
Re: What should I use?


The physical part -- you can easily set up the 3 NIC environment pretty much
the way you want it, something like the following:

        eth0 -- the public side; the Cisco and all the "exposed"
                machines go here, connected directly (well, via
                the Cisco) to the Internet. The Linux router-firewall
                plays no role here.

        eth1 -- the firewalled LAN. The firewall HowTo is a good start
                here. Also look at Seattle Firewall (seawall.sourceforge.net)
                for ideas about the details. (My own experience is
                all with NAT'ing firewalls, not with real-address
                firewalls, so I don't want to lead you astray with
                too much misfocused advice. But you *could* set this
                up as a NAT'd LAN, increasing its security an extra bit.)

        eth2 -- the servers. Different details from the above, but
                nothing fundamentally different.

Your biggest problems will be not in the firewalling itself, but in defining
the appropriate subnetting and routing tables.

Subnetting -- subnets have to be sized as a power of 2, with 2 addresses used
up for the network itself (the network number and the broadcast address),
and with both boundaries on a power-of-two number (e.g., 0 to 31 is legal;
16 to 47 is not). So with 64 addresses, you could have 2* 32, 1*32 + 2*16,
4*16, or a variety of other mixes. One example is:

        00-31 -- the workstations on eth1
        32-47 -- the servers on eth2
        48-63 -- the exposed machines on the same subnet as
                the Cisco.

Routing -- I already mentioned the two choices here. The sensible one is to
tell the Cisco that the Linux router's IP address on its segment (48-63) is
its route to subnet 00-31 and subnet 32-47.

At 09:45 PM 8/23/00 +0200, andreas palsson wrote:
>First, thanks for taking time explaining things.
>As stated before I am no expert and I appreciate it a lot. :)
>As mentioned in my previous mail, I was thinking of 'splitting' the
>.0-.63 network into several parts.
>First a part/zone where all the workstations are.
>No connections should be allowed INTO this zone, but all connections
>coming FROM the workstations should be allowed.
>I think that gives protection to the workers, but still offers enough
>freedom to "get out".
>The second part should be our servers, like mail and web.
>I don't want anyone to be able to connect to any other ports than those
>I specify, like SMTP/SSH/HTTP/HTTPS.
>And at last a third part where everything is free. Machines in this zone
>have no protection/limitation from the firewall.
>This zone also has the Cisco-router which leads to the Internet. (This
>router handles our net, .0-.63, today.)
[old stuff deleted]

------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                    ray@comarre.com
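The subnetting and routing rules above (power-of-two sizes, aligned boundaries, two addresses lost per subnet, one static route per internal subnet on the Cisco) as an added worked example; this is not code from the original thread. The 192.0.2.0/26 base address and the Linux router's offset (.49) are constructed assumptions, since the mail only gives host offsets .0-.63.

```python
import ipaddress

# Constructed: the thread only talks about offsets .0-.63 within a 64-address block.
BASE = ipaddress.ip_network("192.0.2.0/26")  # 64 addresses (RFC 5737 test range)

def block(first, last):
    """Return the subnet covering offsets first..last of BASE, or None when the
    range is not a legal subnet: size must be a power of two and the start must
    be a multiple of that size (so 0-31 is fine, 16-47 is not)."""
    size = last - first + 1
    if first < 0 or last >= BASE.num_addresses or size <= 0:
        return None
    if size & (size - 1) or first % size:
        return None
    prefix = 32 - size.bit_length() + 1          # 32 addresses -> /27, 16 -> /28
    return ipaddress.ip_network((int(BASE.network_address) + first, prefix))

def usable_hosts(net):
    """Addresses left after the network number and the broadcast address."""
    return net.num_addresses - 2

def check_plan(plan):
    """Validate that plan, a list of (name, first, last), tiles BASE exactly with
    no overlaps; return {name: (cidr, usable_hosts)}."""
    nets = []
    for name, first, last in plan:
        net = block(first, last)
        if net is None:
            raise ValueError(f"{name}: {first}-{last} is not a valid subnet")
        nets.append((name, net))
    if sum(n.num_addresses for _, n in nets) != BASE.num_addresses:
        raise ValueError("plan does not use exactly the 64 addresses of BASE")
    for i, (_, a) in enumerate(nets):
        for _, b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return {name: (str(net), usable_hosts(net)) for name, net in nets}

def static_routes(result, router_offset=49):
    """Routes the Cisco needs: every subnet that does not contain the Linux
    router's exposed-segment address is reached via that address."""
    hop = BASE.network_address + router_offset   # constructed: .49 on 48-63
    return [(cidr, str(hop)) for cidr, _ in result.values()
            if hop not in ipaddress.ip_network(cidr)]

# The split proposed in the mail: 32 workstations, 16 servers, 16 exposed.
PLAN = [("eth1 workstations", 0, 31), ("eth2 servers", 32, 47), ("exposed/Cisco", 48, 63)]
```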
