[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Again, Firewall Public IP's?

Hi debian-firewall,

I just followed the thread about firewalling public IPs, and I have a 
similar Problem. I hope you won't have to repeat your answers all over 
but unfortunately I did not understand enough.

Right now, our site looks like this:

we have a class C network, with network address, say x.x.x.0

[server x.x.x.5 ]---+
                    |    0      1
[box    x.x.x.23]---+----[Router]----[Internet
[box    x.x.x.45]---+

Assume the address on interface 0 of the router is x.x.x.2.

Now I want to use a Debian-box as firewall, like this:

[server x.x.x.1 ]---+
                    |    0          1    0      1
[host   x.x.x.23]---+----[Debian-box]----[Router]----[Internet
[host   x.x.x.45]---+

This setup should go with minimal changes for the internal hosts, no 
NAT, preferable no gateway address change. And I don't like the idea of 
touching the router, if possible.
My idea would be to setup the Debian-box as bridge, using the IP 
x.x.x.2 on interface 0 and some other IP (like x.x.x.250) on interface 
1, while the Router still uses x.x.x.2 as his internal address.
This way the internal hosts need no reconfiguration because the gateway 
has still the same address, I can't see any problems on this side.
However, will the router be able to deliver connections to internal 
hosts (assuming the firewall would accept them)?
Can I use the same IP address for the internal interfaces of both the 
bridge and the router? I would have to reconfigure all internal hosts 
or the router if not (sucks).

Another way would be to turn the firewall into a router and use private 
IPs for the network between Firewall and router. So interface 1 of the 
firewall gets and the routers interface
This is not prefered since I don't like messing with that router.

Can someone comment on all this, will it work?
What are common pitfalls with such a setup? I have no practical 
experience with firewalls, but some knowledge of how IP works.

I think the term bridge means an IP-bridge here, which means that the 
router will get all ethernet-packets from the same MAC source address 
(the bridge's interface 1). So that the router sends answers back there 
rather than using the MAC address of the real source host as 
destination, correct?

All answers are welcome, thank you
Stephan Balmer

To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: