On Fri, 15 Jul 2005, Matt Bazan wrote:

> Is there a preferred method of setting up an Internet-facing screened
> subnet and the use of public or private IP addresses? Looking at
> redesigning our DMZ to only include public resources (www, smtp, imap,
> ftp). Presently we use a private IP address range for this that is
> NAT'ed at our firewall. Any reasons to change this policy to using
> public IPs in the DMZ? Thanks,


If you're NATing to your internal network, then a rework is necessary-
public stuff should be on its own (preferably) physical subnet.

IP addressing doesn't matter much, since you'll be letting stuff through
the most likely exploit vectors anyway.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards