
Re: Firewallsetup



On Wed, 8 Jul 1998 johannes.tyve@phosworks.se wrote:

> My goal is to setup a firewall to protect my subnet like this:
> 
> Internet
>     |
> Cisco router 	(192.12.120.254)
>     |
> Local net 192.12.120.0 netmask 255.255.255.0
>     |
> FIREWALL eth0 = 192.12.120.190, eth1 = 192.12.120.202
>     |
> Protected subnet 192.12.120.200 netmask 255.255.255.252
> 
> This worked fine when I used masquerading and a fake net (192.168.2.0)
> but not when I try to use real IP addresses and a subnet. This is the
> firewall setup:
> 
> (outside)
> eth0:
> IP = 192.12.120.190
> Netmask = 255.255.255.0
> Network = 192.12.120.0
> Broadcast = 192.12.120.255
> Gateway = 192.12.120.254
> 
> (inside)
> IP = 192.12.120.202
> Netmask = 255.255.255.252
> Network = 192.12.120.200
> Broadcast = 192.12.120.203
> Gateway = 192.12.120.190

you've got mismatched netmasks on the internal subnet and the external
subnet. they won't be able to communicate with each other through the
firewall/gateway box because all the machines on eth0 think that they
have a full /24 (class C), and that 192.12.120.202/255.255.255.252 is on
the local eth0 ethernet, not routed through the fw box.

i'm not sure if i'm explaining this very clearly.

from the nature of the mistake you've made, i think you need to read
up on tcp/ip and on building firewalls before building one. subnetting
isn't that difficult but it's easy to make mistakes if you don't
understand how it works.

unless you've got a good reason not to, stick with using private
addresses (192.168.2.0) for your internal network....that makes building
the firewall purely a routing and ipfw problem, and avoids the hassle of
calculating netmasks. 

if necessary (e.g. for accounting purposes), you can even route between
your external net and your internal 192.168.2.0 net....but then your
internal network can be reached if hosts on your external net are
compromised. security policies are always a tradeoff between convenience
vs. security.


> I have tried to turn on arp and promiscuous mode but that doesn't help.
> I'm able to ping both the Internet, localnet, and subnet from the
> firewall. I'm able to ping the firewall (both addresses) from a host
> on the subnet. Using tcpdump I see that when I ping a host from the
> subnet to the local net then traffic is forwarded out but not back
> to the host on the local net. My ipfw config is set to accept all
> traffic.

yes, that sounds consistent with messing up the subnetting. it's not
an ipfwadm or a routing problem, you have subnetted your IP space
incorrectly.


craig

--
craig sanders
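The routing decision Craig describes can be checked mechanically. The following is an added example, not code from the thread or from either poster: a minimal longest-prefix-match lookup fed with the addresses from the post. The host 192.12.120.10/24 on the local net is a constructed stand-in for "a machine on eth0's network"; everything else (the /24 outside, the /30 inside, the Cisco at .254, the firewall at .190 and .202) comes from the post. It shows that the two networks overlap, that the firewall itself resolves .201 correctly (so pinging from the firewall works), and that a local-net host treats 192.12.120.202 as on-link and never hands the reply to the firewall.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Addresses as given in the post.
OUTSIDE_NET = "192.12.120.0/24"      # local net behind the Cisco
INSIDE_NET = "192.12.120.200/30"     # protected subnet behind the firewall
CISCO = "192.12.120.254"
FW_ETH0 = "192.12.120.190/24"
FW_ETH1 = "192.12.120.202/30"


def host_routes(*ifaces, default_gw):
    """Build a routing table for a host: one on-link route per interface
    (gateway None) plus a default route. Entries are (prefix, gateway)."""
    table = [(str(ip_interface(cidr).network), None) for cidr in ifaces]
    table.append(("0.0.0.0/0", default_gw))
    return table


def next_hop(routes, dst):
    """Longest-prefix match over `routes` for destination `dst`.
    Returns (action, target, matched_prefix) where action is
    'on-link' (ARP for dst directly), 'via' (send to gateway) or 'unreachable'."""
    dst_ip = ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        return ("unreachable", None, None)
    if best_gw is None:
        return ("on-link", str(dst_ip), str(best_net))
    return ("via", best_gw, str(best_net))


def overlaps(a, b):
    """True if two prefixes share any address (the core mistake in the post)."""
    return ip_network(a).overlaps(ip_network(b))


# The firewall knows both networks; its /30 route is more specific than the /24.
FIREWALL_ROUTES = host_routes(FW_ETH0, FW_ETH1, default_gw=CISCO)

# Constructed: an ordinary host on the local net, configured as the post says
# every local-net machine is (a full /24, default gateway = the Cisco).
LOCAL_HOST_ROUTES = host_routes("192.12.120.10/24", default_gw=CISCO)

if __name__ == "__main__":
    print("inside overlaps outside:", overlaps(OUTSIDE_NET, INSIDE_NET))
    # Firewall -> protected host: /30 wins, goes out eth1. Matches "I can ping
    # the subnet from the firewall".
    print("firewall -> 192.12.120.201:", next_hop(FIREWALL_ROUTES, "192.12.120.201"))
    # Local-net host -> protected host: the /24 says it is on-link, so the host
    # ARPs for .202 on eth0's wire instead of sending to the firewall at .190.
    # The reply never reaches the firewall, which is what tcpdump showed.
    print("local host -> 192.12.120.202:", next_hop(LOCAL_HOST_ROUTES, "192.12.120.202"))
    # With a private range inside, the address is off-link and gets routed.
    print("local host -> 192.168.2.5:", next_hop(LOCAL_HOST_ROUTES, "192.168.2.5"))
```

With a private 192.168.2.0/24 inside, the last lookup goes to the default gateway, so the remaining problem is purely routing (the Cisco needs a route to that net via 192.12.120.190) or masquerading, which is the point of Craig's advice.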

