
Re: How to route



   See inline...jc

Thusly Thwacked By Davy Gigan:
> Marco Tassinari writes:
>  > 
>  > 
>  > Hello,
>  >  I wonder what is the best solution for security in this ascii-art
>  > network:
>  > 
>  > 
>  >            [router]
>  >               |
>  >            [let's call it firewall even if it's not one for the moment]
>  >               |
>  >               +--------------|-------------|----....----|
>  >               |              |             |            |
>  >            [server]         [PC]          [PC]         [PC]
>  > 
>  > 
>  >  The topology is untouchable: this is a marketing request.
>  >   In the empty space I put my firewall: a filter and proxy (squid)
>  >   server, Debian potato with kernel 2.2.19, ipchains-based.
>  >   It seems a good solution to me.
> Hum, it seems to be good, but you should take great care, as this machine
> would become your main headache for security purposes. Evidently
> all your connected PCs are in local subnets and the router is configured
> to drop any local-subnet packets attempting to go out.
> 
>  >   The trouble is a pre-imposed NAT table in the router: the unique
>  >   external IP is remapped to the internal address of the server.
> Maybe you could give the server's address to the firewall ;-) Then you don't
> have to touch the router's configuration.

   I second this suggestion.  If your firewall is the address of
   your server, you could set it to only pass connections to the
   server that have destination=firewall and specified ports for
   the allowed services.  I assume the router is doing a direct
   mapping 1:1 NAT, no port address translation for the server and
   dynamic M:1 or M:N NAT for the PC population.

> 
>  >   I don't know how to tell the router 'route add default gw firewall'...
> You should never do that since I suppose the router is your external access; the default
> route must be another router ... But you can tell the router to redirect all stuff
> for the server to the firewall.

   Agreed.

> 
>  >   and my manager said: <<router is preferably not to modify>>.
> He could just change the router's configuration to whatever you choose for the firewall address
> and remap all public traffic (filtering all you don't need) to your firewall. Then configuring
> your firewall would act as if you were configuring the router directly, except there is another
> gate between you and the wild wild internet. It's a good thing. Anyway, for more
> security, you should try to configure your router to drop all incoming connections
> on critical services running on the firewall.

   Your manager is a 'tard if he/she doesn't think the router is part
   of the security solution.  Sounds like he/she needs some educating
   by you.

> 
>  > 
>  >   So I thought:
>  > 
>  >   First solution: to make the firewall be a bridge for incoming
>  >                   connections to the server, and normal filter+proxy for
>  >                   outgoing ones. It seems not so good to me.
>  > 
>  >   Or: to make the firewall use a 2.4.5 kernel, and use iptables NAT to
>  >       redirect in some way the router --> server connection. I think (but
>  >       I'm not sure) it should work. It costs me a lot to upgrade to
>  >       iptables.
> They're not so different and some existing tools do convert your old rules to
> the new iptables ones. You can also keep ipchains compatibility within your
> 2.4 kernel (I've never tested it, but I understood it was possible).
> 
> Last thing, your two solutions are nearly the same solution: making your
> firewall a bridge for the server's connections means it acts as a NAT for the
> server's address, and you can do it with ipchains / iptables.
> 
> See the NAT and port forwarding HOWTOs for a complete explanation ...
>  > 
>  > 
>  >  What do you suggest?
> As a conclusion, you'll ask your manager to modify the router's configuration
> anyway.
> 
>  > Thanks!, Marco
> 
> Regards.
> 
> -- 
> Davy Gigan
> System & Network Administration
> University Of Caen (France)
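
The arrangement Davy and jc converge on (the firewall takes over the server's address, the router keeps forwarding the public IP to that address, and the firewall passes only the chosen ports on to the relocated server while keeping its own squid port closed on the router side), written out as an added iptables example for the 2.4 kernel Marco considers. This is not code from the thread; every interface, address and port below is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables (2.4 kernel) rules for the
# setup Davy and jc describe. Every address, interface and port below is an
# assumed placeholder, not a value from the post.
EXT_IF=eth0            # interface facing the router
INT_IF=eth1            # interface facing the switch with the server and PCs
FW_IP=192.168.1.10     # address the router's 1:1 NAT maps to (the server's old one)
SRV_IP=192.168.2.10    # the server's new address behind the firewall
LAN=192.168.2.0/24     # internal subnet
ALLOWED_TCP="25 80"    # the only services the server must expose
SQUID_PORT=3128        # squid's default port; must stay LAN-only

# build_rules prints the rule set so it can be reviewed (and checked) without
# root; apply_rules feeds the same lines to sh on the firewall.
build_rules() {
    echo "iptables -F; iptables -t nat -F"
    # Default deny for forwarded traffic: only the explicit holes below pass.
    echo "iptables -P FORWARD DROP"
    # Replies to flows already accepted, in either direction.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # PCs and server may open outbound connections; the router NATs those.
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -m state --state NEW -j ACCEPT"
    for port in $ALLOWED_TCP; do
        # The router delivers public traffic to FW_IP; rewrite it to the server...
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $FW_IP -p tcp --dport $port -j DNAT --to-destination $SRV_IP"
        # ...and accept only that rewritten flow (FORWARD sees the post-DNAT address).
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $SRV_IP -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Davy's last point: services on the firewall itself stay closed on the
    # router side. Traffic for FW_IP that was not DNATed hits INPUT, not FORWARD.
    echo "iptables -A INPUT -i $EXT_IF -p tcp --dport $SQUID_PORT -j DROP"
}

apply_rules() { build_rules | sh; }

# Number of ports opened towards the server, for a quick sanity check.
count_dnat() { build_rules | grep -c -- '-j DNAT'; }

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run it with no argument to print and review the rules; `sh fw.sh apply` loads them on the firewall.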


