
firewalls for dummies?



Hi,

I am planning to set up a firewall for a public network containing 
two class C subnets.  The machine is a potato box running 2.1.10
compiled with the appropriate firewall stuff turned on.  I have 
studied the various HOWTOs (ipchains, firewall, ...) but I think
I am missing something.  My preliminary tests have failed.  I would
really like to get an example of a similar setup from someone who
knows better.

The current network looks like:
                                                      X.Y.(116 or 12).xxx
 upstream router ------------------ switched_hub ---- local_machine_a
 X.Y.116.254                               ||    \___ local_machine_b
 X.Y.12.254 (alias)                 switched_hub ---- ....
                                           ||
                                          ....


I would like it to look like:


 upstream router ------ firewall -- switched_hub ---- local_machine_a
 X.Y.116.254                               ||    \___ local_machine_b
 X.Y.12.254 (alias)                 switched_hub ---- ....
                                           ||
                                          ....

The local machines have addresses in the ranges X.Y.116.3-252 and
X.Y.12.3-252, most of which are unused.  There are ~100 used between
the two subnets.  These are Suns, Macs, Win98/NT PCs, and a few
Linux machines.  The local net machines are set up like:

	IPADDR=X.Y.12.16
	NETMASK=255.255.255.0
	NETWORK=X.Y.12.0
	BROADCAST=X.Y.12.255
	GATEWAY=X.Y.12.254

The one test so far was set up as:

 upstream router ------ firewall -- switched_hub ---- local_machine_a
 X.Y.116.254            ^      ^
 X.Y.12.254 (alias)     |      |
                        |      |
        eth0 = X.Y.12.2 |      |_ eth1 = X.Y.12.242

Here local_machine_a was configured as:

	IPADDR=X.Y.12.107
	NETMASK=255.255.255.0
	NETWORK=X.Y.12.0
	BROADCAST=X.Y.12.255
	GATEWAY=X.Y.12.242

I put a "1" into /proc/sys/net/ipv4/ip_forward and set the chain
policies all to ACCEPT, hoping to create a simple pass-through system.
No bytes would go from the inside to the outside or the other way round.
It seems like I don't understand the routing system.  Do I need to turn
on "arp" for the interfaces (like "ifconfig eth0 arp")?  Also, how is
the upstream router supposed to know about the addresses behind the wall?

Can anyone point me at a source of examples of this sort?  Almost every
example I have seen to date is for a private network using the 192.168.x.x
series of addresses.  It seems problematic that my upstream router has
addresses on my subnet (I think it is one interface with an extra aliased
address).

It seems like this is a common situation.  I want to insert a firewall
into a public network where there is currently a single wire (fiber really).
It should be very similar at most university departments.

Thanks for listening, any advice is appreciated and naturally I can
provide more info,

Stuart
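One way to address the ARP and routing questions in the post, as an added example that is not part of the original message: a dry-run shell script for the drawn topology that uses proxy ARP so the upstream router keeps seeing the inside hosts on its own wire while the firewall forwards between its two legs. It assumes eth0 faces the router and eth1 the switched hubs, a kernel with the per-interface proxy_arp sysctl (2.2-era), and a constructed list of inside hosts; the X.Y placeholders must be filled in before a real run.

```shell
#!/bin/sh
# Added example (not from the post): proxy-ARP "split subnet" layout for the
# firewall drawn above. Inside hosts keep their public addresses and their
# GATEWAY=...254 setting. Assumed, not from the post: eth0 towards the
# router, eth1 towards the hubs, the proxy_arp sysctl, and a constructed
# inside-host list. DRY_RUN=1 (default) only prints the commands.
DRY_RUN=${DRY_RUN:-1}
OUT=eth0; IN=eth1
ROUTER_12="X.Y.12.254";  ROUTER_116="X.Y.116.254"
FW_OUT="X.Y.12.2";       FW_IN="X.Y.12.242"
INSIDE_HOSTS="X.Y.12.107 X.Y.12.16 X.Y.116.40"   # constructed sample

run()  { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
setp() { if [ "$DRY_RUN" = 1 ]; then echo "echo $2 > $1"; else echo "$2" > "$1"; fi; }

# The /24 lives on eth0 (router side); eth1 gets a host netmask so the only
# destinations reached through it are the explicit host routes below.
setup_interfaces() {
  run ifconfig "$OUT" "$FW_OUT" netmask 255.255.255.0 up
  run ifconfig "$IN"  "$FW_IN"  netmask 255.255.255.255 up
}

# Host routes for inside machines beat the /24 route on eth0 (longest prefix
# wins); everything else goes to the router. proxy_arp on eth0 makes the
# firewall answer the router's ARP queries for inside hosts; proxy_arp on
# eth1 answers the inside hosts' ARP queries for ...254.
setup_routes() {
  setp /proc/sys/net/ipv4/ip_forward 1
  setp "/proc/sys/net/ipv4/conf/$OUT/proxy_arp" 1
  setp "/proc/sys/net/ipv4/conf/$IN/proxy_arp" 1
  for h in $INSIDE_HOSTS; do run route add -host "$h" dev "$IN"; done
  run route add -host "$ROUTER_116" dev "$OUT"
  run route add default gw "$ROUTER_12"
}

# Open policies reproduce the pass-through test from the post; once traffic
# flows, tighten the forward chain per host/port.
setup_chains() {
  run ipchains -F
  run ipchains -P input ACCEPT
  run ipchains -P output ACCEPT
  run ipchains -P forward ACCEPT
}

setup_interfaces && setup_routes && setup_chains
```

Run with DRY_RUN=0 as root once the placeholders are replaced; inside hosts that still point at X.Y.12.242 as in the test also work, since that address is on eth1.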

