Firewall Wizards mailing list archives
RE: Firewall on the same subnet
From: "Kehoe, Anthony" <AKehoe () hsdinc com>
Date: Sat, 4 Nov 2000 20:26:49 -0600
Hi there,

I think one question is whether your internal machines are going to have valid internet addresses, or protected-network addresses.

If you have a class C assigned from your ISP, and want to give all your machines valid IP addresses but behind a firewall, then one thing you might want to look at is a bridging firewall with a linux box and two network cards. With some kernel patches to the bridging code, you are able to bridge two interfaces but also firewall, using IPCHAINS, traffic crossing the bridge. In effect, it allows you to have the firewall as a router, with the exception that it isn't routing. Consider:

Internet -----> ADSL modem ------> firewall -------> hub ---------> machines

Traffic, however, will not know the firewall is even there, as it does not need to be set up as a router. All machines behind the firewall can either use the firewall IP address, or the ADSL modem IP address. Since the firewall is bridging, to all intents and purposes the connection looks like:

Internet -----> ADSL modem ------------------------> hub ---------> machines

If you want to have a DMZ setup, like:

Internet -----> ADSL modem ------> firewall 1 -------> hub ---------> machines
                                       |
                                       |
                                       |
                                       -----> firewall 2 ----------> hub ----------> internal machines

Then you get two levels of firewall. Of course, you don't even have to have firewall 2 in there if you don't want to, as firewall 1 can also NAT the internal machine addresses, but you might want the extra security.

The benefit of the bridging firewall setup is that you get to keep ALL your class-c addresses for use on hosts in the DMZ without having to subnet anything. You can subnet, and use a standard linux router, but you do lose some addresses. The bridge alleviates this problem. In addition, since the adsl modem is directly connected into the firewall, and the firewall is connected to the hub in series, there's no way of getting to the machines behind the firewall except by going through it.
I haven't tried it, but I believe that with the linux bridging router, you can even take the IP address off the bridge. In effect, this makes the linux box totally invisible. It doesn't even have an IP address, thus impossible to hack from the outside. You just have to keep up to date with any kernel difficulties or TCP/IP stack denials, and you're set.

If you want all your machines to have protected-net IP addresses, then it's easier. Just install linux and read the firewall-HOWTO and see what it says about setting up IPCHAINS in a NAT environment.

Regards,

Anthony Kehoe
Network Analyst
AKehoe () hsdinc com
414.257.9900 x118
Heartland Software Development, Inc.
2525 N. Mayfair Road, Suite 300
Milwaukee, Wisconsin 53226
http://www.HSDInc.com

-----Original Message-----
From: Ivo Janssen [mailto:ivo () ivo nu]
Sent: Thursday, November 02, 2000 7:37 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Firewall on the same subnet

I have a question about building a firewall that has both interfaces in 1 subnet. I've read a thread on the debian-firewall list (see http://lists.debian.org/debian-firewall-0010/msg00028.html ), but I think my situation is a little different.

In my case, an incoming ADSL line delivers a UTP cable that outputs traffic for our whole assigned C class subnet (let's say 1.1.1.x). Normally, I would just plug that into a switch and connect the 256 machines to it. But I want to put a firewall in between. So my situation will be:

(scenario 1)
ADSL-ISP ----- DSLAM-port ----- firewall ---- internal network
<-    external networks     ->|<-   1.1.1.x network   ->

How do I route this in a good way, without resorting to going a level beneath IP, and getting into stuff like MAC, bridge, ARP.
People keep telling me this is possible, and they give me the following situation:

(scenario 2)
DIALUP-ISP --- ISDN line --- Ascend router --- internal network
<-    external networks     ->|<-   1.1.1.x network   ->

This is a situation we actually have at this point, where the Ascend router actually acts as a router, with IP address 1.1.1.1, and the rest of the network sets 1.1.1.1 as default gateway.

Can I, in scenario 1, just set the outer NIC to, say 1.1.1.1 and the inner NIC to 1.1.1.2 and put 1.1.1.2 as default gateway on my internal net? Or should I just assign 1 IP to the whole fw-box?

I keep on reading scenario 1 is so different from scenario 2 that scenario 2 can use "normal" routing, but scenario 1 needs hacks like Proxy ARP. The one thing I do not want is resort to route IP packets on MAC level with Proxy ARP, it just comes to me as a hack.

Please, could someone tell me what the exact difference between scenarios 1 and 2 is, and what I should use if I want to make our internal network a fully routed part of the internet.

Sincerely,

Ivo
--
+---------------------------------------------------------------------
| IVO JANSSEN - ivo at ricardis.tudelft.nl - http://ivo.nu/
| Delft University of Technology - the Netherlands
| finger ivo at server.ricardis.tudelft.nl for PGP and more info
| Part of the world's largest computer: http://www.distributed.net/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
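The transparent bridging firewall Anthony describes (ADSL modem -> firewall -> hub -> DMZ hosts, with the firewall holding no IP address), written out as an added example that is not part of the original post or thread. It uses the bridge support that is in mainline Linux today (an `ip link` bridge plus an nftables ruleset in the `bridge` family) rather than the 2.2-era bridge patch and IPCHAINS the post refers to; `ct state` matching on a bridge needs bridge connection tracking (nf_conntrack_bridge, Linux 5.3 and later). The interface names eth0/eth1, the documentation prefix 192.0.2.0/24 standing in for the thread's 1.1.1.x, and the web/mail host addresses are all assumptions to adjust. Two caveats the post does not spell out: with no address on the bridge you need a console or a separate management interface to administer the box, and "no IP address" removes the IP attack surface only; frames still traverse the bridge and netfilter code, which is why keeping the kernel current matters.

```shell
#!/bin/sh
# Added example (not from the original post): transparent bridging firewall.
# Assumed: OUTSIDE is the NIC cabled to the ADSL modem, INSIDE the NIC cabled
# to the DMZ hub, DMZ_NET the provider-assigned block (192.0.2.0/24 is the
# documentation range used here in place of the thread's 1.1.1.x).
set -eu

OUTSIDE=${OUTSIDE:-eth0}
INSIDE=${INSIDE:-eth1}
DMZ_NET=${DMZ_NET:-192.0.2.0/24}
BR=${BR:-br0}

# Emit the nftables ruleset. The "bridge" family filters frames as they are
# forwarded across the bridge, before any routing decision, so the box does
# not need an address of its own. "flush ruleset" wipes every existing table.
build_ruleset() {
    cat <<EOF
flush ruleset
table bridge filter {
    # Assumed DMZ hosts that publish services (adjust).
    set dmz_web  { type ipv4_addr; elements = { 192.0.2.10, 192.0.2.11 } }
    set dmz_mail { type ipv4_addr; elements = { 192.0.2.25 } }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already allowed in either direction.
        ct state established,related accept

        # ARP must cross the bridge: the DMZ hosts resolve the modem's MAC
        # (and vice versa) straight through the firewall.
        ether type arp accept

        # Hub side -> modem: DMZ hosts may open connections outbound.
        iifname "$INSIDE" oifname "$OUTSIDE" ip saddr $DMZ_NET ct state new accept

        # Modem side -> hub: only the published services, plus the ICMP the
        # hosts need for path MTU discovery and reachability checks.
        iifname "$OUTSIDE" oifname "$INSIDE" ip daddr @dmz_web  tcp dport { 80, 443 } ct state new accept
        iifname "$OUTSIDE" oifname "$INSIDE" ip daddr @dmz_mail tcp dport 25 ct state new accept
        iifname "$OUTSIDE" oifname "$INSIDE" ip daddr $DMZ_NET icmp type { echo-request, destination-unreachable, time-exceeded } accept

        # Everything else hits the chain policy and is dropped.
    }
}
EOF
}

# Build the bridge with NO address attached: the firewall then offers nothing
# at layer 3 on either side, which is the "invisible" box the post describes.
# Requires root; leaves you with console-only access unless a separate
# management NIC exists.
apply_bridge() {
    ip link add name "$BR" type bridge
    ip link set dev "$OUTSIDE" master "$BR"
    ip link set dev "$INSIDE" master "$BR"
    ip link set dev "$OUTSIDE" up
    ip link set dev "$INSIDE" up
    ip link set dev "$BR" up
    ip addr flush dev "$BR"        # belt and braces: no address on the bridge
    build_ruleset | nft -f -       # load the ruleset from stdin
}

# "show" (default) prints the generated ruleset for review; "apply" installs it.
case "${1:-show}" in
    apply) apply_bridge ;;
    show)  build_ruleset ;;
esac
```

Run it with no arguments to review the ruleset, then `OUTSIDE=eth0 INSIDE=eth1 ./bridge-fw.sh apply` from the console of the firewall. The second firewall in the post's DMZ diagram (the one doing NAT for the internal machines) is a normal routed box and is not covered by this ruleset.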
Current thread:
- Firewall on the same subnet Ivo Janssen (Nov 05)
- Re: Firewall on the same subnet Danny Rathjens (Nov 06)
- Re: Firewall on the same subnet Luca Berra (Nov 08)
- <Possible follow-ups>
- RE: Firewall on the same subnet Kehoe, Anthony (Nov 06)