Firewall Wizards mailing list archives

Re: Adding 2ndary IP to IPSO


From: Barney Wolff <barney () databus com>
Date: Sat, 24 May 2003 21:08:12 -0400

On Fri, May 23, 2003 at 04:12:18PM +0100, Babatunde A Jayeju-akinsiku wrote:
> I have 32 public addresses on a 64kps line (upgrade is already in the
> pipeline). Some of the addresses have already been ported to other
> firewalls. I am trying to port some services to different IP addresses on
> the checkpoint (plan is to do away with the other firewalls and put
> everything behind the checkpoint).
> The need to use different IPs is to be able to manage bandwidth, services &
> traffic.
> I am not allowed to use public IP addresses on internal servers even if it
> is passing through the firewall.
> Now going to your suggestion of using 255.255.255.255 as netmask I can see
> the reason why it'll work, but isn't there any security implication of doing
> that?

I'm still not really clear on your setup.  Here's what I'm guessing you
have, or want:

                   w.x.y.z/27      192.168.q.0/24
 Internet---Router-------------FW1----------------Servers

where the FW1 is doing NAT and using which public address a request
is sent to, to determine which server handles it.

If that's the right guess, then I'd suggest the following instead:

                   192.168.j.0/30      192.168.q.0/24
 Internet---Router-----------------FW1----------------Servers

where the FW1 advertises w.x.y.z/27 to the router (or the router simply
has a static route for that netblock that points to the FW1).

To answer the question of any security implication of a /32 netmask,
there is none.  In FreeBSD (on which at least some Nokia boxes were
based) the primary address of an interface gets the real netmask, and
any aliases in the same netblock are given /32 netmasks to avoid having
two identical routes to the same netblock.  But as I say above, I don't
think you need to do that at all.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
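The netmask rule Barney describes (an alias that falls inside the primary address's netblock is narrowed to /32 so the kernel does not end up with two identical connected routes) is modelled below as an added Python example. It is not code from the thread or from FreeBSD; the addresses are constructed stand-ins for w.x.y.z/27 taken from the documentation ranges 203.0.113.0/27 and 198.51.100.0/28, and the alias in the second range shows that only same-netblock aliases are narrowed.

```python
import ipaddress

# Constructed sample: one interface with a primary address and three aliases.
# 203.0.113.1/27 stands in for the thread's w.x.y.z/27 public block.
PRIMARY = "203.0.113.1/27"
ALIASES = ["203.0.113.2/27", "203.0.113.3/27", "198.51.100.1/28"]


def naive_masks(primary, aliases):
    """What you would get if every alias simply kept its configured netmask."""
    masks = {}
    for entry in [primary] + aliases:
        iface = ipaddress.ip_interface(entry)
        masks[str(iface.ip)] = iface.network.prefixlen
    return masks


def effective_masks(primary, aliases):
    """Model of the narrowing described in the reply: the primary address keeps
    its real netmask; an alias inside the primary's netblock is given /32; an
    alias in a different netblock keeps the netmask it was configured with."""
    prim = ipaddress.ip_interface(primary)
    masks = {str(prim.ip): prim.network.prefixlen}
    for alias in aliases:
        a = ipaddress.ip_interface(alias)
        if a.ip in prim.network:
            masks[str(a.ip)] = a.network.max_prefixlen  # 32 for IPv4
        else:
            masks[str(a.ip)] = a.network.prefixlen
    return masks


def connected_routes(masks):
    """The connected (interface) routes implied by each address/prefix pair.
    Returned as a list rather than a set so duplicates stay visible."""
    return [str(ipaddress.ip_interface(f"{addr}/{plen}").network)
            for addr, plen in masks.items()]


def duplicate_routes(routes):
    """Sorted list of destinations that would appear more than once."""
    seen, dups = set(), set()
    for route in routes:
        if route in seen:
            dups.add(route)
        seen.add(route)
    return sorted(dups)


if __name__ == "__main__":
    naive = connected_routes(naive_masks(PRIMARY, ALIASES))
    print("aliases keep /27:", naive, "duplicates:", duplicate_routes(naive))
    narrowed = connected_routes(effective_masks(PRIMARY, ALIASES))
    print("aliases narrowed:", narrowed, "duplicates:", duplicate_routes(narrowed))
```

Without narrowing, the three same-block addresses all claim 203.0.113.0/27 and the route appears three times; with it, the block is reached through the primary address and each alias contributes only a host entry, which is why the /32 carries no security implication of its own.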