Re: OT: Advice on network setup
You might also look at bridges.
Try this:
http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO
Fire-walling
There is a patch to the bridging code which allows you to use
IP chains on the interface inside a bridge. More info about this
you'll find at Section 7.2.
and there is probably more. Bridging is labelled "experimental"
in the 2.2 kernel (which I am using). Take a look at the 2.4 kernel.
Upon reflection, I think that a bridge/firewall made from a 2.4
kernel may be worth looking at. It would get around the problem
listed in my Caveats.
Doug.
On Mon, Feb 03, 2003 at 12:17:47AM -0400, Douglas Guptill wrote:
> On Mon, Feb 03, 2003 at 10:14:35AM +1100, Lucas Barbuto wrote:
>
> > > What will work? What configuration do I recommend? That depends
> > > *very* much on what you want to achieve by installing a firewall.
> > > In particular, do you want/need to maintain the visibility of
> > > the co-located hosts with their public IPs?
> >
> > Yes, definitely. It needs to be transparent. It needs to count traffic
> > going in and out and I'd like to be able to block ports on a per host
> > basis.
> >
> > So now that you know, advice please!?! :)
>
> Here it comes. You need to subnet.
>
>
> network address: 203.35.176.224
> gateway: 203.35.176.225
> first usable: 203.35.176.226
> last usable: 203.35.176.238
> broadcast address: 203.35.176.239
> netmask: 255.255.255.240
>
> Notation: Five of the six lines above (all except "gateway")
> can be abbreviated like this: 203.35.176.224->239.
> I use that abbreviation below. The second number
> is the gateway and interface IP for the network
> in question.
>
> datacentre gateway
> | 203.35.176.225
> |
> | 203.35.176.224->227
> | 203.35.176.226
> -----------
> | | firewall
> -----------
> 203.35.176.228->231 | (|) 203.35.176.232->239
> 203.35.176.229 | (|) 203.35.176.233
> | (|)
> | (|)
> | (|)
> --------------
> | hub |
> --------------
> |
> |
> |
> -------------------------------
> | | | | | |
> .231 .235 .236 .237 .238 .239
>
>
> Caveats:
>
> 1. I'm not entirely sure how, or if, traffic for the 6 public IPs
> gets into the firewall. Does the datacentre gateway do arp at
> this point, and drop the traffic if it does not get a response?
> Can the firewall be coaxed into responding for them?
>
> This problem could turn everything above into complete nonsense.
>
> Can the datacentre gateway be told that its network is
> 203.35.176.224->227, which matches the other machine on that
> network - the firewall exterior, and that .226 is a gateway?
> This would solve the problem.
>
>
> Notes:
>
> 1. I show two interfaces on the internal side of the firewall.
> However Linux will let you make virtual interfaces,
> (say yes to aliasing support when you build your kernel)
> so you only need one real interface.
>
>
> Cheers,
> Doug.
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
--
Douglas Guptill dguptill@thinweb.com
Quality Assurance Specialist,
ThinWEB Technologies Inc. http://www.thinweb.com
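The subnetting plan in the quoted message is easy to check mechanically. The following Python script is an added example, not code from the thread or from any HOWTO it links: it expresses the /28 and the three sub-networks drawn in the diagram as CIDR blocks (the names "exterior", "inside-a" and "inside-b" are ours), reproduces the six-line summary the post uses, verifies that the sub-networks fit inside the parent block without overlapping, and reports which sub-network each host address hanging off the hub lands in and whether it is a usable host address there.

```python
import ipaddress

# The /28 the datacentre assigned, as given in the thread.
PARENT = ipaddress.ip_network("203.35.176.224/28")

# The three sub-networks the diagram carves out of it, written in CIDR.
# The names are ours (constructed); the ranges are the ones drawn in the post.
SUBNETS = {
    "exterior": ipaddress.ip_network("203.35.176.224/30"),  # .224->227, firewall ext .226
    "inside-a": ipaddress.ip_network("203.35.176.228/30"),  # .228->231, firewall int .229
    "inside-b": ipaddress.ip_network("203.35.176.232/29"),  # .232->239, firewall int .233
}

# The six host addresses hanging off the hub in the diagram (constructed
# list taken from the figure, which gives them in abbreviated .NNN form).
HUB_HOSTS = ["203.35.176.%d" % n for n in (231, 235, 236, 237, 238, 239)]


def summarize(net):
    """Return the six-line summary the post uses for a network, plus the
    number of usable host addresses once the gateway/interface address
    (the second address, by the post's convention) is set aside."""
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "gateway": str(hosts[0]),
        "first usable": str(hosts[1]),
        "last usable": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "usable": len(hosts) - 1,
    }


def check_plan(parent, subnets):
    """Verify a subnetting plan: every sub-network must lie inside the parent,
    and no two sub-networks may overlap. Returns a list of problem strings;
    an empty list means the plan is consistent."""
    problems = []
    names = list(subnets)
    for name in names:
        if not subnets[name].subnet_of(parent):
            problems.append("%s (%s) is not inside %s" % (name, subnets[name], parent))
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append("%s and %s overlap" % (a, b))
    return problems


def place_host(addr, subnets):
    """Say which sub-network a host address falls in and whether it is a
    usable host address there (i.e. not the network or broadcast address).
    Returns (name, usable); name is None if no sub-network contains it."""
    ip = ipaddress.ip_address(addr)
    for name, net in subnets.items():
        if ip in net:
            usable = ip not in (net.network_address, net.broadcast_address)
            return name, usable
    return None, False


if __name__ == "__main__":
    for key, val in summarize(PARENT).items():
        print("%-14s %s" % (key + ":", val))
    print("plan problems:", check_plan(PARENT, SUBNETS) or "none")
    for h in HUB_HOSTS:
        print(h, "->", place_host(h, SUBNETS))
```

Running it prints the same network/gateway/first/last/broadcast/netmask lines the post lists for the /28, confirms the three sub-networks nest without overlap, and, for each hub address, shows the sub-network it belongs to and whether it is usable; the network and broadcast address of each smaller block cannot be assigned to a host, which is the kind of detail worth checking before cutting a /28 into /30s and a /29.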