[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What should I use?


First, thanks for taking time explaining things.
As stated before I am no expert and I appreciate it alot. :)

As mentioned in my previous mail, I was thinking of 'splitting' the
.0-.63 network into several parts.

First a part/zone where all the workstations are.
No connections should be allowed INTO this zone, but all connections
coming FROM the workstations should be allowed.
I think that gives protection to the workers, but still offers enough
freedom to "get out".

The second part should be our servers, like mail and web.
I don't want anyone to be able to connect to any other ports than those
I specify, like SMTP/SSH/HTTP/HTTPS.

And at last a third part where everything is free. Machines in this zone
has no protection/limitiation from the firewall.
This zone also has the Cisco-router which leads to the Internet. (This
router handles our net, .0-.63, today.)

This is why I thought 3 NIC's could be handy. 1 NIC and a hub for each
The only physical connection between the zones would be the Debian-box.

I've read a little about IP-chains, and I think that would do the trick.
And also compiling the kernel with router-functionality could make the
zone's be able to talk to eachother.

Well, this is what I have been thinking about.
Firewall's are for sure not simple things.


Ray Olszewski wrote:
> It is difficult to suggest a solution without knowing what the problem is.
> There are two basic reasons you subnetting your address space:
>         1. To increase effective bandwidth: by separating the LAN
>                 into 2 or more Ethernets, you reduce contention
>                 and collisions. There are other ways to increase
>                 effective bandwidth, though - actually increasing it
>                 (from 10 mbps to 100) is one, and using switches
>                 instead of hubs is another.
>         2. To split the LAN into two or more sections with different
>                 security standards. An example might be a school,
>                 where the admin functions, containing a lot of
>                 confidential data, are protected more than the
>                 academic functions (indeed, are protected from
>                 users *on* the academic side).
> In either case above, you'd put a router between the two network segments.
> In the second (but probablt not the first, that router would also be a
> firewall. If you do want to subnet, your existing addresses are convenient
> in that you can split off .0-.31 and still use your present mail server and
> router addresses (if the mail server were .32, for example, you'd have a
> problem with that).
> If you do subnet, you do need to deal with the fact that the Cisco won't
> know how to find the addresses you place on the other side of the router
> from it. The usual solutions are either to modify the routing table in the
> Cisco (I don't know how; ask a Cisco specialist) or to have the subnet
> router proxy-arp the addresses behind it.
> But since you talk about a Linux router with 3 NICs, you may have in mind
> the idea of firewalling your entire address space and also dividing it in
> two. This causes a slight problem in subnetting, since the Cisco is in the
> address space (or are you proposing the *replace* the Cisco router with a
> Linux router/firewall?).
> Without a better understanding of your goals, I don't think I can be more
> specific than this.
> At 08:42 AM 8/23/00 +0200, Andreas Palsson wrote:
> >Hello.
> >
> >I have been given the task to setup a firewall, but I'm no expert so I
> >have to ask a few questions.
> >
> >I have a Debian box (P166/64) with 3 NIC's (3Com).
> >I have an IP-range from .0 to .63.
> >A Cisco router is the current gateway on .62.
> >A mail/dns-server is placed on .33.
> >
> >
> >What is a good solution with these tools?
> >I've been reading the FW-howto and I think a filtering firewall should do,
> >and maybe splitting the network into a couple of zones.

Reply to: