Firewall Wizards mailing list archives
RE: NAT
From: Ben Nagy <bnagy () cpms com au>
Date: Tue, 27 Jul 1999 09:49:30 +0930
Urg. This is weird. Stuff inline...

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct: +61 8 8422 8319 Mobile: +61 414 411 520

> -----Original Message-----
> From: Josh Sides [mailto:jzsides () stoneeagle com]
> Sent: Friday, July 23, 1999 6:49 PM
> To: firewall-wizards () nfr net
> Subject: NAT
>
> Hello, I am trying to put a firewall up and my ISP's suggestions seem to
> conflict with my documentation. We are going to put a public web server
> behind the firewall.

Okay. There's problem one. Do you have any amazingly good reason for not putting the public webserver in the DMZ? That's the "normal" way to do it...

> From what I have read we have to use NAT so that people on the internet
> can access sites hosted on this server.

Assuming that you're using illegal or private IP addresses in your private network, then yes, that's right. If you used half of your "half a class C" as the internal network and half as the external network, then you wouldn't need NAT. Not that I'm advocating that.

> The documentation says:

(oh joy)

> Many routers must be configured so that the router uses a subnet mask that
> is greater than or equal to the firewall's subnet mask. If the public IP of
> the web server is not the same as the firewall's non-secure IP, then the
> router must be configured such that it routes traffic for the web server
> via the firewall's non-secure IP address.

Uh, yeah okay. Kinda makes sense. If you use the firewall's IP address as the packet source after NAT then you don't need to worry about routing on the firewall. Seems straightforward.

> The DMZ subnet includes the firewall's non-secure IP address. It also
> includes the IP addresses of any public servers that are placed outside the
> firewall. The DMZ subnet must not be the same as, or overlap with, the
> Reserve (NAT Translation Pool) subnet.

Why not? I can think of some cases for this being nice design, but there's no reason why it should break anything. The only problem is if you assign an IP address to a machine and the same IP address gets used for NAT later. Lump 'em all in, I say, and just apply the Don't Be A Moron principle when assigning IP addresses to servers in the DMZ. This avoids horrible subnet / routing problems.

> We have 1/2 of a class C range of IP addresses (209.51.10.128/25). I believe
> that we have to subnet this even further to meet the conditions named above.
> I am trying to subnet it like this:

[something evil from beyond time and space elided]

Agh! Don't do that. Your netmasks are crazy and you just don't need that many subnets unless you're doing something impossibly complex that relies on the source IP address in the outside world.

> The router is currently configured at 209.51.10.128/25. My ISP says that I
> do not have to do anything to the router for the firewall to work.

Sounds right to me. Even if you create some eldritch subnetting horror as in the original post, the router just needs to throw packets for anywhere in your range out of the correct interface - everything else is Your Problem. That's the joy of Classless Interdomain Routing.

> They also said the Public port of the firewall will respond to all of the
> IP addresses that are in the NAT pool.

That's good. I have played with firewalls that don't respond to packets that they have just created NAT mappings for unless the packet is sent to the firewall on the MAC level. Ick.

> Any suggestions would be appreciated.
>
> Thanks
> Josh Sides
> StoneEagle Insurance Systems
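The addressing rules argued over above (DMZ subnet must contain the firewall's non-secure IP and the outside servers, must not overlap the NAT pool, and any NAT-mapped public address that is not the firewall's own IP needs a route on the router via the firewall) are easy to get wrong by hand, and Ben's "lump 'em all in" alternative only fails on one condition, an address collision. The following Python script is an added example, not part of the thread and not the firewall vendor's tool; only 209.51.10.128/25 comes from the post, and every other address, the `DOC_LAYOUT`/`BAD_LAYOUT` dictionaries and the private 10.1.1.10 mapping are constructed sample values.

```python
"""Address-plan checks for the NAT / DMZ rules quoted in this thread.

Only 209.51.10.128/25 comes from the post; every other address below is a
constructed sample value, not Josh's real layout or the firewall vendor's tool.
"""
from ipaddress import ip_address, ip_network

ISP_BLOCK = ip_network("209.51.10.128/25")  # the delegated half class C (from the post)

# Constructed layout following the vendor documentation: DMZ subnet and NAT
# pool carved out of the /25 so that they do not overlap.
DOC_LAYOUT = {
    "firewall_nonsecure_ip": "209.51.10.130",
    "dmz_subnet": "209.51.10.128/26",                # firewall plus outside servers
    "dmz_hosts": ["209.51.10.131"],                  # a public server outside the firewall
    "nat_pool": "209.51.10.192/27",                  # 209.51.10.192 - .223
    "nat_mappings": {"209.51.10.193": "10.1.1.10"},  # public -> private web server
}

# Constructed broken layout: the NAT pool overlaps the DMZ subnet and a DMZ
# host has been given an address that NAT also hands out.
BAD_LAYOUT = {
    "firewall_nonsecure_ip": "209.51.10.130",
    "dmz_subnet": "209.51.10.128/25",
    "dmz_hosts": ["209.51.10.131", "209.51.10.200"],
    "nat_pool": "209.51.10.192/27",
    "nat_mappings": {"209.51.10.200": "10.1.1.10"},
}


def check_doc_rules(layout):
    """Apply the documentation's rules; return a list of violations (empty = ok)."""
    problems = []
    fw_ip = ip_address(layout["firewall_nonsecure_ip"])
    dmz = ip_network(layout["dmz_subnet"])
    pool = ip_network(layout["nat_pool"])
    hosts = [ip_address(h) for h in layout["dmz_hosts"]]
    public = [ip_address(p) for p in layout["nat_mappings"]]

    # Everything public must sit inside the block the ISP's router sends to you;
    # CIDR only helps within that block.
    for net in (dmz, pool):
        if not net.subnet_of(ISP_BLOCK):
            problems.append(f"{net} is not inside the delegated block {ISP_BLOCK}")
    # The DMZ subnet must contain the firewall's non-secure IP and outside servers.
    for addr in [fw_ip, *hosts]:
        if addr not in dmz:
            problems.append(f"{addr} is not in the DMZ subnet {dmz}")
    # The DMZ subnet and the NAT translation pool must not overlap.
    if dmz.overlaps(pool):
        problems.append(f"DMZ subnet {dmz} overlaps NAT pool {pool}")
    # NAT-mapped public addresses must come from the pool.
    for addr in public:
        if addr not in pool:
            problems.append(f"mapped public address {addr} is not in NAT pool {pool}")
    return problems


def routes_needed_on_router(layout):
    """Public addresses other than the firewall's non-secure IP. Per the doc the
    router needs a route for each of these via the firewall's non-secure IP,
    unless (as Josh's ISP says) the firewall answers ARP for its whole pool."""
    fw_ip = ip_address(layout["firewall_nonsecure_ip"])
    return sorted(str(p) for p in layout["nat_mappings"] if ip_address(p) != fw_ip)


def flat_layout_collisions(dmz_hosts, nat_mappings):
    """Ben's alternative: one flat subnet for everything. The only thing that can
    go wrong is handing a server an address that NAT also hands out, so check
    exactly that and nothing else."""
    used_by_nat = {ip_address(p) for p in nat_mappings}
    return sorted(str(h) for h in dmz_hosts if ip_address(h) in used_by_nat)


if __name__ == "__main__":
    for name, layout in (("doc", DOC_LAYOUT), ("bad", BAD_LAYOUT)):
        print(name, check_doc_rules(layout) or "ok")
        print("  router routes via firewall for:", routes_needed_on_router(layout))
    print("flat-layout collisions:",
          flat_layout_collisions(BAD_LAYOUT["dmz_hosts"], BAD_LAYOUT["nat_mappings"]))
```

Run it as-is and the documented layout passes with one route needed on the router (for the NAT-mapped web server address), while the broken layout trips the overlap rule, and the flat-layout check catches the same mistake by the collision alone, which is Ben's point: the overlap rule is a design convenience, the collision is the actual fault.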