Subject: Re: Enhancing my firewall/gateway: Adding a DMZ
To: None <tech-net@netbsd.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 12/21/2002 17:26:42
seth> However, there really isn't any point in having a DMZ with only one 
seth> firewall.

  Seth is using the classic definition of DMZ.
  Some companies argued for doing:

  router
   |
   |
 /-+-\
 |fwA|
 \-+-/
   |
   | "DMZ"
   |
 /-+-\
 |fwB|
 \-+-/
   |
   |
  private

This was from companies that couldn't cope with having three interfaces on
their firewall (because they had an "in" and an "out", and didn't do general
policy).  Usually, fwA was a packet filter, fwB was application layer.

Once they figured out how to do "Service" networks (a term which BorderWare
coined, and Milkyway Networks used as well), they then continued to abuse the
"DMZ" term to greater confusion. So, I recommend avoiding the term.

I suggest:

  router
   |
   |
 /-+-\  service network
 |fwA+----------- 
 \-+-/
   |
   |
  private

Put the web server, and possibly the incoming mail server, on the service
network. There should be firewall rules that carefully restrict what can be
done *outgoing* from the service network. In particular, you do *not* want to
enable SSH, telnet, or port 80 outgoing by default. The reason? Because once
the service network machines are compromised (you plan on this assumption),
they can't be used to attack others. You also have to make sure that
you don't permit any traffic from the service network to the private network.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
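The three-interface design and the outbound policy described in the post above, written out as an IPFilter (ipf) ruleset for a NetBSD gateway. This is an added example and not part of the original message; the interface names, addresses and host roles are assumptions (ex0 toward the router, ex1 the service network 192.0.2.0/24 with a web server at .10 and a mail relay at .25, ex2 the private network 10.0.0.0/24, and a resolver at 192.0.2.53 on the service network).

```ipf
# /etc/ipf.conf -- example ruleset (assumed interfaces and addresses):
#   ex0: toward the router / Internet
#   ex1: service network 192.0.2.0/24 (web 192.0.2.10, mail relay 192.0.2.25,
#        resolver 192.0.2.53)
#   ex2: private network 10.0.0.0/24
# Rules are evaluated in order; "quick" stops at the first match, so the
# default is to block and log everything that no later rule passes.
block in log all
block out log all

pass in quick on lo0 all
pass out quick on lo0 all

# Service network -> private network: never, under any circumstances.
# Placed before any pass rule so nothing below can override it.
block in log quick on ex1 from 192.0.2.0/24 to 10.0.0.0/24

# Outbound from the service network: only what each host needs to do its job.
# No SSH, telnet or port 80 outbound by default, so a compromised host cannot
# be turned against other sites. "keep state" lets reply packets back in on ex0.
pass in quick on ex1 proto tcp from 192.0.2.25 to any port = 25 flags S keep state
pass in quick on ex1 proto udp from 192.0.2.0/24 to 192.0.2.53 port = 53 keep state
pass in quick on ex1 proto udp from 192.0.2.53 to any port = 53 keep state

# Inbound from the Internet: only the published services, by host and port.
pass in quick on ex0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state
pass in quick on ex0 proto tcp from any to 192.0.2.25 port = 25 flags S keep state

# Private network outbound, including administrative SSH into the service
# network (private -> service is the one direction that is allowed).
pass in quick on ex2 proto tcp from 10.0.0.0/24 to 192.0.2.0/24 port = 22 flags S keep state
pass in quick on ex2 proto tcp from 10.0.0.0/24 to any flags S keep state
pass in quick on ex2 proto udp from 10.0.0.0/24 to any keep state
pass in quick on ex2 proto icmp from 10.0.0.0/24 to any keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf` and check which rule a given packet would hit with `ipftest -r /etc/ipf.conf -i ex1` before relying on it; the blocked service-to-private attempts will show up in `ipmon` output, which is a useful early indicator that a service network host has been compromised.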