DS10, dual NICs to both LAN and DMZ of a firewall; doable?

From: Rich Jordan (jordan_at_ccs4vms.com)
Date: 04/30/04


Date: 30 Apr 2004 14:46:51 -0700

We have an installed DS10 (VMS V7.3-2, TCPIP V5.4) running custom
apps. It's on a NAT'ed LAN behind a firewall that also provides a DMZ
port. All access to the Alpha is from the LAN (or effectively so
through VPN tunnels) except for inbound/outbound SMTP; the Alpha is
the public email server for the domain and has a corresponding hole in
the firewall for port 25 to it.

We need to run a webserver (HPSWS) providing public, but fairly static
info (no CGI, PHP, yadayada) on the Alpha. We can open up port 80 on
the firewall and direct it to the current LAN port on the Alpha,
obviously, and we've had zero problems doing so at other locations
with the same firewall box; no security issues. However, I was
wondering if there is any way (or any benefit) to use the second
ethernet port with an available public address hooked up to the DMZ on
the firewall. The DS10 would NOT be set up as a router between the
two interfaces.

I'm not sure this can work, since essentially you'd have two different
routing tables, and/or the need to tell services to use a different
default route for one interface than for the other. I'm still reading
through the TCPIP V5.4 docs, but I don't think that the capability is
available. We can tell each of the other services (SMTP, Telnet, etc)
to only accept connections on the primary interface, while leaving
HPSWS working on both with the set service/address command, though I
dislike doing that with the 'standard' services. Alternatively we
could tell the standard services to reject connections from addresses
outside the LAN and VPN connected sites, while HPSWS accepts them all,
but the routing issues would remain either way.

So I don't think it's possible. But just in case I'm wrong, input
would be appreciated.

Rich Jordan
CCS
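The routing concern raised in the post, worked through as an added example that is not part of the original post or of any HP/VMS software: a small Python model of a dual-homed, non-routing host with a single routing table. It shows that whichever interface carries the one default route, some replies leave by the interface the request did not arrive on, which is exactly what a stateful firewall on the other side will drop. It also models the per-service address binding the post mentions (SET SERVICE /ADDRESS), with HTTP listening on both addresses and everything else only on the LAN address. The interface names ewa0/ewb0, the gateways and every address are constructed sample values (RFC 5737 test networks), not the poster's configuration.

```python
# Added example (not from the original post): a small model of the proposed
# dual-homed DS10 with a single routing table, to show why replies can leave by
# the wrong interface, plus a per-service address binding policy in the spirit
# of TCPIP's SET SERVICE /ADDRESS. Interface names and all addresses are
# constructed sample values (RFC 5737 test networks), not the poster's real ones.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_interface, ip_network

# Assumed interface names: ewa0 on the NAT'ed LAN, ewb0 on the firewall's DMZ.
INTERFACES = {
    "ewa0": ip_interface("192.168.10.5/24"),
    "ewb0": ip_interface("203.0.113.20/28"),
}
# Assumed gateways: the firewall's LAN-side and DMZ-side addresses.
GATEWAYS = {"ewa0": "192.168.10.1", "ewb0": "203.0.113.17"}


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    via: str    # next-hop address, or "direct" for an attached subnet
    iface: str


def build_routes(default_iface: str) -> list:
    """Return the host's single routing table: one connected route per
    interface plus exactly one default route, as a non-routing host has."""
    routes = [Route(i.network, "direct", n) for n, i in INTERFACES.items()]
    routes.append(Route(ip_network("0.0.0.0/0"), GATEWAYS[default_iface], default_iface))
    return routes


def lookup(routes, dst: str) -> Route:
    """Longest-prefix match; the default route only wins when nothing else does."""
    dst_ip = ip_address(dst)
    matches = [r for r in routes if dst_ip in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen)


def reply_is_symmetric(routes, arrived_on: str, client: str) -> bool:
    """Does the reply to `client` leave via the interface the request came in on?
    If not, a stateful firewall sees the reply on the wrong port and drops it."""
    return lookup(routes, client).iface == arrived_on


def audit(routes, flows):
    """flows: (service, arrived_on, client). Returns the flows whose reply
    would exit the other interface, i.e. the ones the single route table breaks."""
    return [f for f in flows if not reply_is_symmetric(routes, f[1], f[2])]


# Per-service bind policy: every service except HTTP listens only on the LAN
# address; HTTP listens on both (the poster's SET SERVICE /ADDRESS idea).
LAN = str(INTERFACES["ewa0"].ip)
DMZ = str(INTERFACES["ewb0"].ip)
SERVICES = {"SMTP": {LAN}, "TELNET": {LAN}, "HTTP": {LAN, DMZ}}


def accepts(service: str, local_addr: str) -> bool:
    """Would `service` accept a connection addressed to `local_addr`?"""
    return local_addr in SERVICES.get(service, set())


if __name__ == "__main__":
    # Constructed traffic: a LAN user, a VPN-site user (10.20.0.0/16 reached
    # through the LAN gateway), a public web client, and a DMZ neighbour.
    FLOWS = [
        ("TELNET", "ewa0", "192.168.10.77"),
        ("SMTP", "ewa0", "10.20.0.4"),
        ("HTTP", "ewb0", "198.51.100.7"),
        ("HTTP", "ewb0", "203.0.113.30"),
    ]
    for default in ("ewa0", "ewb0"):
        bad = audit(build_routes(default), FLOWS)
        print(f"default route via {default}: {len(bad)} asymmetric flow(s) -> {bad}")
```

Running it shows one broken flow for each choice of default interface: with the default via the LAN, the public web client's replies go out the LAN port and through the firewall's NAT instead of back out the DMZ; with the default via the DMZ, the VPN site's replies leave by the DMZ instead of the LAN. Binding services to addresses controls which connections are accepted, but it does not change where the replies go, which is the point the post makes about the routing issue remaining either way.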
