Thu Dec 11 20:54:12 CET 2008
20:49 < dcolish> what about dmz boxes with a lan and a dmz interface?
20:49 < dcolish> we have some of those for our load balancers
20:49 < jdixon> oh god no
20:50 < jdixon> oh HELL no
20:50 < NicM> that seems a bit, well
20:50 < dcolish> i thought so
20:50 < jdixon> if you have boxes with a leg on the lan, it's NOT a DMZ
20:50 < NicM> that was the phrase i was looking for
20:51 < jdixon> where are your app servers?
20:52 < jdixon> please don't say the lan
20:52 < jdixon> please oh please
20:52 < dcolish> sorry, they're on the lan
20:52 < jdixon> why>
20:52 < jdixon> ?
20:52 < dcolish> maybe because they mount an nfs share thats on the lan? i'm not totally sure, the design was not mine
20:53 < jdixon> ugh
20:53 < jdixon> it sounds like they should be in their own lan
20:53 < jdixon> s/lan/dmz/
20:53 < dcolish> do you have separate dmz's for app servers and load balancers?
20:53 < dcolish> s/do/would
20:54 < jdixon> I have separate dmz's based on class of access required
20:54 < jdixon> i.e., a financial dmz
20:54 < jdixon> web dmz
20:54 < jdixon> dev dmz
20:54 < jdixon> etc
20:54 < jdixon> use vlans
20:54 < dcolish> dmz's dont have to have public static ip's right?
20:55 < NicM> that is smart, then you can control privilege centrally and carefully on the firewall
20:55 < jdixon> NicM++
20:58 < dcolish> can i still trunk with vlans?
20:58 < jdixon> sure
20:58 < jdixon> physical + physical -> trunk -> vlan -> carp
20:59 < dcolish> are there any limits to the # of vlan or carp devices i can define?
20:59 < jdixon> I think 255 carp
20:59 < jdixon> not sure about vlan
20:59 < dcolish> that'll be more than enough
20:59 < jdixon> (per segment)
21:00 < jdixon> even though you don't need to, you might want to use a different vhid for each carp interface
21:00 < dcolish> in the past thats how i've defined them
21:00 < jdixon> in the past I've used "vhid 1" on carp0, carp1, carpN because they were on different physical segments
21:01 < jdixon> but I've seen rare circumstances of switches that "leak" the packets between networks
21:01 < jdixon> specifically, avaya
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
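As an added example, not part of the pasted log or the thread: the "physical + physical -> trunk -> vlan -> carp" layering jdixon describes, written as OpenBSD hostname.if(5) files plus a pf.conf fragment that decides each DMZ's privilege centrally on the firewall, with a distinct vhid per carp interface as he suggests. The NIC names (em0/em1), VLAN ids, addresses (RFC 5737 documentation ranges and a private LAN range), ports and passwords are placeholders, and the vlan syntax is the current vnetid/parent form rather than the 2008-era one.

```conf
# /etc/hostname.em0 and /etc/hostname.em1 (placeholder NIC names): raw trunk members
up

# /etc/hostname.trunk0: two physical ports, one failover bundle
trunkproto failover trunkport em0 trunkport em1 up

# /etc/hostname.vlan10: web DMZ, tagged on the trunk
vnetid 10 parent trunk0 up

# /etc/hostname.vlan20: app DMZ, its own segment instead of a leg on the LAN
vnetid 20 parent trunk0 up

# /etc/hostname.vlan30: internal LAN, where the NFS server lives
vnetid 30 parent trunk0 up

# /etc/hostname.carp10, carp20, carp30 (one line per file): redundant gateway
# per segment. vhid equals the VLAN id, so no two segments share a vhid and an
# advertisement leaked by a switch from another VLAN cannot be taken for this
# group's. Passwords are placeholders.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 10 carpdev vlan10 pass PLACEHOLDER-web
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 20 carpdev vlan20 pass PLACEHOLDER-app
inet 10.0.30.1 255.255.255.0 10.0.30.255 vhid 30 carpdev vlan30 pass PLACEHOLDER-lan

# /etc/pf.conf (fragment): every segment's privilege is decided here, centrally
web_dmz     = "vlan10"
app_dmz     = "vlan20"
web_servers = "192.0.2.0/24"      # placeholder ranges
app_servers = "198.51.100.0/24"
nfs_server  = "10.0.30.10"

set skip on lo
block log all                     # default deny, logged, on every interface
pass quick proto carp             # CARP advertisements between the two firewalls
# Internet -> web DMZ: only HTTPS to the load balancers / web tier
pass in on egress proto tcp to $web_servers port 443
# web DMZ -> app DMZ: only the application port, only from the web tier
pass in on $web_dmz proto tcp from $web_servers to $app_servers port 8080
# app DMZ -> LAN: only NFS to the one file server (rpcbind/mountd ports omitted)
pass in on $app_dmz proto tcp from $app_servers to $nfs_server port 2049
# nothing else crosses from a DMZ into the LAN; that separation is what makes it a DMZ
```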
I'm sorry for the up...
However, I would like to know where that channel is located (because it doesn't seem to be the Freenode one I already know). Thanks, A frog-eater
#openbsd, the one started by Han Boetes.
I haven't been there in a while; say hello to Han, NickM and Tobiasu from me.
I thought it was somewhere else.
Tags: carp, dmz, trunk, vlan