Re: What should I use?
First, thanks for taking time explaining things.
As stated before I am no expert and I appreciate it a lot. :)
As mentioned in my previous mail, I was thinking of 'splitting' the
.0-.63 network into several parts.
First a part/zone where all the workstations are.
No connections should be allowed INTO this zone, but all connections
coming FROM the workstations should be allowed.
I think that gives protection to the workers, but still offers enough
freedom to "get out".
The second part should be our servers, like mail and web.
I don't want anyone to be able to connect to any other ports than those
I specify, like SMTP/SSH/HTTP/HTTPS.
And at last a third part where everything is free. Machines in this zone
have no protection/limitation from the firewall.
This zone also has the Cisco-router which leads to the Internet. (This
router handles our net, .0-.63, today.)
This is why I thought 3 NICs could be handy: 1 NIC and a hub for each zone.
The only physical connection between the zones would be the Debian-box.
I've read a little about ipchains, and I think that would do the trick.
And also compiling the kernel with router functionality could make the
zones able to talk to each other.
Well, this is what I have been thinking about.
Firewalls are for sure not simple things.
Ray Olszewski wrote:
> It is difficult to suggest a solution without knowing what the problem is.
> There are two basic reasons for subnetting your address space:
> 1. To increase effective bandwidth: by separating the LAN
> into 2 or more Ethernets, you reduce contention
> and collisions. There are other ways to increase
> effective bandwidth, though - actually increasing it
> (from 10 mbps to 100) is one, and using switches
> instead of hubs is another.
> 2. To split the LAN into two or more sections with different
> security standards. An example might be a school,
> where the admin functions, containing a lot of
> confidential data, are protected more than the
> academic functions (indeed, are protected from
> users *on* the academic side).
> In either case above, you'd put a router between the two network segments.
> In the second (but probably not the first), that router would also be a
> firewall. If you do want to subnet, your existing addresses are convenient
> in that you can split off .0-.31 and still use your present mail server and
> router addresses (if the mail server were .32, for example, you'd have a
> problem with that).
> If you do subnet, you do need to deal with the fact that the Cisco won't
> know how to find the addresses you place on the other side of the router
> from it. The usual solutions are either to modify the routing table in the
> Cisco (I don't know how; ask a Cisco specialist) or to have the subnet
> router proxy-arp the addresses behind it.
> But since you talk about a Linux router with 3 NICs, you may have in mind
> the idea of firewalling your entire address space and also dividing it in
> two. This causes a slight problem in subnetting, since the Cisco is in the
> address space (or are you proposing to *replace* the Cisco router with a
> Linux router/firewall?).
> Without a better understanding of your goals, I don't think I can be more
> specific than this.
> At 08:42 AM 8/23/00 +0200, Andreas Palsson wrote:
> >I have been given the task to setup a firewall, but I'm no expert so I
> >have to ask a few questions.
> >I have a Debian box (P166/64) with 3 NICs (3Com).
> >I have an IP-range from .0 to .63.
> >A Cisco router is the current gateway on .62.
> >A mail/dns-server is placed on .33.
> >What is a good solution with these tools?
> >I've been reading the FW-howto and I think a filtering firewall should do,
> >and maybe splitting the network into a couple of zones.