Originally Posted By: jmwking
Got it now.

Didn't ask earlier: do you need DHCP in your dmz?

I don't think so. I only have a machine or two going in the dmz, so I don't mind setting up static routes for them.

Quote:
In a dual setup, getting the DHCP requests and replies through the inner router/firewall would require some sort of permission/forwarding setup on it (I don't know if there are meaningful dhcp exploits) but otherwise should work fine.

It would certainly make the configuration more complex. So it comes down to paranoia vs. complexity... smile

Quote:
That said, I'm not sure how much having two firewalls really helps - though I'm often that figurative belt-and-suspenders guy. I think most trouble gets pulled back in via phishing or malware from actively visited web sites (and their ad servers), rather than pushed in through a compromised firewall. Educated users rock!

Well, the second firewall is less about the first firewall being compromised, and more about a machine in the DMZ being compromised, and then being used as the launching point for the internal network.
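For reference, here is what the inner firewall's forwarding policy in the dual setup described above looks like when written out. This is an added example, not configuration from the thread; it assumes an nftables-based inner router with interface names `lan0` (internal side) and `dmz0` (DMZ side), and it shows the one extra hole DHCP would need if you chose relay over static addressing.

```nftables
table inet inner_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # Only needed if this router runs a DHCP relay agent for the DMZ;
        # with static addressing on the DMZ hosts, delete this rule.
        iifname "dmz0" udp sport 68 udp dport 67 accept

        # Management of the router itself only from the LAN side.
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened toward the DMZ.
        ct state established,related accept

        # LAN may initiate toward DMZ services.
        iifname "lan0" oifname "dmz0" ct state new accept

        # Nothing new from the DMZ into the LAN: a compromised DMZ host
        # gets no path inward, which is the point of the second firewall.
        iifname "dmz0" oifname "lan0" ct state new \
            log prefix "DMZ->LAN blocked: " drop
    }
}
```

Load it with `nft -f` and watch the `DMZ->LAN blocked:` log prefix; any hit there is a DMZ host trying to reach inward and worth investigating.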