[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Firewall

Derek Wueppelmann wrote:
> >> eth0 xx.xx.xx.1 :Connected to the internal network
> >> eth1 xx.xx.xx.2 :Connected to the internet.
> >> # note that the xxx.xxx.xxx are the same subnet since
> >> we are allocated a class C domain.

Minor correction:  to the Internet these addresses are
in the same _network_, not _subnet_, if you have a class C.

> >> my routing table looks similar to this: [abbreviations made]
> >> xx.xx.xx.254     eth1
> >> xx.xx.xx.0       eth0
> >>        xx.xx.xx.254             eth1
> >> ...

> > What you need is subnetting your class C network in several smaller
> > subnets.  The first one would be x.x.x.0/ (or 248
> > if you want severaladdresses outside your firewall, for an i.e.
> > Intrusion detection system)  The other ones would fit your needs.
> >
> >The firewall would then have a NIC (eth0) in the first subnet
> > (x.x.x.0/30(or/29)), and the second one (eth1) would be in any other.
> >--
> Well I tried all of that and it didn't seem to help me out.
> I am stuck using the gateway to the internet as xxx.xxx.xxx.254
> and I can't change this. I have only been trying to get out right
> now, which shouldn't involve our ISP doing any routing work.
> I subneted our class C network using a netmask of
> and put the gateway address as xxx.xxx.xxx.1 and the machine inside
> the firewall as xxx.xxx.xxx.2, the firewall machine can still see
> the outside and inside world and the inside machine can still 
> see both IP addresses of the firewall machine. Any other thoughts?

You missed his point of having the NIC on the "inside" in
a different subnet than that of the NIC on the "outside".

But let me ask first:  isn't the IP on the ISP's side one
out of the ISP's net?  Or are you allocating one of your
IP to your ISP's router?

It should be one or the other, to wit:  URC=YOURCLASSC


With the former, you don't need any subnetting, really, and
is preferable.  With the later, you may need to subnet ...252
with the far end as one of those, and the near end as the other.
The other NIC would be _not_ in that subnet.

The /etc/defaultrouter, or equiv, on the hosts in urnet=URC.n3.

On your router/firewall, 
default dest ( gateway is the IP on the ISPs router.

With you giving the IP to the ISP,
dest xx.xx.xx.0 netmask ...252 gateway xx.xx.xx.yourend

If you're subnetting ...252, _don't_ put two addresses in
_that_ subnet on two of the NICs in your router/firewall.

Reply to: