
Re: Firewall Public IP's?



On Thu, 11 Apr 2002, Mike Egglestone wrote:
> My boss has asked me about possibly firewalling the local area
> network. Normally, I would say "Sure" and assign private IP's, masq
> the whole thing, add some filters and boom, it's done.
> 
> But for some reason, boss wants to keep the public IP's 
> assigned to all the workstations.

I can understand that; there are a number of services that work poorly,
if at all, with private address ranges. It also reduces the reliability
of the network to the reliability of a single machine...

[...]

> As of now, the only firewalling that is taking place is at the
> Router/Gateway that is owned by the ISP. A few acl's are in place.

You can't manage that?

> Is it possible to add a Debian box in here somewhere, to be the
> Firewall and still protect those public IP's?

Yes. It's easy, since you already know how to configure a firewall with
masquerading. The trick, of course, is to put a single firewall machine
in the same place on the network you would use the masq machine, then
firewall the real addresses.

Basically, have two network cards in the firewall. Plug one into the
network that has the upstream connection. Plug the other into the
network with your C-class.

Turn on IP forwarding on the machine; edit /etc/network/options.

Write the firewall rules. Use the real client addresses, not the single
masq address, when you do.

        Daniel

-- 
Across clinical benches with nothing to talk
Breathing tea and biscuits and the Serenity Prayer
While the bones of our child crumble like chalk
O where do we go now but nowhere
        -- Nick Cave, _Where Do We Go Now But Nowhere?_
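
The setup described in the message above, sketched as an added example that is not part of the original post: a two-interface Debian box that routes and filters the workstations' real addresses, with no masquerading. The interface names, the 192.0.2.0/24 documentation range standing in for the site's public block, and the single exposed SMTP host are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: routed firewall rules in iptables-restore format.
# Assumptions (not from the original post): eth0 faces the ISP router,
# eth1 faces the workstations, 192.0.2.0/24 is a placeholder for the
# site's public block, and 192.0.2.25 is a constructed SMTP host.
# Forwarding must also be on: ip_forward=yes in /etc/network/options on
# the Debian release discussed, or sysctl net.ipv4.ip_forward=1 today.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.0.2.0/24
MAIL_HOST=192.0.2.25

# Print the ruleset; only the filter table is used, so no address
# translation happens and every rule names the clients' real addresses.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall itself: loopback, replies, and SSH from the LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Anti-spoofing: LAN sources must arrive on the LAN side, and only there.
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
# Replies to connections that were already allowed.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Workstations may open connections outward from their own addresses.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# One deliberately exposed service, reached at the host's public address.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $MAIL_HOST -p tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Print the rules when asked; as root, pipe them into
# "iptables-restore --test" to parse without committing, then apply.
if [ "${1:-}" = "--print" ]; then
    gen_rules
fi
```

Because the default FORWARD policy is DROP, any workstation service not listed explicitly stays unreachable from outside even though its address is publicly routable.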

