
Re: How to route



Marco Tassinari writes:
 > 
 > 
 > Hello,
 >  I wonder what is the best solution for security in this ASCII-art
 > network:
 > 
 > 
 >            [router]
 >               |
 >            [let's call it firewall even if it's not one for the moment]
 >               |
 >               +--------------|-------------|----....----|
 >               |              |             |            |
 >            [server]         [PC]          [PC]         [PC]
 > 
 > 
 >  The topology is untouchable: this is a marketing request.
 >   In the empty space I put my firewall: a filter and proxy (squid)
 >   server, Debian potato with kernel 2.2.19, ipchains-based.
 >   It seems a good solution to me.
Hmm, it seems good, but you should take great care: this machine
would become your main headache for security purposes. Evidently
all your connected PCs are in local subnets and the router is configured
to drop any local-subnet packets attempting to go out.

 >   The trouble is a pre-set NAT table in the router: the single
 >   external IP is remapped to the internal address of the server.
Maybe you could give the server's address to the firewall ;-) Then you don't
have to touch the router's configuration.

 >   I don't know how to tell the router 'route add default gw firewall'...
You should never do that: since I suppose the router is your external access,
its default route must be another router ... But you can tell the router to
redirect all traffic for the server to the firewall.

 >   and my manager said: <<the router is preferably not to be modified>>.
He could just change the router's configuration to whatever you choose for the
firewall's address and remap all public traffic (filtering all you don't need)
to your firewall. Then configuring your firewall would be like configuring the
router directly, except there is another gate between you and the wild wild
Internet. It's a good thing. Anyway, for more security, you should try to
configure your router to drop all incoming connections to critical services
running on the firewall.

 > 
 >   So I thought:
 > 
 >   First solution: to make the firewall a bridge for incoming
 >                   connections to the server, and a normal filter+proxy for
 >                   outgoing ones. It seems not so good to me.
 > 
 >   Or: to make the firewall use a 2.4.5 kernel, and use iptables NAT to
 >       redirect in some way the router --> server connection. I think (but
 >       I'm not sure) it should work. It costs me a lot to upgrade to
 >       iptables.
They're not so different, and some existing tools do convert your old rules to
the new iptables ones. You can also keep ipchains compatibility within your
2.4 kernel (I've never tested it, but I understood it was possible).

One last thing: your two solutions are nearly the same solution. Making your
firewall a bridge for the server's connections means it acts as a NAT for the
server's address, and you can do it with ipchains / iptables.

See the NAT and port-forwarding HOWTOs for a complete explanation ...
 > 
 > 
 >  What do you suggest?
In conclusion, you'll ask your manager to modify the router's configuration
anyway.

 > Thanks!, Marco

Regards.

-- 
Davy Gigan
System & Network Administration
University Of Caen (France)

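The following is an added example, not part of the thread above and not Davy's or Marco's code. It shows the 2.4-kernel / iptables variant of what the reply suggests: the firewall takes over the address the router's NAT entry already points at, DNATs only the published ports on to the server's new internal address, sends the PCs' web traffic through squid, and exposes its own services (squid, ssh) to the LAN side only, so nothing arriving from the router can reach them. Interface names, addresses, the forwarded ports and the squid port are assumptions chosen for illustration. Run without arguments it only echoes the iptables commands for review; "--apply" as root executes them.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rule set for the 2.4-kernel
# variant of the setup above. Interface names, addresses and the forwarded
# ports are assumptions chosen for illustration.
EXT_IF=eth0               # towards the router; now holds the address the router maps to
INT_IF=eth1               # towards the switch with the server and the PCs
LAN_NET=192.168.1.0/24    # assumed internal subnet
SERVER=192.168.1.10       # assumed new internal address of the server
SQUID_PORT=3128           # squid listening on the firewall

# Real iptables calls only when run as "./fw.sh --apply" (as root);
# otherwise every command is echoed so the rule set can be reviewed first.
case "${1:-}" in
    --apply) IPT=iptables ;;
    *)       IPT="echo iptables" ;;
esac

# Services the router's NAT entry used to deliver to the server directly.
# One "proto port" pair per line (assumed list).
forwarded_services() {
    printf '%s\n' "tcp 80" "tcp 443" "tcp 25"
}

# Default-deny policies, loopback, and stateful return traffic
# (needs ip_conntrack / ipt_state, present in 2.4 kernels).
base_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services on the firewall itself (squid, ssh) are reachable only from the
    # LAN side; nothing coming in from the router can reach them.
    $IPT -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
}

# Inbound: the router still sends everything for the public address to what
# is now the firewall; hand the published ports on to the server and forward
# nothing else.
inbound_rules() {
    forwarded_services | while read -r proto port; do
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$SERVER"
        $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p "$proto" -d "$SERVER" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Outbound: the PCs' web traffic is transparently handed to squid; everything
# else leaving the LAN is masqueraded behind the firewall's address.
outbound_rules() {
    $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

build_ruleset() {
    $IPT -F
    $IPT -t nat -F
    base_rules
    inbound_rules
    outbound_rules
}

build_ruleset
if [ "$IPT" = iptables ]; then
    # Forwarding is off by default on a 2.4 kernel; enable it only when applying.
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Two caveats a practitioner would want: the transparent REDIRECT to squid only works if squid is configured for it on its side (not shown here), and the DNAT rule matches on the router-facing interface only, so LAN hosts must address the server by its internal address rather than the public one.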

