
Re: Firewall



If it can help, here is the scheme of our network. There are of course three
NICs on the packet filter.


Network 193.x.x.0/30 

(= 193.x.x.0/24 for the internet, static routing table setup by
our ISP: the rest of the world knows that the traffic must pass through x.x.x.2
to reach our network)


                                  gateway ----x.x.x.1 (don't know the other IP of the 
                                             |                router )
                                +---------------------------------+
                                |         x.x.x.2                 |
                Packet filter---|=================================|
                                |       x.x.x.9  |       x.x.x.33 |
                                |   (Gateway)    |    (Gateway)   |
                                +---------------------------------+
                               /                             |
                              /                              |
                             /                               |
                            /                                |
Subnet 1:x.x.x.8/29        /                                 |   Subnet 2:x.x.x.32/27
                          /                                  |
    +-----------------------------+                          |
    |       Bastion Host:         |                          |
    |       x.x.x.10(BH out)      |                          |  +-------------------+
    |       x.x.x.11(BH in)       |                          |--| Server1 (x.x.x.34)|
    +-----------------------------+                          |  +-------------------+
                                                             |
                                                             |
                                                             |  +-------------------+
                                                             |--| server2 (x.x.x.43)|
                                                             |  +-------------------+
                                                             |
                                                             |  +-------------------+
                                                             |--| server3 (x.x.x.44)|
                                                             |  +-------------------+    
                                                             |
                                                             |
                                                             |
                                           +-----------------------------------------+
                                           |       x.x.x.42 (gateway to private net) |
                                           |=========================================|
                                           |     192.168.x.1 (Private Gateways)      |
                                           |     172.16.x.1  (Private Gateways)      |
                                           +-----------------------------------------+


Of course, every machine in subnet x.x.x.0/30 has a netmask of 255.255.255.252;
every machine in subnet x.x.x.8/29 has a netmask of 255.255.255.248;
every machine in subnet x.x.x.32/27 has a netmask of 255.255.255.224.

There are no possible contacts through hubs or cables except the packet-filter.
The packet filter is configured to route the IP packets (of course :-)

The routing table of the packet filter is (it's OpenBSD, but the principle is
the same)

Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            x.x.x.1            UGS         0  9300794   1500  de0
127/8              127.0.0.1          UGRS        0        0  32972  lo0
127.0.0.1          127.0.0.1          UH          2       97  32972  lo0
172.16/16          x.x.x.51           UGS         0       80   1500  de2
192.168/16         x.x.x.51           UGS         0   124529   1500  de2
x.x.x.0/30         link#1             UC          0        0   1500  de0
x.x.x.8/29         link#2             UC          0        0   1500  de1
x.x.x.32/27        link#3             UC          0        0   1500  de2
  
I'm not sure that arp could manage to proxy three different subnets, but with
two, there are no problems at all:

Let's say the subnet 2 (x.x.x.8) is still in x.x.x.0/24 for the net: all I have
to do is to publish the MAC address of the router for all IPs inside x.x.x.8.
All the machines in subnet x.x.x.8 would know they are in that subnet, and their
gateway would be x.x.x.9.

(in fact, I think linux's arp can manage to proxy complete subnets, which Obsd
can't: it needs to be checked)

By the way, asking your ISP to change his routing tables once the design of your
network is made would be a better solution.



Marc Dubrowski					
Kind of a Network Administrator	
K.B.I.N.I.R.Sc.N.B.				
29 rue Vautier B-1040 Brussels, Belgium		
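A small planning check for the layout described above, added here as an example and not part of the original post or of the poster's setup. It uses constructed 192.0.2.0/24 (TEST-NET-1) addresses in place of the anonymised 193.x.x.0/24, verifies that the /30, /29 and /27 fit inside the ISP-routed /24 without overlapping, and lists the addresses for which the packet filter would have to answer ARP on the outer interface if the ISP still treats a subnet as part of the flat /24:

```python
import ipaddress

# Constructed stand-in for the post's anonymised 193.x.x.0/24: the block the ISP
# routes to the packet filter's outer address (x.x.x.2). 192.0.2.0/24 is TEST-NET-1.
ISP_BLOCK = "192.0.2.0/24"

# The three link-routed subnets from the post's routing table, keyed by interface.
SUBNETS = {
    "de0": "192.0.2.0/30",    # outer link to the ISP router
    "de1": "192.0.2.8/29",    # subnet 1 (bastion host)
    "de2": "192.0.2.32/27",   # subnet 2 (servers, gateway to the private nets)
}


def check_plan(isp_block, subnets):
    """Return {interface: netmask} after checking that every subnet lies inside
    the ISP block and that no two subnets overlap (an overlap would leave the
    packet filter with two link routes claiming the same hosts)."""
    block = ipaddress.ip_network(isp_block)
    nets = {iface: ipaddress.ip_network(n) for iface, n in subnets.items()}
    for n in nets.values():
        if not n.subnet_of(block):
            raise ValueError(f"{n} is not inside {block}")
    items = list(nets.values())
    for i, a in enumerate(items):
        for b in items[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return {iface: str(n.netmask) for iface, n in nets.items()}


def proxy_arp_targets(subnet, gateway):
    """Host addresses the packet filter must answer ARP for on the outer
    interface while the ISP still sees the subnet as part of the flat /24
    (the post's 'publish the MAC address of the router for all IPs inside
    x.x.x.8'). The gateway is the filter's own address and is excluded."""
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not in {net}")
    return [str(h) for h in net.hosts() if h != gw]


if __name__ == "__main__":
    for iface, mask in check_plan(ISP_BLOCK, SUBNETS).items():
        print(f"{iface}: {SUBNETS[iface]} netmask {mask}")
    print("proxy ARP on de0 for:", proxy_arp_targets(SUBNETS["de1"], "192.0.2.9"))
```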