
Re: OT: Advice on network setup



On Mon, Feb 03, 2003 at 10:14:35AM +1100, Lucas Barbuto wrote:

> > What will work?  What configuration do I recommend?  That depends 
> > *very* much on what you want to achieve by installing a firewall.
> > In particular, do you want/need to maintain the visibility of
> > the co-located hosts with their public IPs?
> 
> Yes, definitely.  It needs to be transparent.  It needs to count traffic
> going in and out and I'd like to be able to block ports on a per host
> basis.
> 
> So now that you know, advice please!?!  :)

Here it comes.   You need to subnet.


network address:        203.35.176.224
gateway:                203.35.176.225
first usable:           203.35.176.226
last usable:            203.35.176.238
broadcast address:      203.35.176.239
netmask:                255.255.255.240

Notation:  Five of the six lines above (all except "gateway") 
           can be abbreviated like this: 203.35.176.224->239.  
           I use that abbreviation below.  The second number
           is the gateway and interface IP for the network
           in question.

                       datacentre gateway
                                |    203.35.176.225
                                |
                                |    203.35.176.224->227
                                |    203.35.176.226
                           -----------
                           |         | firewall
                           -----------
        203.35.176.228->231   |  (|)  203.35.176.232->239
        203.35.176.229        |  (|)  203.35.176.233
                              |  (|)
                              |  (|)
                              |  (|)
                          --------------
                          |    hub     | 
                          --------------
                                |
                                |
                                |
                  -------------------------------
                  |     |     |     |     |     |
                .231  .235  .236  .237  .238  .239


Caveats:

1. I'm not entirely sure how, or if, traffic for the 6 public IPs
   gets into the firewall.  Does the datacentre gateway do arp at
   this point, and drop the traffic if it does not get a response?
   Can the firewall be coaxed into responding for them?

   This problem could turn everything above into complete nonsense.

   Can the datacentre gateway be told that its network is
   203.35.176.224->227, which matches the other machine on that
   network - the firewall exterior, and that .226 is a gateway?
   This would solve the problem.


Notes:

1. I show two interfaces on the internal side of the firewall.
   However, Linux will let you make virtual interfaces
   (say yes to aliasing support when you build your kernel),
   so you only need one real interface.


Cheers,
Doug.
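The subnet arithmetic behind Doug's table and diagram, as an added example that is not part of the original post. It uses only Python's standard `ipaddress` module. The split of the /28 into a /30 for the firewall exterior (224->227), a /30 (228->231) and a /29 (232->239) is read off the diagram, and the rule that the second address of each network is its gateway comes from the "Notation" paragraph; the function names are my own.

```python
"""Subnet arithmetic for the 203.35.176.224/28 block discussed in the thread.

Added worked example; not code from the original post.
"""
import ipaddress

# The /28 the datacentre allocated: 203.35.176.224->239 in the post's notation.
BLOCK = ipaddress.ip_network("203.35.176.224/28")


def describe(net):
    """Return the six-line table the post uses, as a dict.

    Convention from the post: the first host address of a network is the
    gateway/interface IP, so "first usable" is the address after it.
    Assumes a network with at least two host addresses (/30 or larger).
    """
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "gateway": str(hosts[0]),
        "first_usable": str(hosts[1]),
        "last_usable": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
    }


def carve(block):
    """The three networks drawn in the diagram (assumed from the figure)."""
    exterior = ipaddress.ip_network("203.35.176.224/30")  # 224->227, firewall exterior
    inside_a = ipaddress.ip_network("203.35.176.228/30")  # 228->231, first inside leg
    inside_b = ipaddress.ip_network("203.35.176.232/29")  # 232->239, second inside leg
    subnets = [exterior, inside_a, inside_b]
    if not check_partition(block, subnets):
        raise ValueError("subnets do not partition the block")
    return subnets


def check_partition(block, subnets):
    """True if every subnet lies inside block, none overlap, and they cover it."""
    total = 0
    for i, s in enumerate(subnets):
        if not s.subnet_of(block):
            return False
        if any(s.overlaps(t) for t in subnets[i + 1:]):
            return False
        total += s.num_addresses
    return total == block.num_addresses


def network_for(ip, subnets):
    """Which of the firewall's networks an address belongs to (None if none)."""
    addr = ipaddress.ip_address(ip)
    for s in subnets:
        if addr in s:
            return s
    return None


def is_usable_host(ip, subnets):
    """True only for addresses that are real host addresses, i.e. neither a
    subnet's network address nor its broadcast address."""
    addr = ipaddress.ip_address(ip)
    net = network_for(ip, subnets)
    if net is None:
        return False
    return addr not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    subs = carve(BLOCK)
    for net in [BLOCK] + subs:
        print(net)
        for k, v in describe(net).items():
            print(f"  {k:13s} {v}")
    for ip in ("203.35.176.231", "203.35.176.236", "203.35.176.239"):
        print(ip, network_for(ip, subs), "usable host" if is_usable_host(ip, subs) else "not a host address")
```

Running it reproduces the six-line table for the /28 and for each carved subnet, and `is_usable_host` is the check to run over the per-host addresses hanging off the hub before assigning them: it tells you which addresses in a given subnet are the network or broadcast address rather than hosts you can put a machine on.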


