Re: Re: Firewall in an internet-caffe
Replying in detail to only one part of your long response. First, though,
you asked about the meanings of "routing" and "interface". In this context ...
routing is what a router does. Specifically, a router connects
two or more networks and forwards traffic among them,
operating at the network layer (IP addresses).
interface is a physical device that connects a host to a
network. It also refers to the logical device that
a kernel uses to communicate with the physical
device. Here, eth0 and eth1 are examples of (logical)
At 11:17 PM 5/27/01 +0200, IronHand wrote:
>OK. I'll try to explain it as clean as I can. :-)
>Now it's like this:
> C C C
> | | / C - computer with windows
>+--------+ /---\-C S1 - mandrake with www/dns/ftp/mail
>|Provider|-----------|HUB|-C S2 - mandrake with shell accounts
>+--------+ /\ \---/-S1
> (Cable to hub) \S2
>Provider provides me IP's a.b.c.1 up to a.b.c.32 through Cable. Hub
>broadcasts request for a.b.c.X and X (some mandrake or windows) replies
>to the request saying "I'm a.b.c.X!". So it gets connection with
This is a good start, but it omits some details that matter.
1. What is the actual device that you have labeled above as "Provider"?
2. Is the cable between "Provider" and "HUB" a standard Ethernet cable? If
not, what is it (and, anticipating a bit, how do you intend to connect it to
the Linux firewall)?
3. What is the IP address of the device labeled "Provider"? If you think you
do not know the answer to this, then see what the default gateway address is
on any of the clients that use this setup to access the Internet. That
address will (almost surely) be the IP address of the "Provider" device.
Finally, I assume you mean a.b.c.1 to a.b.c.30. .31 is your broadcast
address, and .32 is the network address of the "next" network (a.b.c.32-63).
>There are 16 computers with windows (IP's .16-.32). Rest is
>used by S1 and S2, because AFAIR every ftp virtual host needs a separate
>IP (there are 3 VirtualHosts now - one for caffe and two bought by some
>companies), because VH by host name is in drafts now and it's not the
>part of HTTP1.1 (so says ProFTPD FAQ).
>What I want to do:
> [S2] C C
> \ | /
>+--------+ ............ /---\-C
>|Provider|---------- : FIREWALL :----|HUB|-C
>+--------+ /\ :..........: \---/\
> (Cable to Firewall) C
>S2 - (www/mail/ftp services), on separate eth (lets say eth1)
>C - windows (hub connected to lets say eth0)
>Is this how I should do it? How to configure FIREWALL. Where should I
1. If eth0 connects to the LAN and eth1 to the DMZ ... what connects the
firewall to the "Provider" device? I've assumed a third Ethernet interface,
but until you clarify this point (and provide other details about
"Provider", including the relationship between its IP address and the block
of 32 you have), everything that I or anyone else says here is a guess and
may be completely wrong. To get useful help, you simply have to clear up
2. Until you tell us how DNS is provided now, it is hard to say how you
should do it in this new configuration. You haven't indicated the domain that
is involved (I assume it is not the one you are e-mailing us from, since
that IP address ends in .77 and you say this one uses ".16-.32" (I assume
the .32 is a typo, since a normal 32-address range runs from 0-31 or 32-63,
not, say, 16-47). Based on what you have said, I would guess that you can
continue to use whatever DNS solution you use now.
3. Someone else will have to answer your implied question about ftp and
virtual hosts, as I am not familiar with that.
Once you have clarified these matters, it might be possible to suggest
how to configure a suitable firewall. At this point, I can't even tell you
how to configure a Linux host as a router, let alone as a firewall, because
I do not understand enough about the "Provider" device.
------------------------------------"Never tell me the odds!"---
Ray Olszewski -- Han Solo
Palo Alto, CA firstname.lastname@example.org
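The reply above makes two points that are easy to check mechanically: a 32-address IPv4 block is a /27 that must start on a multiple of 32 (so it runs 0-31 or 32-63, never 16-47), and its first and last addresses are the network and broadcast addresses rather than usable hosts. The following script is an added example, not part of the original thread or anything either poster wrote. It uses Python's standard `ipaddress` module and the documentation prefix 192.0.2.0 as a stand-in for the unspecified "a.b.c" (an assumption); the function names are mine.

```python
"""Subnet sanity checks for a 32-address (/27) block, as discussed in the thread.

Added example: 192.0.2.0 stands in for the poster's unspecified a.b.c.0
(an assumption; it is a documentation-only prefix). The checks answer the
questions raised in the reply: what the block's network and broadcast
addresses are, whether a claimed range such as ".16-.32" can be one aligned
block at all, and how a client's default-gateway address relates to the block.
"""
import ipaddress


def block_for(addr: str, size: int = 32) -> ipaddress.IPv4Network:
    """Return the aligned block of `size` addresses that contains `addr`.

    size must be a power of two; 32 addresses -> /27, 64 -> /26, and so on.
    strict=False lets us pass a host address rather than the network address.
    """
    if size < 1 or size & (size - 1):
        raise ValueError("block size must be a power of two")
    prefixlen = 32 - (size.bit_length() - 1)
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def describe(net: ipaddress.IPv4Network) -> dict:
    """Network, broadcast, usable host range and host count for a block."""
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable": len(hosts),
        # The address right after the broadcast starts the "next" network.
        "next_network": str(net.broadcast_address + 1),
    }


def is_aligned_block(first: str, last: str) -> bool:
    """True only if first..last is exactly one aligned block (network..broadcast).

    This is the check that rules out ranges like .16-.47 or .1-.32: the span
    may contain 32 addresses, but it does not sit on a 32-address boundary.
    """
    f = ipaddress.ip_address(first)
    l = ipaddress.ip_address(last)
    size = int(l) - int(f) + 1
    if size < 1 or size & (size - 1):
        return False
    net = block_for(first, size)
    return net.network_address == f and net.broadcast_address == l


def gateway_relation(net: ipaddress.IPv4Network, gateway: str) -> str:
    """Classify a client's default gateway relative to the provider-assigned block.

    A gateway inside the block means the provider device holds one of the
    customer's 30 usable addresses; outside the block means a separate link
    network exists between the provider and the customer, which is exactly the
    detail the reply asks the poster to find out.
    """
    g = ipaddress.ip_address(gateway)
    if g == net.network_address or g == net.broadcast_address:
        return "invalid: network or broadcast address"
    if g in net:
        return "inside block"
    return "outside block"


if __name__ == "__main__":
    blk = block_for("192.0.2.1")
    print(blk, describe(blk))
    for lo, hi in [("192.0.2.0", "192.0.2.31"), ("192.0.2.16", "192.0.2.47"),
                   ("192.0.2.1", "192.0.2.32"), ("192.0.2.32", "192.0.2.63")]:
        print(f"{lo}-{hi} aligned block: {is_aligned_block(lo, hi)}")
    for gw in ["192.0.2.1", "192.0.2.31", "198.51.100.1"]:
        print(f"gateway {gw}: {gateway_relation(blk, gw)}")
```

Running it shows that 192.0.2.0/27 has usable hosts .1 through .30 with .31 as broadcast and .32 starting the next /27, that ".16-.47" and ".1-.32" are not aligned blocks while ".0-.31" and ".32-.63" are, and how the gateway address found on a Windows client narrows down what the "Provider" device is.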