Firewall Wizards mailing list archives

SunScreen stealth interfaces and DHCP


From: Sebastian Birnbach <birnbacs () web de>
Date: Fri, 25 Feb 2005 15:30:06 +0100

Hi all,


I have been choking on this problem for some time now, maybe you can help me out.

In my home office, I am using a SPARCstation for firewall and NAT, and it talks to a DSL modem. To increase security, I want to migrate from IPF to SunScreen and use it in stealth mode /between modem and PPPoE interface/, before it does NAT on different interfaces:

  DSL modem
     |
     |
    hme2 (stealth mode)
    hme2 (stealth mode)
     |
     x   (crossover cable)
     |
    hme0 (PPPoE, dynamic address)
    hme1 (private fixed IP)
     |
--|--|-|-|--| to rest of internal network



I figure that double-using SunScreen is legal, since all packets that pass through the stealth mode interfaces enter through a physical interface, and an IP packet is an IP packet. Thanks to Valerie Bubb's posting I now understand how to configure NAT on a dynamic IP address, no problem :)


So here comes the problem: to configure the stealth interfaces, I must know which IP subnet it lives in, and give this information in the 'screen' definition as parameter STEALTH_NET. But with DHCP I don't know the network at configuration time. Any chance for a dynamic definition? Hmm, alternatively if there was a way to have stealth interfaces bridge different networks, I might use that. But how could I configure this, and what would be a good value for STEALTH_NET?


Please note that I don't want to do the stealth filtering /after/ the PPPoE, because by that time the packets are already inside the kernel.


Thanks a lot


        Sebastian
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
