Firewall Wizards mailing list archives
Re: Classes of firewalls (based on IP utilization)
From: "Crist Clark" <crist.clark () globalstar com>
Date: Mon, 26 Feb 2001 13:47:47 -0800
list tracker wrote:
> So far, I have created the following types of firewalls:
>
> 1. One subnet (or even one IP) on the external interface, and another subnet of fake IPs on the internal, using NAT one <--> many.
>
> 2. One subnet of real IPs on the external, and one subnet of real IPs on the internal, with a next-hop route from the external subnet to the internal (said next hop route is set up on the router the firewall connects outwards to)
>
> I am wondering what can be done if I want to use ONLY real IPs, but I also only want to use ONE subnet. If I have a /24, with no subnets, and the router is .1, and the FW external is .2, and the FW internal is .3 and workstations are .4 - .254 ... is there a way to work this?
>
> My thought is that a static route will have to be created on the firewall for every single workstation IP being protected. Is this correct? Further, is it an appropriate way to solve this problem (given the constraints of no subnetting and no NAT)?
>
> Finally, are these the only three major ways of arranging IPs for firewalling - the three ways being: NAT (one to many, or a combination of one to many and some to some), two subnets of real IPs - one announcing the next one, and what I just described: one subnet, static route for each IP on the other side of the FW. Or are there some other, qualitatively different configurations?
How about an actual routing firewall?

And as for your problem, why not go from,

    Router:X.Y.Z.1 --- { Rest of X.Y.Z.0/24 net

To,

    Router:192.168.X.1 --- 192.168.X.254:Firewall:X.Y.Z.1 --- { Rest of X.Y.Z.0/24 net

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926
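The layout suggested in the reply can be checked with a small routing model. This is an added example, not part of the original post; 203.0.113.0/24 and 192.168.10.0/24 are constructed stand-ins for X.Y.Z.0/24 and 192.168.X.0/24, and the table contents are assumptions about how the two devices would be configured.

```python
import ipaddress as ip

# Constructed stand-ins: 203.0.113.0/24 plays X.Y.Z.0/24 and
# 192.168.10.0/24 plays the 192.168.X.0/24 transit net from the reply.
PUBLIC = ip.ip_network("203.0.113.0/24")
TRANSIT = ip.ip_network("192.168.10.0/24")
DEFAULT = ip.ip_network("0.0.0.0/0")

# Routing tables as (prefix, next_hop); next_hop None = directly connected.
TABLES = {
    "router": [
        (TRANSIT, None),
        (PUBLIC, ip.ip_address("192.168.10.254")),  # the only route needed
        (DEFAULT, "upstream"),
    ],
    "firewall": [
        (TRANSIT, None),
        (PUBLIC, None),  # inside interface keeps X.Y.Z.1, the hosts' old gateway
        (DEFAULT, ip.ip_address("192.168.10.1")),
    ],
}
# Interface address -> owning device.
OWNER = {
    ip.ip_address("192.168.10.1"): "router",
    ip.ip_address("192.168.10.254"): "firewall",
    ip.ip_address("203.0.113.1"): "firewall",
}

def lookup(device, dst):
    """Longest-prefix match in one device's table; returns the next hop."""
    matches = [(net, hop) for net, hop in TABLES[device] if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(start, dst, max_hops=8):
    """List the devices a packet for dst crosses, starting at `start`."""
    dst, path, device = ip.ip_address(dst), [start], start
    for _ in range(max_hops):
        hop = lookup(device, dst)
        if hop == "upstream":
            return path + ["upstream"]
        if hop is None:  # destination is on a directly connected net
            owner = OWNER.get(dst, "host")
            return path if owner == device else path + [owner]
        device = OWNER[hop]
        path.append(device)
    raise RuntimeError("routing loop")

def routes_to_protected_net(device):
    """Non-connected routes on `device` that cover the protected /24."""
    return [(n, h) for n, h in TABLES[device] if n.subnet_of(PUBLIC) and h is not None]
```

In this model the router carries one route for the whole /24 rather than one per workstation, and every path to or from a workstation crosses the firewall.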