
Re: Firewall



On Wed, 28 Jun 2000, Derek Wueppelmann wrote:
> Yet another problem I have been having with a Debian install. Sorry to keep
> pestering.
> 
> Here is my problem stated simply. I need to create a firewall between our
> internal network and the internet while still allowing the machines inside
> the network some limited access out and in, i.e. keep our webservers etc.
> inside the firewall.
> 
> I have two network cards installed in my machine and I have followed the
> FIREWALL-HOWTO to the "t". Here is my configuration:
> 
> eth0 xxx.xxx.xxx.1 :Connected to the internal network
> eth1 xxx.xxx.xxx.2 :Connected to the internet.
> # note that the xxx.xxx.xxx are the same subnet since we are allocated a
> class C domain.
> 
> my routing table looks similar to this:
> DESTINATION        GATEWAY          GENMASK          ...  IFACE
> xxx.xxx.xxx.254    0.0.0.0          255.255.255.255       eth1
> xxx.xxx.xxx.0      0.0.0.0          255.255.255.0         eth0
> 0.0.0.0            xxx.xxx.xxx.254  0.0.0.0               eth1
> 
> Sorry for the poor formatting.
> 
> Right now all I can do is access both of the IP addresses from either the
> internet or the internal network. However, no matter what I do I can't get
> past the firewall (it works too well). I have enabled IP forwarding in the
> kernel and set the IP_forward file to 1 as well as set the forward ipchains
> to wide open, as in:
> 
> ipchains -A forward -j ACCEPT
> 
> as the only rule.
> 

What you need is to subnet your class C network into several smaller subnets.
The first one would be x.x.x.0/255.255.255.252 (or 248 if you want several
addresses outside your firewall, e.g. for an intrusion detection system).
The other ones would fit your needs.

The firewall would then have a NIC (eth0) in the first subnet (x.x.x.0/30
or /29), and the second one (eth1) would be in any other.

Then, you can proxy-arp the different subnets or ask your ISP to route all
traffic to your subnets through eth0. That's what I've done, as it's easier for
me to manage than to modify my arp table each time I add/remove a computer.
I've been told that ISPs usually don't make problems with routing.

Enjoy!
-- 

Marc Dubrowski
Kind of a Network Administrator
K.B.I.N.I.R.Sc.N.B.
29 rue Vautier B-1040 Brussels, Belgium
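A worked version of the subnetting plan above, added here as an example and not part of either poster's message. It carves the /30 (or /29) "outside" subnet off a class C, lists what is left for the inside network, and checks the original misconfiguration: two firewall interfaces sitting in the same subnet, which leaves the kernel nothing to route between. The 192.0.2.0/24 block and the eth0/eth1 addresses are constructed placeholders for the poster's xxx.xxx.xxx network.

```python
import ipaddress


def carve_subnets(block: str, outside_prefix: int):
    """Split a class C into the small 'outside' subnet for the firewall's
    ISP-facing leg (eth0 in the reply above) and the remaining subnets for
    internal hosts. outside_prefix 30 gives 2 usable addresses (ISP router
    and firewall); 29 gives 6, leaving room for an IDS outside the firewall.
    """
    net = ipaddress.ip_network(block, strict=True)
    outside = next(net.subnets(new_prefix=outside_prefix))
    # Everything in the /24 except the outside subnet stays available inside;
    # sorted so the caller gets them lowest address first.
    inside = sorted(net.address_exclude(outside))
    return outside, inside


def same_broadcast_domain(iface_a: str, iface_b: str) -> bool:
    """True when two interface addresses in CIDR form share a subnet.

    This is the state described in the original post: eth0 and eth1 both
    configured in x.x.x.0/24, so 'ipchains -A forward -j ACCEPT' has no
    effect because no packet ever needs forwarding between the two legs.
    """
    net_a = ipaddress.ip_interface(iface_a).network
    net_b = ipaddress.ip_interface(iface_b).network
    return net_a.overlaps(net_b)


def propose_firewall_addresses(block: str, outside_prefix: int = 30):
    """Return a plan: ISP router and firewall eth0 in the outside subnet,
    firewall eth1 as the first host of the largest remaining inside subnet.
    Address choices are an assumption for illustration, not a standard."""
    outside, inside = carve_subnets(block, outside_prefix)
    outside_hosts = list(outside.hosts())
    inside_net = inside[-1]  # largest leftover subnet (highest prefix block)
    return {
        "isp_router": f"{outside_hosts[0]}/{outside.prefixlen}",
        "eth0": f"{outside_hosts[1]}/{outside.prefixlen}",
        "eth1": f"{next(inside_net.hosts())}/{inside_net.prefixlen}",
        "inside_subnets": [str(n) for n in inside],
    }


if __name__ == "__main__":
    # Constructed example: the poster's class C is stood in for by 192.0.2.0/24.
    print("broken:", same_broadcast_domain("192.0.2.1/24", "192.0.2.2/24"))
    plan = propose_firewall_addresses("192.0.2.0/24", 30)
    print("fixed:", same_broadcast_domain(plan["eth0"], plan["eth1"]), plan)
```

With the plan applied, the ISP routes the whole /24 toward the firewall's eth0 address and the forward chain finally sees traffic to rule on.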