OpenVZ Forum


DMZ VPS on LAN HN ? [message #9626] Sun, 14 January 2007 05:13
bards1888
I have a 3 legged firewall with INTERNET, LAN and DMZ segments/legs. The LAN and DMZ have their own switches.

I have openvz stable 2.6.9-023stab037.3-smp running on a 'LAN' server that is Centos 4.4 x86_64. Everything is working well and I can create VEs successfully.

I'm now trying to consolidate my physical DMZ host (mail/web server) onto a VPS running on this 'LAN' server. The LAN server has 2 nics eth0 (LAN) and eth1 (DMZ). I have physically connected eth1 to the DMZ switch and eth0 is connected to the LAN switch.

I've brought eth1 up with an IP address of the DMZ segment and also assigned a VE with another DMZ segment IP address. I had to change the vz.conf so that:

VE_ROUTE_SRC_DEV="eth1"

This works perfectly and the VE looks like it lives in the DMZ.

From a security point of view I'm a bit worried that it would appear as though I *have* to bring up eth1 on the HN with an IP address for this to work. Obviously I'd like it if I could run this without needing an IP on eth1.

I brought eth1 up without an IP to see if that would work but it appears not to.

Do I need to enable proxy arp for this to work ?

Do I need to use iptables to restrict access to the eth1 interface but allow access to the VE's IP address ?


Or am I trying to do something that won't work the way I want it to ?


Any help or assistance would be appreciated.


Cheers.

 