Networking Forums


dhcpd in dmz ?

 
 
peter pilsl

 
      10-27-2004, 11:09 AM

We currently have one server that provides dhcpd, bind, smtp, imap, web
.... for our LAN. Now we want to open imap/web for access from the
outside too and think about moving this server to the DMZ.

Does that make sense? Is it technically possible with common firewalls?
(at the moment we use a software firewall, but we think about switching
to a hardware firewall like the zyxel ZyWall50) Especially dhcpd bothers
me, 'cause I don't have any idea if it is possible to "open" a door for
arp between the DMZ and the intranet. To me it sounds like this would
spoil the whole sense of DMZ.

any comments highly appreciated,
thnx,
peter




--
http://www2.goldfisch.at/know_list
 
 
 
 
 
Davide Bianchi

 
      10-27-2004, 11:13 AM
On 2004-10-27, peter pilsl <(E-Mail Removed)> wrote:
> Does that make sense?


Not really, no... if you want to make a server available on the
internet, take out everything that does not need to be available.
In other words: get another machine for that.

Davide

--
If Bill Gates is the Devil then Linus Torvalds must be the Messiah.
 
 
David Efflandt

 
      10-27-2004, 11:47 PM
On Wed, 27 Oct 2004 13:09:50 +0200, peter pilsl <(E-Mail Removed)> wrote:
>
> We currently have one server that provides dhcpd, bind, smtp, imap, web
> ... for our LAN. Now we want to open imap/web for access from the
> outside too and think about moving this server to the DMZ.
>
> Does that make sense? Is it technically possible with common firewalls?
> (at the moment we use a software firewall, but we think about switching
> to a hardware firewall like the zyxel ZyWall50) Especially dhcpd bothers
> me, 'cause I don't have any idea if it is possible to "open" a door for
> arp between the DMZ and the intranet. To me it sounds like this would
> spoil the whole sense of DMZ.


From the view of SuSEfirewall2 a DMZ should be public IPs on a separate
NIC (which might or might not be allowed direct communication with the LAN).
Although, broadband routers have the view that a DMZ is a single IP that
receives all incoming ports not specifically forwarded to other IPs.

But in order for a server to work, it should have a static IP (so your
firewall knows where to forward incoming public traffic). You can assign
a static IP using DHCP based on MAC address. But it is much easier to simply
configure the server with a static IP, gateway and DNS.
 
 
Tauno Voipio

 
      10-30-2004, 08:35 PM
peter pilsl wrote:
>
> We currently have one server that provides dhcpd, bind, smtp, imap, web
> ... for our LAN. Now we want to open imap/web for access from the
> outside too and think about moving this server to the DMZ.
>
> Does that make sense? Is it technically possible with common firewalls?
> (at the moment we use a software firewall, but we think about switching
> to a hardware firewall like the zyxel ZyWall50) Especially dhcpd bothers
> me, 'cause I don't have any idea if it is possible to "open" a door for
> arp between the DMZ and the intranet. To me it sounds like this would
> spoil the whole sense of DMZ.
>
> any comments highly appreciated,
> thnx,
> peter


In principle, it's possible to run a DHCP server on the
computer and limit the UDP ports 67 and 68 (used by DHCP)
to the internal network only.

There is no sense in putting a DHCP server on a server in a real
DMZ with a local network separate from the internal net:
DHCP works only in the local network if there are
no relay servers.

So, if you insist on opening your firewall/router/Web
server/DHCP server to the outside, it is possible, but
not as secure as a separate server in a DMZ net separated
from both the internal and the external networks.

HTH

Tauno Voipio
tauno voipio (at) iki fi
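
An added example, not part of any post in this thread: a check that a host's INPUT chain accepts UDP 67/68 only on the internal interface, as the last reply suggests. The two rulesets and the interface names eth0 (outside) and eth1 (LAN) are constructed, and the parser models only simple iptables-save lines (no negated matches, no user-defined chains).

```python
import shlex

# Constructed iptables-save samples; eth0 (outside) and eth1 (LAN) are assumed names.
WEAK = """*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,143 -j ACCEPT
COMMIT"""
FIXED = WEAK.replace("-A INPUT -p udp", "-A INPUT -i eth1 -p udp")
KNOWN = {"-i", "-p", "-m", "--dport", "--dports", "--state", "--ctstate", "-j"}

def _ports(spec):
    """Expand '67', '67:68' or '80,143' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _parse(rule):
    """Map each option of one '-A INPUT ...' line to its argument ('' if none)."""
    tok, opts, i = shlex.split(rule), {}, 2
    while i < len(tok):
        has_arg = i + 1 < len(tok) and not tok[i + 1].startswith("-")
        opts[tok[i]] = tok[i + 1] if has_arg else ""
        i += 2 if has_arg else 1
    return opts

def verdict(ruleset, in_if, dport):
    """First-match INPUT verdict for a NEW UDP packet to dport arriving on in_if."""
    lines = [ln.strip() for ln in ruleset.splitlines()]
    policy = next((ln.split()[1] for ln in lines if ln.startswith(":INPUT ")), "ACCEPT")
    for o in (_parse(ln) for ln in lines if ln.startswith("-A INPUT ")):
        target, spec = o.get("-j"), o.get("--dport") or o.get("--dports")
        states = o.get("--state") or o.get("--ctstate")
        if (target not in ("ACCEPT", "DROP", "REJECT")  # LOG and jumps are not followed
                or o.get("-i", in_if) != in_if or o.get("-p", "udp") not in ("udp", "all")
                or (spec and dport not in _ports(spec))
                or (states and "NEW" not in states.split(","))
                or (set(o) - KNOWN and target != "ACCEPT")):  # unmodelled match on a DROP
            continue
        return target
    return policy

def dhcp_exposure(ruleset, interfaces, lan_if):
    """Interfaces other than lan_if on which UDP 67 or 68 would be accepted."""
    return sorted({i for i in interfaces if i != lan_if
                   for p in (67, 68) if verdict(ruleset, i, p) == "ACCEPT"})
```

Packet filtering is only one layer here: ISC dhcpd on Linux reads requests from a packet socket, ahead of the INPUT chain, so the daemon should also be started with only the LAN interface named on its command line.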


 