
Re: Firewall Public IP's?

On Thu, 11 Apr 2002, Mike Egglestone wrote:

> Thanks for the tips!
> So just to understand:
> Say the Cisco router is
> x.x.x.254
> I would set eth0 on the debian box to
> x.x.x.253 (same side as Cisco)
> and set eth1 on the debian box to
> x.x.x.252 (local side)
> Then set everything behind the debian box to
> x.x.x.251 or lower?
> I would set the gateway for everything behind the debian
> box to
> x.x.x.252 ?
> I would set IP forwarding via /etc/network/options
> Then use iptables (woody with kernel 2.4) to set the filters etc.
> This sound ok?

This is by and large what has been working fine here at my institute for
more than two years.

> I'm not too familiar with proxy-arp, so this isn't essential?
> Would proxy-arp be like intercepting workstation packets destined
> to the cisco gateway to go thru the debian box instead?

Yes. Proxy-arp comes in handy if you just want to touch absolutely nothing
on the clients and transparently plug the firewall between them and the

Another solution for even more complete transparency is to use a
firewalling bridge, see http://bridge.sourceforge.net for more resources
on that. The latter solution is probably the best, as it even allows to
set up two identical machines side by side, and they will automagically
agree that one actually does bridging while the other sits in standby,
ready to take over with virtually no downtime should the first one fail
(hardware problems hurt...). But this extra flexibility comes at a cost:
you have to patch the kernel, learn to use some more user space tools to
handle the bridging part, probably use both iptables and ebtables (you
find patches and user space tools at the URL above), the former to handle
IP, the latter to handle firewalling of network protocols other than IP.

The (simpler) working solution I have here is just based on

> I would probably have a dhcp server setup to assign the
> workstations their IP's and set their gateway to that of
> the Debian's eth1. (x.x.x.252)

which means that you can easily handle the configuration of the clients
and don't need proxy-arp.

Have fun


Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>

Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 248     Fax : +39 070 71180 222

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
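As an added example (not from the thread, and not Giacomo's or Mike's configuration), a dry-run script that prints the kernel settings and iptables FORWARD rules for the layout discussed above: it assumes eth0 faces the Cisco router and eth1 the workstations, and uses 192.0.2.0/24 as a constructed placeholder for the x.x.x.0 block. Passing `proxyarp` adds the proxy-arp toggle for the transparent variant where clients keep the Cisco as their gateway; without it, the DHCP-assigned gateway at eth1 is assumed.

```shell
#!/bin/sh
# Added example: prints (does not run) the commands, so the rule set can be
# reviewed before piping it into sh on the firewall.
NET=${NET:-192.0.2.0/24}     # constructed placeholder for the public x.x.x.0/24
WAN_IF=${WAN_IF:-eth0}       # interface on the Cisco router's side (x.x.x.253)
LAN_IF=${LAN_IF:-eth1}       # interface on the workstation side (x.x.x.252)
IPT=${IPT:-iptables}

build_rules() {
    # Forwarding must be on for the box to route between eth0 and eth1
    # (the thread does this via /etc/network/options; the sysctl is equivalent).
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Proxy-arp only for the variant where clients still point at the Cisco:
    # the firewall then answers ARP for the router on the LAN side.
    if [ "$1" = "proxyarp" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/conf/$LAN_IF/proxy_arp"
    fi
    echo "$IPT -F FORWARD"
    echo "$IPT -P FORWARD DROP"
    # Anti-spoofing: packets claiming a LAN address must never arrive from the router side.
    echo "$IPT -A FORWARD -i $WAN_IF -s $NET -j DROP"
    # Workstations may open connections outward.
    echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $NET -j ACCEPT"
    # Only replies to those connections come back in (kernel 2.4 state tracking).
    echo "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Log whatever the policy drops, so the ruleset can be tuned from the logs.
    echo "$IPT -A FORWARD -j LOG --log-prefix 'FWD-DROP: '"
}

build_rules "$@"
```

Review the printed commands, then apply them with `sh firewall.sh | sh` (or `sh firewall.sh proxyarp | sh`) as root on the Debian box.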