Again, Firewall Public IPs?
Hi debian-firewall,
I just followed the thread about firewalling public IPs, and I have a
similar problem. I hope you won't have to repeat your answers all over,
but unfortunately I did not understand enough.
Right now, our site looks like this:
we have a class C network with network address, say, x.x.x.0
[server x.x.x.5 ]---+
                    |  0        1
[box    x.x.x.23]---+----[Router]----[Internet]
                    |
[box    x.x.x.45]---+
Assume the address on interface 0 of the router is x.x.x.2.
Now I want to use a Debian box as a firewall, like this:
[server x.x.x.1 ]---+
                    |  0            1  0        1
[host   x.x.x.23]---+----[Debian-box]----[Router]----[Internet]
                    |
[host   x.x.x.45]---+
This setup should go with minimal changes for the internal hosts: no
NAT, and preferably no gateway address change. And I don't like the idea
of touching the router, if possible.
My idea would be to set up the Debian box as a bridge, using the IP
x.x.x.2 on interface 0 and some other IP (like x.x.x.250) on interface
1, while the router still uses x.x.x.2 as its internal address.
This way the internal hosts need no reconfiguration because the gateway
still has the same address; I can't see any problems on this side.
However, will the router be able to deliver connections to internal
hosts (assuming the firewall would accept them)?
Can I use the same IP address for the internal interfaces of both the
bridge and the router? I would have to reconfigure all internal hosts
or the router if not (sucks).
Another way would be to turn the firewall into a router and use private
IPs for the network between the firewall and the router. So interface 1
of the firewall gets 10.0.0.1 and the router's interface gets 10.0.0.2.
This is not preferred since I don't like messing with that router.
Can someone comment on all this, will it work?
What are common pitfalls with such a setup? I have no practical
experience with firewalls, but some knowledge of how IP works.
I think the term bridge means an IP bridge here, which means that the
router will get all Ethernet packets from the same MAC source address
(the bridge's interface 1), so that the router sends answers back there
rather than using the MAC address of the real source host as the
destination. Correct?
All answers are welcome, thank you.
Stephan Balmer
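As an added example (not from the post or from any reply to it), here is how the bridging variant described above can be configured on a Debian box: a transparent bridge whose member ports carry no address of their own, a separate management address for the bridge, and a default-deny nftables forward ruleset. It assumes eth0 faces the internal hosts, eth1 faces the router, iproute2 and nftables are installed, and 192.0.2.0/24 stands in for the post's x.x.x.0/24.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumes eth0 = inside (towards
# the hosts), eth1 = outside (towards the router), iproute2 + nftables present.
# 192.0.2.0/24 is a constructed placeholder for the post's x.x.x.0/24.
set -eu

LAN=192.0.2.0/24      # placeholder for x.x.x.0/24
SERVER=192.0.2.5      # placeholder for the internal server x.x.x.5
MGMT=192.0.2.250/24   # management address of the bridge itself (assumed free)
INSIDE=eth0
OUTSIDE=eth1

# Build the bridge. The member ports get no IP; the router keeps x.x.x.2 and
# the hosts keep their gateway, since frames cross with their original MACs.
make_bridge() {
    ip link add name br0 type bridge
    ip link set "$INSIDE" master br0
    ip link set "$OUTSIDE" master br0
    ip link set "$INSIDE" up; ip link set "$OUTSIDE" up; ip link set br0 up
    ip addr add "$MGMT" dev br0
    # Send bridged IPv4 frames through the netfilter forward hook so the
    # inet ruleset below sees them.
    modprobe br_netfilter
    sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Forward-path policy: default deny, internal hosts may go out, replies come
# back via conntrack, and only the server's published services are reachable.
ruleset() {
    cat <<EOF
flush ruleset
table inet bridgefw {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        ip saddr $LAN accept
        ip daddr $SERVER tcp dport { 25, 80, 443 } ct state new accept
        ip daddr $LAN icmp type echo-request limit rate 5/second accept
    }
}
EOF
}

case "${1:-show}" in
    apply) make_bridge; ruleset | nft -f - ;;   # needs root
    show)  ruleset ;;                           # print the ruleset only
esac
```

Run it without arguments to review the generated ruleset; `apply` as root builds the bridge and loads it.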