How do I set up a DMZ (De-Militarized Zone) using RCF?
The architecture suggested with RCF is this:

    --INTERNET--> firewall --DMZ--> router --MZ--|

The router should (of course) make use of ACLs to control DMZ->MZ traffic. Typically, databases would be located on the MZ. Let's not forget, the 'standard' definition of a DMZ is a network with servers offering their services on the Internet. MZ servers should not communicate directly with the Internet, but only with DMZ servers in a very restricted fashion.

Using RCF, you have to keep your public IPs on the firewall, so you can't really load balance with RCF.

Note: DMZ support is not working correctly with RCF 5.0.1 and below. Use 5.1b7 or higher instead.

To accomplish this, you need to set in /etc/firewall.conf:

    # De-Militarized Zones (DMZs) are public network segments connected to
    # the firewall. DMZ servers typically offer public services such as
    # http, ftp, etc. IP addresses on these segments should be routable on
    # the internet (no private IPs like 10.0.0.0, 192.168.0.0, etc.).
    # dmz-int
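
The router ACL described above (DMZ->MZ traffic tightly restricted, MZ hosts never talking directly to the Internet), modelled as an added example that is not part of RCF or of this FAQ. The addresses, the hosts and the database port are constructed assumptions, and the model covers new connections only (return traffic is assumed to be handled statefully by the router).

```python
"""Default-deny model of the router ACL between DMZ and MZ (added example)."""
from ipaddress import ip_address, ip_network

# Constructed sample addressing; none of these values come from RCF or the FAQ.
DMZ = ip_network("203.0.113.0/28")  # routable segment behind the firewall
MZ = ip_network("10.10.0.0/24")     # internal segment behind the router

# Allowlist for NEW connections crossing the router: (src, dst, proto, dport).
# Hypothetical hosts: two DMZ web servers reaching one MZ database.
ALLOW = [
    ("203.0.113.2", "10.10.0.5", "tcp", 5432),
    ("203.0.113.3", "10.10.0.5", "tcp", 5432),
]


def validate_allowlist(rules):
    """Reject entries that would widen the ACL beyond DMZ host -> MZ host:port."""
    for src, dst, proto, dport in rules:
        if ip_address(src) not in DMZ:
            raise ValueError(f"{src}: source is not a DMZ host")
        if ip_address(dst) not in MZ:
            raise ValueError(f"{dst}: destination is not an MZ host")
        if proto not in ("tcp", "udp") or not 1 <= dport <= 65535:
            raise ValueError(f"{proto}/{dport}: one explicit port required")


def decide(src, dst, proto, dport, rules=ALLOW):
    """Return (verdict, reason) for a new connection arriving at the router."""
    s, d = ip_address(src), ip_address(dst)
    if (str(s), str(d), proto, dport) in rules:
        return "permit", "allowlisted DMZ->MZ service"
    if s in MZ and d not in DMZ and d not in MZ:
        return "deny", "MZ host talking directly to the Internet"
    if d in MZ and s not in DMZ and s not in MZ:
        return "deny", "non-DMZ source reaching into the MZ"
    return "deny", "default deny"


validate_allowlist(ALLOW)

if __name__ == "__main__":
    flows = [  # constructed test flows
        ("203.0.113.2", "10.10.0.5", "tcp", 5432),
        ("203.0.113.2", "10.10.0.5", "tcp", 22),
        ("10.10.0.5", "198.51.100.7", "tcp", 443),
        ("198.51.100.7", "10.10.0.5", "tcp", 5432),
    ]
    for f in flows:
        print(f, "->", decide(*f))
```

The deny reasons are meant as log labels: a hit on either of the two named denies means a host is attempting a path the DMZ/MZ split is supposed to rule out.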