
Setting up public IP inside firewall: possible?

 
 
Max

 
      09-06-2007, 12:59 AM
I have...
- one computer that runs Endian Firewall (EFW)
- one server that runs Linux and virtualized systems
- client computers (Linux, Mac and Windows) on the rest of my network

I want to...
- use EFW at the edge of my network for its monitoring features and
its easy to setup VPN
- make my Linux server publicly accessible

My ISP gives me one (1) static IP address on my cable modem; I can get
more addresses if I pay more (20$/month). I would like, if possible,
to give the Linux server its own IP address and still be able to
monitor it with EFW.

The simple setup would be to connect the Linux server and the EFW to a
switch connected to the cable modem. However, that setup would NOT
allow me to monitor traffic to the server with EFW.

The ideal setup would be to route the traffic through EFW, to a kind
of DMZ; is that possible?

Thanks,
Max

 
 
 
 
 
Max Plante

 
      09-07-2007, 01:14 AM
UPDATE:

Am I on the right track if I assume you can bridge two NICs together to
accomplish a transparent DMZ for the server?

Thanks,
Max

P.S.: A diagram of the network will follow in another message.



On 2007-09-05 20:59:02 -0400, Max <(E-Mail Removed)> said:

> I have...
> - one computer that runs Endian Firewall (EFW)
> - one server that runs Linux and virtualized systems
> - client computers (Linux, Mac and Windows) on the rest of my network
>
> I want to...
> - use EFW at the edge of my network for its monitoring features and
> its easy to setup VPN
> - make my Linux server publicly accessible
>
> My ISP gives me one (1) static IP address on my cable modem; I can get
> more addresses if I pay more (20$/month). I would like, if possible,
> to give the Linux server its own IP address and still be able to
> monitor it with EFW.
>
> The simple setup would be to connect the Linux server and the EFW to a
> switch connected to the cable modem. However, that setup would NOT
> allow me to monitor traffic to the server with EFW.
>
> The ideal setup would be to route the traffic through EFW, to a kind
> of DMZ; is that possible?
>
> Thanks,
> Max




 
 
Max Plante

 
      09-07-2007, 11:56 AM
It seems the attachment did not get through!

Here is a convenient link to the diagram:
http://picasaweb.google.com/Maxime.P...28243122866082

Cheers,
Max

On 2007-09-06 21:14:08 -0400, Max Plante
<Maxime.Plante+(E-Mail Removed)> said:

> UPDATE:
>
> Am I on the right track if I assume you can bridge two NICs together to
> accomplish a transparent DMZ for the server?
>
> Thanks,
> Max
>
> P.S.: A diagram of the network will follow in another message.
>
>
>
> On 2007-09-05 20:59:02 -0400, Max <(E-Mail Removed)> said:
>
>> I have...
>> - one computer that runs Endian Firewall (EFW)
>> - one server that runs Linux and virtualized systems
>> - client computers (Linux, Mac and Windows) on the rest of my network
>>
>> I want to...
>> - use EFW at the edge of my network for its monitoring features and
>> its easy to setup VPN
>> - make my Linux server publicly accessible
>>
>> My ISP gives me one (1) static IP address on my cable modem; I can get
>> more addresses if I pay more (20$/month). I would like, if possible,
>> to give the Linux server its own IP address and still be able to
>> monitor it with EFW.
>>
>> The simple setup would be to connect the Linux server and the EFW to a
>> switch connected to the cable modem. However, that setup would NOT
>> allow me to monitor traffic to the server with EFW.
>>
>> The ideal setup would be to route the traffic through EFW, to a kind
>> of DMZ; is that possible?
>>
>> Thanks,
>> Max




 
 
Pascal Hambourg

 
      09-07-2007, 02:44 PM
Hello,

Max Plante wrote:
>
> Am I on the right track if I assume you can bridge two NICs together to
> accomplish a transparent DMZ for the server?


Yes, this is one possible solution. What kind of monitoring are you doing?
 
 
Max

 
      09-07-2007, 05:29 PM
On Sep 7, 10:44 am, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org>
wrote:
> Hello,
>
> Max Plante wrote:
>
>
>
> > Am I on the right track if I assume you can bridge two NICs together to
> > accomplish a transparent DMZ for the server?

>
> Yes, this is one possible solution. What kind of monitoring are you doing?


Basically, I like Endian Firewall (EFW)'s ntop monitoring web
interface, which shows very detailed per-protocol traffic stats. There
is also interesting intrusion detection (snort) and the traffic
shaping features.

This could also be done with m0n0wall I believe (can anyone confirm?),
but I have no experience with it. Anyway, I'd rather use a firewall
distribution than setup a custom Linux or BSD solution, since the
former is quicker to setup and upgrade.

I have found this concise documentation about m0n0wall:
http://doc.m0n0.ch/handbook/examples...ed-bridge.html

Does anyone know if that solution is adequate if:
1) the ISP hands out IP addresses without a netmask?
2) I use Endian Firewall? If so, how?

Thanks,
Max
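
The bridged ("transparent") DMZ confirmed earlier in the thread, sketched for a generic Linux box with iproute2 and iptables. This is an added example, not a post from the thread and not Endian Firewall's or m0n0wall's own configuration; the interface names, `br0`, the address 203.0.113.10 and the port list are assumptions.

```shell
#!/bin/sh
# Added example: filtered bridge placing a publicly addressed server behind
# the firewall. All names and values are assumptions; 203.0.113.10 is a
# constructed documentation address. LAN/NAT rules and the firewall's own
# address (which would move to br0) are not shown.

# Print the commands for a filtered bridge between the modem-side NIC ($1)
# and the server-side NIC ($2), publishing only the TCP ports in $4 on the
# server's public address ($3). Nothing is executed by this function.
bridge_dmz_plan() {
    wan_if=$1; dmz_if=$2; server_ip=$3; ports=$4; br=br0

    # 1. Join both NICs into one layer-2 bridge; the member NICs carry no IP.
    echo "ip link add name $br type bridge"
    for nic in "$wan_if" "$dmz_if"; do
        echo "ip addr flush dev $nic"
        echo "ip link set $nic master $br"
        echo "ip link set $nic up"
    done
    echo "ip link set $br up"

    # 2. Make bridged IPv4 frames traverse the iptables FORWARD chain,
    #    so the firewall can filter and log them like routed traffic.
    echo "modprobe br_netfilter"
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"

    # 3. Default-deny, then allow replies, the published services,
    #    and connections the server itself opens.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $wan_if --physdev-out $dmz_if -d $server_ip -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $dmz_if --physdev-out $wan_if -s $server_ip -j ACCEPT"

    # 4. Log whatever else is aimed at the server before the policy drops it.
    echo "iptables -A FORWARD -m physdev --physdev-in $wan_if -d $server_ip -j LOG --log-prefix DMZ-DROP:"
}

# Apply the plan (as root) only when explicitly requested: APPLY=1 sh script.sh
if [ "${APPLY:-0}" = 1 ]; then
    bridge_dmz_plan eth0 eth2 203.0.113.10 "80 443" | sh -ex
fi
```

Because the bridge forwards at layer 2, the server keeps its public address and default gateway unchanged while every frame to and from it still crosses the firewall's FORWARD chain.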

 