
RE: Firewallsetup



On Wed, 8 Jul 1998 johannes.tyve@phosworks.se wrote:

> > > (outside) eth0:  IP = 192.12.120.190 Netmask = 255.255.255.0
> > > Network = 192.12.120.0 Broadcast = 192.12.120.255 Gateway =
> > > 192.12.120.254
> > >
> > > (inside) eth1:  IP = 192.12.120.202 Netmask = 255.255.255.252
> > > Network = 192.12.120.200 Broadcast = 192.12.120.203 Gateway =
> > > 192.12.120.190
> >
> > you've got mismatched netmasks on the internal subnet and the
> > external subnet. they won't be able to communicate with each
> > other through the firewall/gateway box because all the machines
> > on eth0 think that they have a full /24 (class C), and that
> > 192.12.120.202/255.255.255.252 is on the local eth0 ethernet, not
> > routed through the fw box.
>
> Thanx Craig.
>
> I do need (I think) to use real IP addresses because I need to have
> multiple web-servers (accessible from the Internet) inside the
> firewall that should be protected. I thought it was possible to
> tell my fw box to route all trafic between the two subnets. Is it
> possible to route eg 192.12.12.202 to a host on the private network eg
> 192.168.2.202?

you must have misunderstood what i said (not surprising, because i didn't
explain it very well)

you *can* use 192.12.20 addresses on both sides of the firewall (i.e.
internal and external), as long as they are subnetted properly. this
generally means splitting the net into two or more equally sized
subnets.

for example... 

  two subnets: .0-127 and .128-255, or
 four subnets: .0-63, .64-127, .128-195, and .196-255, or
eight subnets: .0-31, .32-63, .64-96, ..., and .224-255

note it is possible to run more than one subnet on a single ethernet
segment. for example, you could run .0-63, .64-.127, .128-.195 on eth0
and .196-.255 on eth1, as long as you always remember that eth0 actually
had three subnets on it and not just one network. the three eth0 subnets
would only be able to communicate with each via a router (i.e. your
firewall box)...they are completely separate networks even if they
happen to be on the same cable segment!
what you can't do is just take a chunk out of the middle of a net, stick
it on the other side of a firewall and expect that it will work.

(actually, if you're careful and know what you are doing you might be
able to fake it by publishing arp entries for each of the hosts that
'belong' on eth0 but are actually physically located on eth1. possible,
but tricky and complicated and easy to mess up. this is the sort of
thing that evolves - "mutates" is more accurate - into an undocumented
nightmare)


> Other solutions how to protect just a part of my C-net?

one idea that occurs to me is that you could connect your firewall box
directly to the cisco router (use a cross-over 10baseT cable or coax),
and use 192.168.x address for that network segment. all of your hosts
could then be on 192.12.120.0/24. use ipfwadm firewall rules to protect
specific hosts....or protect them all (default policy deny) and use
allow rules to unprotect certain hosts/ports.


something like this:

               192.168.1.0
               +----------+ 
               |          |
               |          |eth0
            +-----+      +-----+
inet <----> :cisco:      :linux:
            +-----+      +-----+
                              |eth1
                              |
                              +--------------------------------------.....
                               192.12.120.0/24 segment (your hosts)

it would simplify things if your ISP could allocate you an IP address
for the cisco's internet (isdn??) interface. your ISP would route
your /24 net to your cisco, and your cisco would know to route it to
the linux box. the linux box would apply firewall rules to filter out
undesirable connections.

it would simplify things even further if you could replace the cisco
with an ISDN card for your linux box. that's assuming your internet
connection is ISDN, of course. if it's some other connection type it may
be worth your while finding out whether linux supports it.

craig

--
craig sanders
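Added example (my own, not part of craig's message or the thread): the subnetting argument above can be checked with Python's stdlib ipaddress module. The script splits a /24 into equal-sized subnets, prints the usable host range of each, and then shows why the quoted setup fails: a host on eth0 configured with a /24 mask believes 192.12.120.202 is on its own cable and will ARP for it there instead of sending the packet to the firewall. The addresses are the ones quoted in the thread; the host names and the "properly split" /25 comparison are constructed for the demonstration.

```python
"""Subnet sanity checks for putting one /24 on both sides of a firewall.

Added example, not from the mailing-list thread. Uses only the stdlib
ipaddress module. Addresses are the ones quoted in the thread; the
/25 'properly split' configuration is constructed for comparison.
"""
import ipaddress
from ipaddress import IPv4Interface, IPv4Network


def equal_subnets(network: str, count: int) -> list[str]:
    """Split `network` into `count` equal subnets; count must be a power of two."""
    net = IPv4Network(network, strict=True)
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    extra_bits = count.bit_length() - 1          # 2 -> 1 bit, 4 -> 2 bits, 8 -> 3 bits
    return [str(sub) for sub in net.subnets(prefixlen_diff=extra_bits)]


def host_range(subnet: str) -> tuple[str, str]:
    """First and last usable host address (network and broadcast excluded)."""
    hosts = list(IPv4Network(subnet).hosts())
    return str(hosts[0]), str(hosts[-1])


def considers_on_link(host: str, destination: str) -> bool:
    """True if a host configured as 'ip/prefix' or 'ip/netmask' treats
    `destination` as directly reachable (ARP on its own segment) rather
    than sending it to its default gateway."""
    iface = IPv4Interface(host)
    return ipaddress.IPv4Address(destination) in iface.network


def diagnose(outside_host: str, inside_host: str) -> dict:
    """Compare a host on eth0 with a host on eth1 and report whether
    their traffic will actually be routed through the firewall box."""
    outside = IPv4Interface(outside_host)
    inside = IPv4Interface(inside_host)
    overlap = outside.network.overlaps(inside.network)
    return {
        "outside_arps_for_inside": considers_on_link(outside_host, str(inside.ip)),
        "inside_arps_for_outside": considers_on_link(inside_host, str(outside.ip)),
        "subnets_overlap": overlap,
        # A clean split means neither side contains the other's addresses.
        "routed_via_firewall": not overlap,
    }


if __name__ == "__main__":
    for count in (2, 4, 8):
        print(f"{count} subnets of 192.12.120.0/24:")
        for sub in equal_subnets("192.12.120.0/24", count):
            first, last = host_range(sub)
            print(f"  {sub:20} hosts {first} - {last}")

    # Quoted setup: eth0 side is a full /24, eth1 side is a /30 carved
    # out of the middle of it (constructed host addresses .5 and .201).
    print("quoted setup:", diagnose("192.12.120.5/255.255.255.0",
                                    "192.12.120.201/255.255.255.252"))
    # Constructed comparison: the /24 split into two /25s.
    print("split into /25s:", diagnose("192.12.120.5/255.255.255.128",
                                       "192.12.120.201/255.255.255.128"))
```

Running it shows that in the quoted setup the eth0 host reports `outside_arps_for_inside: True` and `subnets_overlap: True`, which is exactly the symptom craig describes: the packet never reaches the firewall because the sender does not think it needs a router. With the two /25s both flags are False and the only path between the halves is via the box with an interface in each.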

