Firewall Wizards mailing list archives

ADSL Bridging/Firewall Issues.....


From: "Andrew Fremantle" <temp1274 () tempest yi org>
Date: Mon, 17 Dec 2001 04:38:53 -0800

Okay, I'm sure you've had many ADSL Firewalling questions in here before,
and I've read some of your archives and didn't find anything that matched my
situation properly.

Let me describe my existing (no firewall) setup. IPs are fake, but the range
is right.

There's a hand-drawn diagram available at
http://tempest.yi.org/skyhawk/firewall/network.jpg
Of the four drawings, the two you want to be looking at are "Currently" and
"Proposed"

You can safely ignore the hub in the drawings, it's only there because it's
got a bandwidth meter on it. It serves no function and merely acts as a
pass-through.

ADSL Router - 209.53.0.0/18 -- 209.53.0.0 - 209.53.63.255 I think
All my machines use 209.53.36.254 as the default gw, and have 255.255.192.0
assigned as the netmask.
I believe this means my ISP have supernetted a bunch of class Cs, and then
subnetted it down at their router to reduce IP wastage. I've only ever seen
any of my machines have IPs in the 209.53.36.* and 209.53.37.* range.

ADSL Modem -- Seems to be a bridge, transparent to the network

10Base Stupid Ethernet Switch
Asante FriendlyNet -- Can only remember 32 MACs, but it does the job

Four computers attached to the switch. IPs are on the ASCII-art diagram.
I don't think it really matters, but the OSes are Win2k, Win98, FreeBSD, and
Red Hat Linux. The Linux box isn't really mine, it's just parked on my
connection.

 -------------
| ADSL Router |
 -------------
       |
 -------------
| ADSL Modem  |
 -------------
       |
 -------------------------------
| Switch (All IPs are 209.53.)  |
 -------------------------------
   |       |       |       |
 37.140  36.25  37.125  36.74

Okay, all IPs are dynamically assigned via DHCP.

I've got two problems with this setup:

1) The ADSL Router is doing proxy-arp for the entire IP subnet. Any time one
of my computers wants to talk to another one, it sends an arp who-has asking
for a hardware address. The router hears the request and replies with ITS
OWN MAC address, making all my LAN traffic go over the ADSL link. This
absolutely brutalizes performance.

Currently all 4 computers have scripts that they run on startup, calling the
arp command to statically assign IP-MAC addresses. Any time an IP changes, I
have to go update the bloody scripts.

2) Lack of packet filtering. In particular, I must run Windows Networking
over IP to talk to my Samba server, and I know for a fact this is wide open
on the net.

So? Any suggestions? Currently I've got an additional FreeBSD box up on the
network, acting as a Bridge between my switch and the modem. It has two
interfaces, neither of which is configured for IP, and isn't filtering
(yet). This lets me solve my security issues, but I would like to solve my
ARP issues as well. I can either tell FreeBSD to allow ARP to bridge
(keeping my current problem) or tell it NOT to allow ARP to bridge (Breaking
ARP completely). As far as I can determine, there is no way for me to do any
kind of Proxy ARP with Bridging, and the bridge has empty ARP tables.

I'd like to keep full connectivity, except for the stuff I'm going to filter
(Like Windows Networking). I'm running multiple servers and I like online
gaming, and NAT is not friendly to either of these options, especially the
gaming. I'm partial to FreeBSD but if it isn't the right tool for the job
I'm willing to experiment with something else.


Sorry for the lengthy post, and if this exact or a very similar scenario has
been discussed elsewhere, please point me to it so I can read up. I am
subscribed to the list, but if you want to reply off band for some reason,
please email me at firewall@at () tempest yi org.

Andrew Fremantle

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
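For problem 2, the filtering FreeBSD bridge the poster has already cabled in can be made to drop Windows Networking from the modem side while still bridging ARP untouched. The following is an added configuration, not the poster's own: it uses the current if_bridge(4) driver and rc.conf conventions rather than the bridge(4) sysctls of the FreeBSD 4.x era, and the interface names em0 (modem side) and em1 (switch side) are assumed. No IP address is given to either member or to bridge0, which matches the post's setup.

```conf
# /etc/rc.conf (added lines).  em0 faces the ADSL modem, em1 faces the
# switch; both names are assumed.  Neither member nor bridge0 gets an IP.
cloned_interfaces="bridge0"
ifconfig_em0="up"
ifconfig_em1="up"
ifconfig_bridge0="addm em0 addm em1 up"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"

# /etc/sysctl.conf
# Run ipfw once per packet, on the member interface it arrives on, so the
# "in via em0" rules below see inbound traffic from the modem side exactly once.
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0
# Pass all non-IP frames (ARP included) without consulting the firewall, so the
# ARP exchange between the LAN hosts and the ISP router keeps working.  This
# does not change the proxy-ARP behaviour the post describes; only IP is filtered.
net.link.bridge.pfil_onlyip=0

# /etc/ipfw.rules, loaded by rc.firewall as "ipfw /etc/ipfw.rules".
# Drop Windows Networking (NetBIOS name/datagram/session, SMB, RPC endpoint
# mapper) arriving from the modem side; everything else is bridged as before,
# so servers and game traffic are untouched and no NAT is involved.
add 100 deny udp from any to any 137,138 in via em0
add 110 deny tcp from any to any 135,139,445 in via em0
add 65000 allow ip from any to any
```

Check it with `ipfw show` after `service ipfw start`: rule counters on 100 and 110 climbing while the LAN is idle is the "wide open on the net" probing the poster mentions, now being dropped. Because the bridge has no address, it cannot be managed over the network; keep a console on it, or give it a third, separately firewalled interface for administration.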
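The proxy-ARP symptom in problem 1 (the router answering "is-at" with its own MAC for every address on the /18) can be confirmed from a packet capture rather than guessed at, and the same capture yields the static `arp -s` entries the poster currently maintains by hand. The following is an added example, not code from the post: it parses raw Ethernet/ARP frames, flags any MAC that claims more than one local IP as a proxy, and keeps the genuine reply for each host when one was seen. The frames, MAC addresses (locally-administered, made up) and the /18 with 209.53.36.254 as gateway are all constructed to match the post's description.

```python
"""Spot proxy-ARP on a LAN from captured ARP replies and derive the static
ARP entries for the hosts whose real MAC was seen.

Added example; the frames below are constructed, not captured from the
poster's network, and all MAC addresses are made-up locally-administered ones.
"""
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Assumed addressing, matching the post: one /18 with the ISP router as gateway.
LOCAL_NET = "209.53.0.0/18"
GATEWAY_IP = "209.53.36.254"
ROUTER_MAC = "02:00:00:00:00:aa"   # constructed: the ADSL router
HOST_A_MAC = "02:00:00:00:00:01"   # constructed: 209.53.37.140, the host asking
HOST_B_MAC = "02:00:00:00:00:02"   # constructed: 209.53.37.125, the real owner


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_arp(src_mac, dst_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP (hardware 1, protocol 0x0800). Only used to build sample input."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
           + _mac(target_mac) + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = str(ipaddress.IPv4Address(frame[28:32]))
    target_ip = str(ipaddress.IPv4Address(frame[38:42]))
    return op, sender_mac, sender_ip, target_ip


def analyze(frames, local_net=LOCAL_NET, gateway_ip=GATEWAY_IP):
    """Tabulate ARP replies. A MAC that answers for more than one local IP is proxying.

    Returns (proxy_macs, real, unresolved): the proxying MAC(s), a dict
    ip -> MAC for hosts whose genuine reply was seen, and the local IPs for
    which only the proxy answered (their real MAC still has to be learned).
    Caveat: a host that legitimately owns several addresses is flagged too;
    in the post each machine holds a single DHCP address.
    """
    net = ipaddress.IPv4Network(local_net)
    answers = defaultdict(set)          # ip -> {MACs that claimed it}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip, _ = parsed
        if ipaddress.IPv4Address(ip) in net:
            answers[ip].add(mac)
    claimed = defaultdict(set)          # mac -> {IPs it claimed}
    for ip, macs in answers.items():
        for mac in macs:
            claimed[mac].add(ip)
    proxy_macs = {mac for mac, ips in claimed.items() if len(ips) > 1}
    real, unresolved = {}, []
    for ip in sorted(answers, key=ipaddress.IPv4Address):
        if ip == gateway_ip:
            continue                    # the router is meant to answer for itself
        genuine = answers[ip] - proxy_macs
        if len(genuine) == 1:
            real[ip] = next(iter(genuine))
        else:
            unresolved.append(ip)
    return proxy_macs, real, unresolved


def static_arp_script(real):
    """The `arp -s` lines the post describes maintaining by hand (BSD/Linux syntax)."""
    ordered = sorted(real.items(), key=lambda kv: ipaddress.IPv4Address(kv[0]))
    return [f"arp -s {ip} {mac}" for ip, mac in ordered]


# Constructed capture: A asks for .37.125 and both the router (proxy) and the
# real host answer.  A asks for the gateway; only the router answers, which is
# legitimate.  A asks for .36.25; only the router answers, so that host's MAC
# stays unknown.  The last frame is IPv4, not ARP, and is skipped by the parser.
SAMPLE_FRAMES = [
    build_arp(HOST_A_MAC, BROADCAST, ARP_REQUEST, HOST_A_MAC, "209.53.37.140", ZERO_MAC, "209.53.37.125"),
    build_arp(ROUTER_MAC, HOST_A_MAC, ARP_REPLY, ROUTER_MAC, "209.53.37.125", HOST_A_MAC, "209.53.37.140"),
    build_arp(HOST_B_MAC, HOST_A_MAC, ARP_REPLY, HOST_B_MAC, "209.53.37.125", HOST_A_MAC, "209.53.37.140"),
    build_arp(HOST_A_MAC, BROADCAST, ARP_REQUEST, HOST_A_MAC, "209.53.37.140", ZERO_MAC, GATEWAY_IP),
    build_arp(ROUTER_MAC, HOST_A_MAC, ARP_REPLY, ROUTER_MAC, GATEWAY_IP, HOST_A_MAC, "209.53.37.140"),
    build_arp(HOST_A_MAC, BROADCAST, ARP_REQUEST, HOST_A_MAC, "209.53.37.140", ZERO_MAC, "209.53.36.25"),
    build_arp(ROUTER_MAC, HOST_A_MAC, ARP_REPLY, ROUTER_MAC, "209.53.36.25", HOST_A_MAC, "209.53.37.140"),
    _mac(HOST_A_MAC) + _mac(ROUTER_MAC) + struct.pack("!H", 0x0800) + bytes(40),
]

if __name__ == "__main__":
    proxy, real, unresolved = analyze(SAMPLE_FRAMES)
    print("proxy-ARP from:", ", ".join(sorted(proxy)))
    print("\n".join(static_arp_script(real)))
    print("still only answered by the proxy:", ", ".join(unresolved))
```

On the real LAN the frames would come from a capture (tcpdump's pcap output read with any pcap reader) taken on the switch side of the bridge; a host whose address only ever shows up with the router's MAC, like 209.53.36.25 above, lost the reply race to the router and needs to be asked again before its static entry can be written.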

