
Re: Firewall



Derek Wueppelmann wrote:
> 
> >> eth0 xx.xx.xx.1 :Connected to the internal network
> >> eth1 xx.xx.xx.2 :Connected to the internet.
> >> # note that the xxx.xxx.xxx are the same subnet since
> >> we are allocated a class C domain.

Minor correction:  to the Internet these addresses are
in the same _network_, not _subnet_, if you have a class C.

> >> my routing table looks similar to this: [abbreviations made]
> >> DESTINATION    GATEWAY      GENMASK        ... IFACE
> >> xx.xx.xx.254   0.0.0.0      255.255.255.255     eth1
> >> xx.xx.xx.0     0.0.0.0      255.255.255.0       eth0
> >> 0.0.0.0        xx.xx.xx.254 0.0.0.0             eth1
> >> ...

> > What you need is subnetting your class C network in several smaller
> > subnets.  The first one would be x.x.x.0/255.255.255.252 (or 248
> > if you want several addresses outside your firewall, e.g. for an
> > intrusion detection system).  The other ones would fit your needs.
> >
> >The firewall would then have a NIC (eth0) in the first subnet
> > (x.x.x.0/30(or/29)), and the second one (eth1) would be in any other.
> >--
> 
> Well I tried all of that and it didn't seem to help me out.
> I am stuck using the gateway to the internet as xxx.xxx.xxx.254
> and I can't change this. I have only been trying to get out right
> now, which shouldn't involve our ISP doing any routing work.
> I subnetted our class C network using a netmask of 255.255.255.252
> and put the gateway address as xxx.xxx.xxx.1 and the machine inside
> the firewall as xxx.xxx.xxx.2, the firewall machine can still see
> the outside and inside world and the inside machine can still 
> see both IP addresses of the firewall machine. Any other thoughts?

You missed his point of having the NIC on the "inside" in
a different subnet than that of the NIC on the "outside".

But let me ask first:  isn't the IP on the ISP's side one
out of the ISP's net?  Or are you allocating one of your
IP to your ISP's router?

It should be one or the other, to wit:  URC=YOURCLASSC

inet===ISP.n1/router/ISP.n2===ISP.n2|n3/yours/URC.x===urnet
or
inet===ISP.x/router/YOURCLASSC.n1===URC.n1|n2/yours/URC.n3===urnet

With the former, you don't need any subnetting, really, and
it is preferable.  With the latter, you may need to subnet ...252
with the far end as one of those, and the near end as the other.
The other NIC would be _not_ in that subnet.

The /etc/defaultrouter, or equiv, on the hosts in urnet=URC.n3.

On your router/firewall, 
default dest (0.0.0.0) gateway is the IP on the ISP's router.

With you giving the IP to the ISP,
dest xx.xx.xx.0 netmask ...252 gateway xx.xx.xx.yourend

If you're subnetting ...252, _don't_ put two addresses in
_that_ subnet on two of the NICs in your router/firewall.
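The two layouts above and the "don't put both NICs in the same ...252 subnet" rule can be checked mechanically. The script below is an added example, not code from anyone in this thread; it uses Python's standard `ipaddress` module and constructed RFC 5737 documentation addresses (192.0.2.0/24 standing in for YOURCLASSC, 203.0.113.0/24 for the ISP's net). `check_layout` flags the mistakes the original poster appears to have made (both firewall NICs in the one /30, and a default gateway that is not on the outside NIC's subnet), and `routing_table` emits the DESTINATION/GATEWAY/GENMASK/IFACE rows the firewall needs for a given layout.

```python
import ipaddress


def check_layout(outside_nic, inside_nic, isp_router):
    """Validate a two-NIC router/firewall layout.

    outside_nic, inside_nic: 'addr/prefix' strings for the NIC facing the
    ISP (eth1 in the thread) and the NIC facing the internal network (eth0).
    isp_router: the ISP router's IP, which becomes the default gateway.
    Returns a list of human-readable problems; an empty list means OK.
    """
    out_if = ipaddress.ip_interface(outside_nic)
    in_if = ipaddress.ip_interface(inside_nic)
    gw = ipaddress.ip_address(isp_router)
    problems = []

    # The core point of the reply: the inside NIC must not sit in the
    # same subnet as the outside NIC, or the kernel cannot tell which
    # interface a local destination belongs to.
    if out_if.network.overlaps(in_if.network):
        problems.append(
            f"inside NIC {in_if} and outside NIC {out_if} share subnet "
            f"{out_if.network}: the two NICs must be in different subnets")

    # The default gateway has to be directly reachable via the outside NIC.
    if gw not in out_if.network:
        problems.append(
            f"ISP router {gw} is not in the outside NIC's subnet "
            f"{out_if.network}: the 0.0.0.0 route has no reachable gateway")

    if gw in (out_if.ip, in_if.ip):
        problems.append(f"ISP router {gw} collides with a firewall NIC address")

    # A /30 has only two usable hosts; .0 and .3 are network/broadcast.
    for label, iface in (("outside", out_if), ("inside", in_if)):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(
                f"{label} NIC {iface.ip} is the network or broadcast "
                f"address of {net}")
    return problems


def routing_table(outside_nic, inside_nic, isp_router,
                  out_iface="eth1", in_iface="eth0"):
    """Rows (DESTINATION, GATEWAY, GENMASK, IFACE) the firewall needs."""
    out_net = ipaddress.ip_interface(outside_nic).network
    in_net = ipaddress.ip_interface(inside_nic).network
    return [
        (str(out_net.network_address), "0.0.0.0", str(out_net.netmask), out_iface),
        (str(in_net.network_address), "0.0.0.0", str(in_net.netmask), in_iface),
        ("0.0.0.0", isp_router, "0.0.0.0", out_iface),
    ]


if __name__ == "__main__":
    # Constructed scenarios (RFC 5737 addresses, not anyone's real network).
    scenarios = {
        # former layout: ISP owns the link subnet, no subnetting of the class C
        "former": ("203.0.113.2/30", "192.0.2.1/24", "203.0.113.1"),
        # latter layout: one address of your ...252 subnet given to the ISP
        "latter": ("192.0.2.2/30", "192.0.2.9/29", "192.0.2.1"),
        # what the original poster seems to have done
        "both NICs in the /30": ("192.0.2.2/30", "192.0.2.1/30", "192.0.2.254"),
    }
    for name, args in scenarios.items():
        print(f"== {name}")
        for p in check_layout(*args) or ["OK"]:
            print("  ", p)
        for row in routing_table(*args):
            print("   %-15s %-15s %-15s %s" % row)
```

Running it prints the "former" and "latter" layouts as OK with their three-row routing tables, and reports two problems for the last scenario: the NICs overlap in 192.0.2.0/30, and 192.0.2.254 is not a gateway the outside NIC can reach.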


