
Re: Firewall or bridge?



* David Gaudine (david@annette.concordia.ca) [030414 11:28]:
> I've been reading about firewalls, and can't figure out what to put in
> "interfaces" for my situation.  I now think that the problem is I need a
> bridge rather than the kind of firewall I was reading about.  My
> situation is:
> 
> - Static IP with public addresses
> - Gateway 132.205.50.1 is on the "internet" side, all other 132.205.50.x
> on the "inside".  This is why I can't figure out what to put in
> "interfaces", since the net mask would put the gateway on the wrong
> side.
> - router is far away, and expects to be connected to a switch.  My
> understanding is that to use a firewall I'd have to get the gateway
> configured to address everything to my firewall, and I don't want to
> mess with the router.
> 
> My questions are
> 1) Am I right about needing a bridge?

Not necessarily.  There are a few different ways you can do this.

If you have enough addresses, you can subnet your address space.

You could also just use NAT, and use DNAT for inbound connections to
specific hosts.

You can use proxy ARP and some static routing to do the right thing
here.

So you'll have something like this:

Internet
Gateway (132.205.50.1)
Firewall external (132.205.50.2)
Firewall internal (132.205.50.3)
switch
LAN hosts (132.205.50.x)

Then do something like this on the firewall:

# host route: the gateway alone lives out the external interface
ip route add 132.205.50.1 dev eth0
# the whole 132.205.50.x LAN lives out the internal interface
# (a /32 here would cover only the single address 132.205.50.0)
ip route add 132.205.50.0/24 dev eth1

So that it knows to send all of the 132.205.50.0/32 traffic to eth1
(internal) except for 132.205.50.1, which it sends to eth0.

Then you'll have to set it up to proxy arp so that the gateway sees all
of the internal machines via the firewall's external interface and the
internal machines see the gateway via the firewall's internal interface.

Alternatively, you can set up proxy arp in just one direction (so that
the router can see the clients via the firewall's external interface)
and just use regular IP routing in the other direction.  This way, you
don't have to mess with the router; just set the clients' default
gateway to the firewall's internal interface.

I realize this is kind of a half-baked answer, but at least hopefully it
will give you an overview and some better keywords to search with.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
#include<stdio.h>
int main() {
    puts("Reader! Think not that \n"
         "technical information \n"
         "ought not be called speech;");
    return 0;
}
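The routing and proxy-ARP logic described in the reply, as an added worked example (not code from the original mail): a small longest-prefix-match route table plus the simplified Linux proxy_arp rule ("answer an ARP request only if my route to the target leaves via a different interface"). It assumes eth0 faces the gateway 132.205.50.1 and eth1 faces the 132.205.50.0/24 LAN, adds a default route via eth0 that the mail does not show, and compares the table as posted (a /32 on the LAN route) with a /24, showing why the /32 leaves the LAN unreachable from the gateway. It also models the "proxy ARP in one direction only" variant from the reply.

```python
import ipaddress


class RouteTable:
    """Minimal kernel-style routing table: the longest matching prefix wins."""

    def __init__(self):
        self.routes = []  # list of (network, outgoing interface)

    def add(self, prefix, dev):
        self.routes.append((ipaddress.ip_network(prefix, strict=False), dev))

    def lookup(self, dst):
        """Return the outgoing interface for dst, or None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, dev in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        return best[1] if best else None


def proxy_arp_answers(table, proxy_arp_devs, arp_in_dev, target):
    """Simplified Linux proxy_arp rule: the firewall answers an ARP request
    for `target` received on `arp_in_dev` with its own MAC only if proxy_arp
    is enabled on that interface and its route to `target` leaves through a
    different interface."""
    if arp_in_dev not in proxy_arp_devs:
        return False
    out_dev = table.lookup(target)
    return out_dev is not None and out_dev != arp_in_dev


def build_table(lan_prefix):
    """Firewall routing table from the mail, with the LAN prefix as the
    parameter under test.  The default route is an assumption added here:
    the mail does not show it, but the firewall needs it to reach the
    Internet through the gateway."""
    t = RouteTable()
    t.add("132.205.50.1/32", "eth0")   # ip route add 132.205.50.1 dev eth0
    t.add(lan_prefix, "eth1")          # ip route add <lan_prefix> dev eth1
    t.add("0.0.0.0/0", "eth0")         # assumed: default route toward the gateway
    return t


AS_POSTED = build_table("132.205.50.0/32")   # /32 covers the single address .0
CORRECTED = build_table("132.205.50.0/24")   # the whole 132.205.50.x LAN

BOTH_DIRECTIONS = {"eth0", "eth1"}  # proxy_arp on both interfaces
ONE_DIRECTION = {"eth0"}            # proxy_arp only toward the gateway

# Constructed sample addresses: one LAN host and one address out on the Internet.
LAN_HOST = "132.205.50.20"
GATEWAY = "132.205.50.1"
REMOTE = "198.51.100.7"


def report(label, table, proxy_devs):
    print(f"== {label}")
    for dst in (LAN_HOST, GATEWAY, REMOTE):
        print(f"  route to {dst:15} -> {table.lookup(dst)}")
    # Does the gateway's ARP request for a LAN host (arriving on eth0) get answered?
    print("  answer gateway's ARP for LAN host :",
          proxy_arp_answers(table, proxy_devs, "eth0", LAN_HOST))
    # Does a LAN host's ARP request for the gateway (arriving on eth1) get answered?
    print("  answer LAN host's ARP for gateway :",
          proxy_arp_answers(table, proxy_devs, "eth1", GATEWAY))


if __name__ == "__main__":
    report("as posted (/32), proxy_arp both ways", AS_POSTED, BOTH_DIRECTIONS)
    report("corrected (/24), proxy_arp both ways", CORRECTED, BOTH_DIRECTIONS)
    report("corrected (/24), proxy_arp on eth0 only", CORRECTED, ONE_DIRECTION)
```

With the /32 route, a LAN host falls through to the default route on eth0, so the firewall never proxies for it toward the gateway and the inside is unreachable from outside; with the /24 both proxy-ARP directions work. In the one-direction variant the LAN hosts' ARP for the gateway goes unanswered, which is exactly why the reply says to point their default gateway at the firewall's internal address instead.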
