
RE: Firewallsetup



> > My goal is to set up a firewall to protect my subnet like this:
> > 
> > Internet
> >     |
> > Cisco router 	(192.12.120.254)
> >     |
> > Local net 192.12.120.0 netmask 255.255.255.0
> >     |
> > FIREWALL eth0 = 192.12.120.190, eth1 = 192.12.120.202
> >     |
> > Protected subnet 192.12.120.200 netmask 255.255.255.252
> > 
> > This worked fine when I used masquerading and a fake net (192.168.2.0)
> > but not when I try to use real IP addresses and a subnet. This is the
> > firewall setup:
> > 
> > (outside)
> > eth0:
> > IP = 192.12.120.190
> > Netmask = 255.255.255.0
> > Network = 192.12.120.0
> > Broadcast = 192.12.120.255
> > Gateway = 192.12.120.254
> > 
> > (inside)
> > eth1:
> > IP = 192.12.120.202
> > Netmask = 255.255.255.252
> > Network = 192.12.120.200
> > Broadcast = 192.12.120.203
> > Gateway = 192.12.120.190
> 
> you've got mismatched netmasks on the internal subnet and the external
> subnet. they won't be able to communicate with each other through the
> firewall/gateway box because all the machines on eth0 think that they
> have a full /24 (class C), and that 192.12.120.202/255.255.255.252 is on
> the local eth0 ethernet, not routed through the fw box.
> 
> i'm not sure if i'm explaining this very clearly.
> 
> from the nature of the mistake you've made, i think you need to read
> up on tcp/ip and on building firewalls before building one. subnetting
> isn't that difficult but it's easy to make mistakes if you don't
> understand how it works.
> 
> unless you've got a good reason not to, stick with using private
> addresses (192.168.2.0) for your internal network....that makes building
> the firewall purely a routing and ipfw problem, and avoids the hassle of
> calculating netmasks.
> 
> if necessary (e.g. for accounting purposes), you can even route between
> your external net and your internal 192.168.2.0 net....but then your
> internal network can be reached if hosts on your external net are
> compromised. security policies are always a tradeoff between convenience
> vs. security.
> 
Thanks Craig.

I do need (I think) to use real IP addresses because I need to have
multiple web servers (accessible from the Internet) inside the firewall
that should be protected. I thought it was possible to tell my fw box to
route all traffic between the two subnets. Is it possible to route e.g.
192.12.12.202 to a host on the private network, e.g. 192.168.2.202?

Other solutions for how to protect just a part of my C-net?

Best regards,
Johannes.
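The netmask mismatch Craig describes, worked through as an added example that is not code from either poster. It models each host's forwarding decision as a longest-prefix match over its routing table, using exactly the addresses posted above: the Cisco router and the firewall's eth0 carry 192.12.120.0/24, the firewall's eth1 carries 192.12.120.202/30. Two things are assumptions made for the illustration: a protected host at 192.12.120.201 (the only address the /30 leaves free once the firewall takes .202), and a static route for the /30 via 192.12.120.190 added to the router, which is the only way a host on the outside segment stops treating .201 as on-link.

```python
import ipaddress

# Interfaces as posted in the thread (outside /24, inside /30).
ROUTER     = ipaddress.ip_interface("192.12.120.254/24")  # Cisco, default gw of the /24
FW_ETH0    = ipaddress.ip_interface("192.12.120.190/24")  # firewall, outside
FW_ETH1    = ipaddress.ip_interface("192.12.120.202/30")  # firewall, inside
INSIDE_NET = ipaddress.ip_network("192.12.120.200/30")
DEFAULT    = ipaddress.ip_network("0.0.0.0/0")
# Assumed for the illustration: the one protected host the /30 can still hold.
INSIDE_HOST = ipaddress.ip_interface("192.12.120.201/30")

# Routing tables as (prefix, next_hop); next_hop None = directly connected,
# i.e. the host ARPs for the destination on that wire instead of forwarding.
ROUTER_ROUTES = [(ROUTER.network, None)]                       # as configured
INSIDE_ROUTES = [(INSIDE_HOST.network, None), (DEFAULT, FW_ETH1.ip)]
# Assumed fix (not in the thread): carve the /30 out of the /24 on the router.
ROUTER_ROUTES_FIXED = ROUTER_ROUTES + [(INSIDE_NET, FW_ETH0.ip)]


def lookup(routes, dst):
    """Longest-prefix match. Returns ('on-link', dst) when the best route is a
    connected prefix, ('via', gateway) otherwise, ('no route', None) if none."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    if best is None:
        return ("no route", None)
    _, nh = best
    return ("on-link", str(dst)) if nh is None else ("via", str(nh))


def free_addresses(net, used):
    """Usable host addresses in `net` (network and broadcast excluded) that
    are not already assigned."""
    used = {ipaddress.ip_address(u) for u in used}
    return [str(h) for h in net.hosts() if h not in used]


def diagnose():
    """Summarise why the posted setup fails in one direction only."""
    return {
        # The inside /30 lies entirely inside the outside /24 ...
        "inside_overlaps_outside": INSIDE_NET.overlaps(FW_ETH0.network),
        # ... so the router ARPs for the protected host on the outside wire
        # and the packet never reaches the firewall.
        "router_to_inside": lookup(ROUTER_ROUTES, INSIDE_HOST.ip),
        # With a more specific route the router hands it to the firewall.
        "router_to_inside_fixed": lookup(ROUTER_ROUTES_FIXED, INSIDE_HOST.ip),
        # The inside host's default route via the firewall is fine as is.
        "inside_to_router": lookup(INSIDE_ROUTES, ROUTER.ip),
        # A /30 has two usable addresses; the firewall already took .202.
        "free_inside": free_addresses(INSIDE_NET, [FW_ETH1.ip]),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

The asymmetry is the whole problem: replies from the protected host get out via the firewall, but nothing on the /24 ever sends to it through the firewall, because every host there (the router included) believes .201 is a neighbour. The last line of the report is the second catch a practitioner would check before choosing a /30 for this: with the firewall on .202 there is room for exactly one protected host, not the several web servers mentioned.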

