Firewall Wizards mailing list archives

Re: Classes of firewalls (based on IP utilization)


From: "Crist Clark" <crist.clark () globalstar com>
Date: Mon, 26 Feb 2001 13:47:47 -0800

list tracker wrote:

So far, I have created the following types of firewalls:

1. One subnet (or even one IP) on the external interface, and another subnet
of fake IPs on the internal, using NAT one <--> many.

2. One subnet of real IPs on the external, and one subnet of real IPs on the
internal, with a next-hop route from the external subnet to the internal
(said next hop route is set up on the router the firewall connects outwards
to)

I am wondering what can be done if I want to use ONLY real IPs, but I also
only want to use ONE subnet.  If I have a /24, with no subnets, and the
router is .1, and the FW external is .2, and the FW internal is .3 and
workstations are .4 - .254 ... is there a way to work this?

My thought is that a static route will have to be created on the firewall
for every single workstation IP being protected.

Is this correct?  Further, is it an appropriate way to solve this problem
(given the constraints of no subnetting and no NAT)?

Finally, are these the only three major ways of arranging IPs for
firewalling - the three ways being:  NAT (one to many, or a combination of
one to many and some to some), two subnets of real IPs - one announcing the
next one, and what I just described: one subnet, static route for each IP on
the other side of the FW.

Or are there some other, qualitatively different configurations?

How about an actual routing firewall?

And as for your problem, why not go from,

  Router:X.Y.Z.1 --- { Rest of X.Y.Z.0/24 net

To,

  Router:192.168.X.1 --- 192.168.X.254:Firewall:X.Y.Z.1 --- { Rest of X.Y.Z.0/24 net  

-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
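The two address plans in the exchange above, modelled as routing tables and checked with longest-prefix-match lookups. This is an added example, not code from the post or from either participant. It assumes stand-in values for the placeholders in the thread: 203.0.113.0/24 (TEST-NET-3) for X.Y.Z.0/24 and 192.168.1.0/24 for 192.168.X.0/24; interface names ("lan", "ext", "int") are also assumed. It shows why the flat single-subnet layout needs one host route per workstation on the router, while the transit-net layout needs exactly one route for the whole /24.

```python
import ipaddress

# Assumed stand-in values: the thread's X.Y.Z.0/24 becomes 203.0.113.0/24
# (TEST-NET-3) and 192.168.X.0/24 becomes 192.168.1.0/24.
PUBLIC = ipaddress.ip_network("203.0.113.0/24")
TRANSIT = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, target) entries.

    target is either a next-hop IPv4Address or an interface name (str) for a
    connected route. Returns None when no entry matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, target in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, target)
    return None if best is None else best[1]


def flat_plan_router_table():
    """The poster's 'one subnet, no NAT' layout: router .1, firewall external
    .2 and internal .3, workstations .4-.254, all inside the same /24.

    The whole /24 is a connected route on the router's LAN interface, so the
    router would ARP for every workstation directly and bypass the firewall.
    To force traffic through the firewall without subnetting, the router needs
    a host (/32) route per workstation pointing at .2, which is exactly the
    per-host static route burden the poster was worried about."""
    fw_external = PUBLIC[2]
    table = [(PUBLIC, "lan")]
    for host in PUBLIC.hosts():
        if host >= PUBLIC[4]:
            table.append((ipaddress.ip_network(f"{host}/32"), fw_external))
    return table


def routed_plan_tables():
    """Crist Clark's alternative: a private transit net between the router
    (192.168.X.1) and the firewall's external interface (192.168.X.254); the
    firewall's internal interface takes over X.Y.Z.1 and the whole public /24
    sits behind it. One static route on the router covers every host."""
    router = [
        (TRANSIT, "lan"),          # connected: 192.168.X.0/24
        (PUBLIC, TRANSIT[254]),    # static: X.Y.Z.0/24 via firewall external
    ]
    firewall = [
        (TRANSIT, "ext"),          # connected on 192.168.X.254
        (PUBLIC, "int"),           # connected on X.Y.Z.1
        (DEFAULT, TRANSIT[1]),     # default route back to the router
    ]
    return router, firewall


def static_route_count(table):
    """Number of next-hop (non-connected) entries an admin has to maintain."""
    return sum(1 for _, target in table if not isinstance(target, str))


def path_to_workstation(host):
    """Walk a packet for one X.Y.Z.0/24 host through the routed plan:
    router -> firewall external -> firewall internal interface."""
    router, firewall = routed_plan_tables()
    hop1 = lookup(router, host)    # 192.168.X.254, the firewall's external side
    hop2 = lookup(firewall, host)  # delivered out the firewall's 'int' interface
    return hop1, hop2


if __name__ == "__main__":
    print("flat plan, static routes on router:", static_route_count(flat_plan_router_table()))
    router, _ = routed_plan_tables()
    print("routed plan, static routes on router:", static_route_count(router))
    print("path to", PUBLIC[100], "->", path_to_workstation(PUBLIC[100]))
```

The flat plan ends up with 251 host routes on the router (one per workstation), and any host the admin forgets is reached directly by ARP, around the firewall. In the routed plan the firewall is the only path into X.Y.Z.0/24 because the router has nothing else on that prefix, so the FORWARD policy on the firewall actually sees every packet.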
