Koozali.org: home of the SME Server

two network

kma

two network
« on: April 22, 2004, 05:04:02 PM »
Hi all,

I have downloaded and installed SME 6.0.1 and am still testing.

I am new to SME and have already used Smoothwall, IPCop and Freesco.

I have some questions about SME and am looking for advice and help.

I have two LANs.

LAN1 = 192.168.1.0   50 Computers
LAN2 = 192.168.20.0  80 Computers

I would like to configure SME as follows:

LAN1 needs full access to internal mail, and only 15 PCs need to access the Internet.

LAN2 needs full access to internal mail, and only 5 PCs need to access the Internet.

LAN1 should have full access to LAN2, but LAN2 should not have access to LAN1.

In the above scenario, how do I configure SME?

Thanks to all.

electroman00
two network
« Reply #1 on: April 22, 2004, 05:49:42 PM »
Sounds like you want to have a DMZ on your sme.

You can hack the sme to do that, however you might find it easier to put the sme on the dmz of the smoothie or IPcop.

I don't know if there is an RPM for SME DMZ.
I haven't looked for one; if you find one, let us know how it works.

Later

PhilV

two network
« Reply #2 on: April 22, 2004, 06:44:27 PM »
Quote from: electroman00
    I don't know if there is a RPM for sme DMZ.


OK, I'm sorry, I'm a bit of a noobie to this, but the above looks like a code of acronyms!

OK, I know SME is the server, and an RPM is a package we can download, but DMZ?

Thx,

Phil

Boris
two network
« Reply #3 on: April 22, 2004, 10:59:35 PM »
Simply put, DMZ is DeMilitarized Zone: a separate network accessible via firewall-controlled rules. It is less trusted than the internal LAN. It is usually accessible from outside and inside, but not allowed to connect directly to inside LAN computers. It requires a separate network adapter on the firewall and advanced firewall configuration. SME doesn't have a facility for easy configuration of a DMZ, which is why a different firewall with a DMZ option was proposed.
Personally, for a network of this size and with the requirements you have, I would choose one of the low-cost professional firewalls like gnatbox (www.gta.com), but IPCop will do the basics as well.
...

Anonymous

two network
« Reply #4 on: April 22, 2004, 11:34:08 PM »
Let me see if I can answer this without making an ass of myself.

DMZ = DeMilitarized Zone aka No Firewall Zone

On a Smoothie (aka Smoothwall) or IPCop you can install a third NIC (aka Network Interface Card, aka orange) that allows you to connect your server to the internet, and it will not be firewalled, unlike the green NIC, which is firewalled. There is full access to orange (DMZ) from green (LAN) and no access from orange to green on a default setup. One can access green from orange via pinholes; however, that reduces the effectiveness of the green firewall and should be undertaken with caution.

So in short the DMZ is where you can connect a web server and not fight the firewall intrusion battles.

DMZone = No Firewall Zone

So having your server on the DMZ is somewhat exposed and other security measures need to be taken into consideration on the server side.

To say it's almost impossible to run an effective webserver on a Smoothie or IPCop on green is pretty much the way it is, unless you're skilled at mods and are willing to give up some security on your (LAN client) side, which is analogous to shooting yourself in the foot.

Considering a smoothie is pretty much intrusion bullet proof on the green side.

Why would one want to put a server on the green....da!

Remember when you run a server to the internet you have to open ports which will expose the network.

Nobody says you have to expose your entire network.

Carefully expose your servers and bullet proof the lan is the concept.

DMZ is just a way of limiting (client LAN side) exposure when connecting a server and an interconnected LAN to the same internet connection.

As far as the SME server, I haven't looked to see if there are mods or an RPM for DMZing (adding an orange NIC) an SME box; I don't have a need here to do that.

The sys here is....

A dual WAN router, load balanced, with Smoothie and backup SMEs hanging on to Smoothie's orange.

Primary SME hanging on to the router for the Web ride.

I set it up like that so I can turn orange on/off (backup servers) to the internet when the primary goes down, and it is software controlled from a watchdog system.
There's no sense in letting them root the backups too.

Backup servers are only online when the primary goes down
and the watchdog sees it and configs the Smoothie orange back on (backup servers online).

Also, the LAN-side Smoothie green shuts down (crontab) at midnight and comes back up at 8am, limiting exposure of any kind when nobody's using the clients.
So if I can't sleep at 2am, a simple "redup" command does the trick.

So nothing is exposed without a good reason. Why is that? Well, let's just say connect to the internet and I'm very sure you'll find out soon enough.

Now you know what a DMZ is and how one might use it.

So why did I make an ass of myself here.... so you can see there are many ways to skin a cat.

MEOW.....
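To make the policy in the original question concrete against the green/orange/red model described in Reply #3 and Reply #4, here is an added example that is not from the thread and not part of SME Server, Smoothwall or IPCop. It treats LAN1 (192.168.1.0/24) as green and LAN2 (192.168.20.0/24) as the less-trusted orange zone, evaluates new connections with first-match rules and a default deny, and renders the same policy as iptables FORWARD-chain commands (as strings only). The mail server address, the hosts allowed out to the internet, the pinholed ports and the interface names are all constructed assumptions.

```python
"""Three-zone forwarding policy: green (LAN1) -> orange (LAN2) allowed,
orange -> green only through explicit pinholes, selected hosts only to red
(the internet), nothing inbound from red. First match wins, default deny."""
import ipaddress

# Constructed example values (assumptions, not taken from the thread).
ZONES = {
    "green": ipaddress.ip_network("192.168.1.0/24"),    # LAN1, trusted
    "orange": ipaddress.ip_network("192.168.20.0/24"),  # LAN2, less trusted
}
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")      # assumed mail server in LAN1
INTERNET_ALLOWED = {                                    # the few hosts permitted out
    ipaddress.ip_address("192.168.1.21"),
    ipaddress.ip_address("192.168.20.31"),
}
# Pinholes: the only orange -> green traffic allowed, as (destination host, TCP port).
PINHOLES = {(MAIL_SERVER, 25), (MAIL_SERVER, 143)}      # SMTP and IMAP to the mail server


def zone_of(ip):
    """Map an address to green or orange; anything else is red (the internet)."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "red"


def evaluate(src, dst, dport):
    """Return 'ALLOW' or 'DENY' for a new TCP connection src -> dst:dport."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s, d = zone_of(src), zone_of(dst)
    rules = [
        # (condition, action), evaluated in order; the first true condition wins
        (s == "green" and d == "orange", "ALLOW"),                # LAN1 -> LAN2: full access
        (s == "orange" and d == "green" and (dst, dport) in PINHOLES, "ALLOW"),  # mail pinhole
        (s == "orange" and d == "green", "DENY"),                 # everything else LAN2 -> LAN1
        (s in ZONES and d == "red" and src in INTERNET_ALLOWED, "ALLOW"),  # selected hosts out
        (s == "red", "DENY"),                                     # nothing inbound without a rule
    ]
    for cond, action in rules:
        if cond:
            return action
    return "DENY"  # default deny covers every case not listed above


def to_iptables(green_if="eth1", orange_if="eth2", red_if="eth0"):
    """Render the same policy as iptables commands (returned as strings, never executed).
    Interface names are assumed; reply traffic is allowed via connection tracking."""
    zone_if = {"green": green_if, "orange": orange_if}
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {green_if} -o {orange_if} -j ACCEPT",
    ]
    for host, port in sorted(PINHOLES):
        lines.append(f"iptables -A FORWARD -i {orange_if} -o {green_if} "
                     f"-p tcp -d {host} --dport {port} -j ACCEPT")
    for host in sorted(INTERNET_ALLOWED):
        lines.append(f"iptables -A FORWARD -i {zone_if[zone_of(host)]} -o {red_if} "
                     f"-s {host} -j ACCEPT")
    return lines


if __name__ == "__main__":
    for pkt in [("192.168.1.5", "192.168.20.7", 445),    # green -> orange
                ("192.168.20.7", "192.168.1.5", 445),    # orange -> green, no pinhole
                ("192.168.20.7", "192.168.1.10", 25),    # orange -> mail server pinhole
                ("192.168.1.5", "203.0.113.5", 443),     # green host not on the allow list
                ("203.0.113.5", "192.168.1.10", 25)]:    # inbound from red
        print(pkt, "->", evaluate(*pkt))
    print("\n".join(to_iptables()))
```

The point worth noticing is the rule order: the orange-to-green pinhole must sit before the blanket orange-to-green deny, and the `-P FORWARD DROP` policy means any zone pair not explicitly listed (including anything arriving from red) is dropped without a further rule.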

electroman00
two network
« Reply #5 on: April 22, 2004, 11:46:09 PM »
Well login timed out again and Boris beat me to it.

Also made a bobo.

The "redup" command should read "greenup/greendn".

"reddn" shuts down everything but the primary web server.

"redup/reddn" is just in case an intrusion is detected or I need to put the sys down.

MEOW