* David Gaudine (david@annette.concordia.ca) [030414 11:28]:
> I've been reading about firewalls, and can't figure out what to put in
> "interfaces" for my situation. I now think that the problem is I need a
> bridge rather than the kind of firewall I was reading about. My
> situation is:
>
> - Static IP with public addresses
> - Gateway 132.205.50.1 is on the "internet" side, all other 132.205.50.x
>   on the "inside". This is why I can't figure out what to put in
>   "interfaces", since the net mask would put the gateway on the wrong
>   side.
> - router is far away, and expects to be connected to a switch. My
>   understanding is that to use a firewall I'd have to get the gateway
>   configured to address everything to my firewall, and I don't want to
>   mess with the router.
>
> My questions are
> 1) Am I right about needing a bridge?

Not necessarily. There are a few different ways you can do this.

If you have enough addresses, you can subnet your address space. You
could also just use NAT, and use DNAT for inbound connections to specific
hosts.

You can use proxy ARP and some static routing to do the right thing here.
So you'll have something like this:

    Internet
      |
    Gateway (132.205.50.1)
      |
    Firewall external (132.205.50.2)
    Firewall internal (132.205.50.3)
      |
    switch
      |
    LAN hosts (132.205.50.x)

Then do something like this on the firewall:

    ip route add 132.205.50.1 dev eth0
    ip route add 132.205.50.0/32 dev eth1

So that it knows to send all of the 132.205.50.0/32 traffic to eth1
(internal) except for 132.205.50.1, which it sends to eth0. Then you'll
have to set it up to proxy ARP so that the gateway sees all of the
internal machines via the firewall's external interface and the internal
machines see the gateway via the firewall's internal interface.

Alternatively, you can set up proxy ARP in just one direction (so that
the router can see the clients via the firewall's external interface) and
just use regular IP routing in the other direction. This way, you don't
have to mess with the router; just set the clients' default gateway to
the firewall's internal interface.

I realize this is kind of a half-baked answer, but at least hopefully it
will give you an overview and some better keywords to search with.

good times,
Vineet
--
http://www.doorstop.net/
--
#include<stdio.h>
int main() { puts("Reader! Think not that \n" "technical information \n" "ought not be called speech;"); return 0; }
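The routing half of the proxy-ARP setup above, as an added worked example that is not part of the thread: it builds the firewall's two routes (a host route for the gateway out the external interface, the LAN prefix out the internal one), resolves destinations with the same longest-prefix-match rule the Linux kernel uses, and emits the `ip route` and `sysctl` lines that realise it. Assumptions not in the original post: the inside hosts are the whole 132.205.50.0/24 (a /32 route covers only the single address 132.205.50.0, which the example also demonstrates), the interfaces are named eth0 and eth1, and proxy ARP is enabled in both directions (the first variant Vineet describes).

```python
#!/usr/bin/env python3
"""Route planning for a proxy-ARP firewall that splits one public subnet
across two interfaces. Added example, not code from the original thread.

Assumed topology (addresses from the thread; eth0/eth1 and the /24 mask
are assumptions):

    router 132.205.50.1 --- eth0 [firewall] eth1 --- switch --- 132.205.50.x
"""
import ipaddress

GATEWAY = "132.205.50.1"      # from the thread
LAN = "132.205.50.0/24"       # assumption: everything else is inside
EXT_IF, INT_IF = "eth0", "eth1"   # assumption: interface names


def route_table(gateway=GATEWAY, lan=LAN, ext_if=EXT_IF, int_if=INT_IF):
    """Return [(network, dev)]: a /32 host route for the router out the
    external interface and the LAN prefix out the internal one. Table
    order is irrelevant; lookup() picks the most specific match."""
    return [
        (ipaddress.ip_network(f"{gateway}/32"), ext_if),
        (ipaddress.ip_network(str(lan)), int_if),
    ]


def lookup(table, dst):
    """Longest-prefix match over the table. Returns the device name, or
    None when no listed route covers dst (a real box would also have a
    default route via the gateway; that is outside this table)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, dev in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def commands(table, ext_if=EXT_IF, int_if=INT_IF):
    """Linux commands that realise the table: the static routes, IP
    forwarding, and proxy ARP on both interfaces so the router sees the
    LAN hosts behind eth0 and the LAN hosts see the router behind eth1."""
    cmds = [f"ip route add {net.with_prefixlen} dev {dev}" for net, dev in table]
    cmds.append("sysctl -w net.ipv4.ip_forward=1")
    for dev in (ext_if, int_if):
        cmds.append(f"sysctl -w net.ipv4.conf.{dev}.proxy_arp=1")
    return cmds


def main():
    table = route_table()
    for dst in (GATEWAY, "132.205.50.57"):
        print(f"{dst:16} -> {lookup(table, dst)}")
    # Pitfall: a /32 LAN route matches only 132.205.50.0, so an ordinary
    # inside host gets no route at all.
    narrow = route_table(lan="132.205.50.0/32")
    print(f"with a /32 LAN route, 132.205.50.57 -> {lookup(narrow, '132.205.50.57')}")
    print()
    print("\n".join(commands(table)))


if __name__ == "__main__":
    main()
```

Run it to see the resolved devices and the command list; then run the printed commands as root on the firewall. One check before doing so: if eth0 is configured as 132.205.50.2/24, the kernel already holds a connected route for 132.205.50.0/24 on eth0 and the second `ip route add` is rejected. Assign the firewall's own addresses with a /32 mask (or put the /24 only on eth1) so the static routes are the only ones covering the subnet.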