and vlan

Thu Dec 11 20:54:12 CET 2008

20:49 < dcolish> what about dmz boxes with a lan and a dmz interface?
20:49 < dcolish> we have some of those for our load balancers
20:49 < jdixon> oh god no
20:50 < jdixon> oh HELL no
20:50 < NicM> that seems a bit, well
20:50 < dcolish> i thought so
20:50 < jdixon> if you have boxes with a leg on the lan, it's NOT a DMZ
20:50 < NicM> that was the phrase i was looking for

20:51 < jdixon> where are your app servers?
20:52 < jdixon> please don't say the lan
20:52 < jdixon> please oh please
20:52 < jdixon>
20:52 < dcolish> sorry, they're on the lan
20:52 < jdixon> why>
20:52 < jdixon> ?
20:52 < dcolish> maybe because they mount an nfs share thats on the lan? i'm not totally sure, the design was not mine
20:53 < jdixon> ugh
20:53 < jdixon> it sounds like they should be in their own lan
20:53 < jdixon> s/lan/dmz/
20:53 < dcolish> do you have separate dmz's for app servers and load balancers?
20:53 < dcolish> s/do/would
20:54 < jdixon> I have separate dmz's based on class of access required
20:54 < jdixon> i.e., a financial dmz
20:54 < jdixon> web dmz
20:54 < jdixon> dev dmz
20:54 < jdixon> etc
20:54 < jdixon> use vlans
20:54 < dcolish> dmz's dont have to have public static ip's right?
20:55 < NicM> that is smart, then you can control privilege centrally and carefully on the firewall
20:55 < jdixon> NicM++

20:58 < dcolish> can i still trunk with vlans?
20:58 < jdixon> sure
20:58 < jdixon> physical + physical -> trunk -> vlan -> carp
20:59 < dcolish> are there any limits to the # of vlan or carp devices i can define?
20:59 < jdixon> I think 255 carp
20:59 < jdixon> not sure about vlan
20:59 < dcolish> that'll be more than enough
20:59 < jdixon> (per segment)
21:00 < jdixon> even though you don't need to, you might want to use a different vhid for each carp interface
21:00 < dcolish> in the past thats how i've defined them
21:00 < jdixon> in the past I've used "vhid 1" on carp0, carp1, carpN because they were on different physical segments
21:01 < jdixon> but I've seen rare circumstances of switches that "leak" the packets between networks
21:01 < jdixon> specifically, avaya
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
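As an added illustration of the layout jdixon sketches above (two physical ports aggregated into a trunk, one tagged vlan per DMZ on top of it, a carp interface on each vlan, and access between the DMZs decided centrally in the firewall ruleset), here is a set of OpenBSD hostname.if files plus a pf.conf fragment. This is example configuration written for this page, not anything posted in the thread or taken from OpenBSD's documentation; the interface names (em0, em1), the VLAN numbers, the addresses and the carp passwords are all constructed and need to be replaced with your own.

```conf
# /etc/hostname.em0 and /etc/hostname.em1: the two physical ports.
# They carry no addresses of their own; they only feed the trunk.
# (constructed example; adapt the driver names to your hardware)
up

# /etc/hostname.trunk0: aggregate both ports with LACP.
# Use "trunkproto failover" instead if the switch cannot do 802.3ad.
trunkproto lacp trunkport em0 trunkport em1

# /etc/hostname.vlan10: the "web dmz", tagged VLAN 10 on the trunk.
vlan 10 vlandev trunk0
inet 10.10.0.2 255.255.255.0

# /etc/hostname.vlan20: the "financial dmz", tagged VLAN 20 on the trunk.
vlan 20 vlandev trunk0
inet 10.20.0.2 255.255.255.0

# /etc/hostname.carp10: shared gateway address for the web dmz.
# Each carp interface gets its own vhid even though the VLANs are separate
# segments, so a switch that leaks tagged frames between VLANs cannot make
# two carp groups with the same vhid see each other's advertisements.
inet 10.10.0.1 255.255.255.0 10.10.0.255 vhid 10 carpdev vlan10 pass WEBSECRET

# /etc/hostname.carp20: shared gateway address for the financial dmz.
inet 10.20.0.1 255.255.255.0 10.20.0.255 vhid 20 carpdev vlan20 pass FINSECRET

# /etc/pf.conf fragment: privilege is decided here, per dmz, not on the hosts.
# (constructed example; the database port and addresses are placeholders)
web_dmz = "vlan10"
fin_dmz = "vlan20"
lan     = "em2"
web_net = "10.10.0.0/24"
fin_net = "10.20.0.0/24"
fin_db  = "10.20.0.10"

block all
# carp advertisements must flow on every segment that carries a carp interface
pass on { $web_dmz $fin_dmz } proto carp
# the only thing the internet may reach is the web dmz, on web ports
pass in on egress proto tcp to $web_net port { 80 443 }
# web servers may talk to one financial host on one port, nothing else
pass in on $web_dmz proto tcp from $web_net to $fin_db port 5432
# no dmz host has a leg on the lan; traffic between them is blocked outright
block in quick on { $web_dmz $fin_dmz } to $lan:network
```

The point of the vhid choice is the one jdixon makes at the end of the log: reusing "vhid 1" on every carp interface only works as long as the switch keeps the VLANs strictly apart. Giving each group its own vhid costs nothing and removes that dependency on the switch. The pf rules show the other half of NicM's remark: with every DMZ as its own vlan on the firewall, the question "may the web tier reach the financial tier?" is answered in one ruleset instead of on each server.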

Tags: carp, dmz, trunk, vlan
