
Firewall and Routing question



Hello, Gus and debian-firewall members.  I see you commented on the
about how to place a firewall between two subnets and yet avoid all
the sticky details of Proxy ARP or NAT.  This interested me because
I'd like to provide firewall services for my (soon to be) externally
visible Internet Servers (F + 1 below), yet not be forced to do an IP
Masquerade schema with all the fancy port forwarding or Proxy ARP (if
possible). I simply want to enforce firewall rules from one location
for the multiple servers.  If I understand you correctly, all I need
to do is add an entry to the routing table of the primary firewall?

The Ascend Pipeline 75 BRI router is already set up to route for the
Internet addresses.  When I got this job, they had EVERY computer of
their network assigned to an Internet address...and no firewall.  The
first thing I did was pull out an old 486 and install Linux to do
firewall, IP Masquerading, and port forwarding using ipchains (Server
2 in the diagram below).  Now, we'd like to add a machine or two to
serve DNS, web, and email outside the internal network.  We could
simply connect the ISDN router to a hub (as it was originally) and add
the server, then let it handle its (their) own firewall rules.
However, being able to manage one firewall (another retired 486 we
have floating around) would be most desirable.  So, is it really as
simple as adding a route to the firewall?  Take a look at the schema
I've ASCII'ed below.  Pointers?

Internet Network Address: xxx.xxx.xxx.192
Internet Broadcast Address: xxx.xxx.xxx.224
Internet Netmask: 255.255.255.224

Route(?) to add to new firewall:
	route add -net xxx.xxx.xxx.192 netmask 255.255.255.224 \
		gw xxx.xxx.xxx.2

Add same route to 1+2?

          (Internet)------[ISDN] x.x.x.193
                            _|_
                           |   | x.x.x.194
                           | F |
                           |___| x.x.x.196
                          ___|___
                        _|_     _|_  x.x.x.195 (already assigned)
            x.x.x.197  |   |   |   |                 Internet
                       | 1 |   | 2 | -------------------------------
                       |___|   |___| 192.168.1.10    Intranet
                          _______|_____
                        _|_     _|_    |
          192.168.1.1  |   |   |   |   (To Workstations)--->
                       | 3 |   | 4 |
                       |___|   |___|

                           192.168.1.2  


 #    Service(s)
---   ---------------------
 F    Primary Firewall (forwarding enabled)
 1    Externally Visible Internet Server (DNS, Web, Mail)
 2    Secondary Firewall (also port-forwarding)
 3+   Intranet Servers and workstations (currently Web, Mail, and Apps)

^chewie

http://nerp.net/~chewie  <<--- Check it out!  I'm selling my truck!
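An added check, not part of the original post, that runs the addressing plan above through Python's `ipaddress` module: it derives what the 255.255.255.224 netmask implies for the .192 network and reports the conditions under which a plain static route on the firewall can or cannot stand in for proxy ARP or NAT. The 203.0.113 prefix is a constructed stand-in for the masked xxx.xxx.xxx octets.

```python
import ipaddress

# Constructed stand-in for the post's masked xxx.xxx.xxx prefix (RFC 5737
# documentation range); the host octets are the ones the post gives.
PREFIX = "203.0.113"
NETMASK = "255.255.255.224"


def subnet_facts(network, netmask=NETMASK):
    """What the netmask actually implies for the stated network address."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "prefixlen": net.prefixlen,
    }


def check_static_route(network, gateway, firewall_ifaces, netmask=NETMASK):
    """Conditions a 'route add -net NETWORK netmask MASK gw GATEWAY' on the
    firewall must satisfy to work without proxy ARP or NAT.
    Returns a list of problems; an empty list means the route is usable."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    gw = ipaddress.ip_address(gateway)
    ifaces = [ipaddress.ip_interface(f"{a}/{netmask}") for a in firewall_ifaces]
    problems = []
    # The next hop must be on a link the firewall is directly attached to,
    # i.e. share a subnet with one of the firewall's own interfaces.
    if not any(gw in i.network for i in ifaces):
        problems.append(f"gateway {gw} is not on any directly connected link")
    # If more than one firewall interface sits inside the routed prefix, the
    # kernel cannot tell which interface a given host is behind; that is the
    # case that otherwise needs proxy ARP or bridging.  Splitting the prefix
    # so each side of the firewall gets its own subnet removes the ambiguity.
    inside = [str(i.ip) for i in ifaces if i.ip in net]
    if len(inside) > 1:
        halves = [str(s) for s in net.subnets(prefixlen_diff=1)]
        problems.append(f"interfaces {inside} are all inside {net}; "
                        f"split it, e.g. into {halves}")
    return problems


if __name__ == "__main__":
    print(subnet_facts(f"{PREFIX}.192"))
    # The post's plan: firewall F with .194 and .196, route via .2
    for p in check_static_route(f"{PREFIX}.192", f"{PREFIX}.2",
                                [f"{PREFIX}.194", f"{PREFIX}.196"]):
        print("problem:", p)
```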