On Fri, 15 Jul 2005, Matt Bazan wrote:

> Is there a preferred method of setting up an Internet facing screened
> subnet and the use of public or private IP addresses? Looking at
> redesigning our DMZ to only include public resources (www, smtp, imap,
> ftp). Presently we use a private IP address range for this that is
> NAT'ed at our firewall. Any reasons to change this policy to using
> public IPs in the DMZ? Thanks,

If you're NATing to your internal network, then a rework is necessary-
public stuff should be on its own (preferably) physical subnet.

IP addressing doesn't matter much, since you'll be letting stuff through
the most likely exploit vectors anyway.

Paul D. Robertson
paul@compuwar.net
"My statements in this message are personal opinions which may have no basis whatsoever in fact."

firewall-wizards mailing list