Firewall Wizards mailing list archives
RE: Classes of firewalls (based on IP utilization)
From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Date: Tue, 27 Feb 2001 11:00:47 -0500
We've been in similar situations with our lab network here. I would concur with the recommendation below, to use a bridging firewall (or firewalling bridge). Best example in the commercial category is the Lucent Managed Firewall "brick" - 3 or 4 Fast Ethernet Interfaces, fancy Java GUI and server process, neato-whizbang features. It's still essentially a stateful packet filter, though, and costs fairly serious money...so you can also just throw two NICs into a current OpenBSD box and set up IPFilter. If you try the latter (or the former) and you have problems with the config, send me what you've got and I might be able to diagnose. (There are other bridging firewall solutions out there, I'm sure, but the two above are what I have personally used. I'd love to know of more, though...)

Alternatively, you could subnet the class C, and have (for example) a /28 for the "DMZ" (inside router to external of firewall), and then a mish-mosh of small subnets for the rest of the interior. You've said that you don't want to do that, and it would be ugly and painful, so I include it only for completeness.

The other alternative I've seen is to put NAT-capable proxy firewalls behind that packet-filtering router, and not put any critical systems on the actual Class C. We're using both this and OpenBSD boxen to allow us to shift our network architecture around quickly when we change what products/projects are active in our lab.

Again, you said you only want to work with "real" IPs, and I would agree with that goal...but since you didn't provide a rationale, I would suggest that you might reconsider.

YMMV, HTH, and good luck.

Rip Loomis
Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com
-----Original Message-----
From: Todd Barlow [mailto:todd () lightspeedsystems com]
Sent: Monday, February 26, 2001 3:25 PM
To: 'list tracker'; firewall-wizards () nfr com
Subject: RE: [fw-wiz] Classes of firewalls (based on IP utilization)

I would suggest a Firewall that will allow for "bridging" between two (or more) Interfaces. In this mode, both Interfaces can be on the same subnet (but different network segments) and don't route traffic, only "bridge" it (layer-2) across segments. There may be other solutions, but this sounds easiest.

Todd Barlow
Lightspeed Systems, Inc.
ph: 661.324.4291
http://www.lightspeedsystems.com

-----Original Message-----
From: list tracker [mailto:list_tracker () hotmail com]
Sent: Sunday, February 25, 2001 02:43 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Classes of firewalls (based on IP utilization)

So far, I have created the following types of firewalls:

1. One subnet (or even one IP) on the external interface, and another subnet of fake IPs on the internal, using NAT one <--> many.

2. One subnet of real IPs on the external, and one subnet of real IPs on the internal, with a next-hop route from the external subnet to the internal (said next hop route is set up on the router the firewall connects outwards to).

I am wondering what can be done if I want to use ONLY real IPs, but I also only want to use ONE subnet. If I have a /24, with no subnets, and the router is .1, and the FW external is .2, and the FW internal is .3 and workstations are .4 - .254 ... is there a way to work this?
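As an added illustration of the two-NIC OpenBSD/IPFilter bridge that Rip and Todd recommend (this is not code from any poster on the thread), here is an ipf ruleset for the original poster's layout: router at .1, workstations .4 - .254, one /24 and no subnetting. The interface names fxp0 (router side) and fxp1 (workstation side), the constructed prefix 192.0.2.0/24 standing in for the real class C, the admin host .4, and the assumption that the bridge is built with brconfig(8) and set to hand bridged IP packets to ipf are all mine, not the page's.

```ipf
# /etc/ipf.rules for a transparent bridge: fxp0 faces the router (.1),
# fxp1 faces the workstations. Neither NIC carries an IP address, so the
# firewall has no layer-3 presence on the /24 and no route is needed on
# the router. ARP and other non-IP frames are bridged below ipf untouched.
# The bridge itself (bridge0 with fxp0 and fxp1 added) is assumed to be
# created with brconfig(8) and is not shown here.

# Default deny in both directions; blocked packets are logged. ipf is
# last-match unless "quick", so these act as the fallback.
block in log all
block out log all

# Filtering decisions are made once, on ingress to each NIC. The same
# packet then leaves on the other NIC; passing it unconditionally there
# avoids depending on state matching across two interfaces.
pass out quick all

# Anti-spoofing: a packet arriving from the router side must not claim
# an inside source address.
block in quick on fxp0 from 192.0.2.0/24 to any

# Inside hosts may open TCP (SYN only) and UDP sessions outbound;
# "keep state" admits the replies coming back in on fxp0.
pass in quick on fxp1 proto tcp from 192.0.2.0/24 to any flags S keep state
pass in quick on fxp1 proto udp from 192.0.2.0/24 to any keep state
pass in quick on fxp1 proto icmp from 192.0.2.0/24 to any keep state

# Inbound from the router side: only the services you actually publish.
# Here, SSH to a single admin host (.4 is a constructed example).
pass in quick on fxp0 proto tcp from any to 192.0.2.4/32 port = 22 flags S keep state

# Let ICMP unreachables through so path-MTU discovery keeps working.
pass in quick on fxp0 proto icmp from any to 192.0.2.0/24 icmp-type unreach

# Everything else arriving on either NIC falls through to the logged blocks.
```

Because the bridge has no address, it cannot be reached over the network it protects; manage it from the console or a separate management NIC.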
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards