TCLUG Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Firewalling / Routing

Hash: SHA1

Sorry for the long message, but ..

I've been allowed to setup an experimental Linux firewall at work (yay!)
on our testbed set of machines, for potential implementation for the
entire building. I had it all setup and working fine using ip masq the
usual way .. but now I need the machines behind the firewall to have
real-world IP addresses because they're going to represent our major
database servers.

The physical setup in the office has the firewall with its two nics, one
plugged into the wall and the other plugged into the hub containing the
client testbed.  Due to our limited IP pool, the machines on both sides of
the firewall need to be in the same subnet (100.200.300.x, for example).

As I have it setup now, the routing table for the firewall explicitly
routes to each of the hosts that are behind it (because they're on the
same subnet I can't just map the subnet to one side or another):

Kernel IP routing table
Destination     Gatewać         Genmask         Flaags Metric Ref    Use Iface
100.200.300.10 UH    0      0        4 eth1
100.200.300.11 UH    0      0        2 eth1
100.200.300.12 UH    0      0        0 eth1
100.200.300.0   U     0      0      247 eth0       U     0      0        2 lo         100.200.300.1         UG    1      0      159 eth0

  where 100.200.300.{10,11,12} are the testbed machines (behind the
firewall), and the gateway for the entire subnet (not just behind the
wall) is 100.200.300.1 .

The firewall forwarding table is setup as:

IP firewall forward rules, default policy: deny
type  prot source               destination          ports
acc   all            100.200.300.10       n/a
acc   all  100.200.300.10            n/a
acc   all            100.200.300.11       n/a
acc   all  100.200.300.11            n/a
acc   all            100.200.300.12       n/a
acc   all  100.200.300.12            n/a

using ipfwadm lines like:

/sbin/ipfwadm -F -i accept -S <protected_host> -D \
	-V -W eth1
/sbin/ipfwadm -F -i accept -S -D <protected_host> \
	-W eth0

  where is the internal, unpublished, on-the-hub-only IP
address of the firewall, eth0 is the external (outside-world) nic, and
eth1 is the internal (on-the-hub) nic.

A few things about the network connections in the office:

+ Each RJ45 port on the wall will remember up to four nic hardware
addresses at a time.

+ The testbed hub contains a total of four hosts (three behind the wall +
the wall itself) so the RJ45 port on the wall should be filled to its

My questions are these:

- - Would forwarding (using ipfwadm) packets from the protected hosts
through the wall preserve their original, originating hardware address ?
This would cause the RJ45 port to "remember" it so the rest of the routers
in the building can know where to send packets destined for it.

- - If yes or no, how would a machine outside the wall know that it would
need to go through the wall to reach one of the protected hosts (if it
knew its ip address, for example) ?

- - Am I missing something crucial here ? I'm kinda drawing a blank on how
this should work. I've only used firewalls in situations where ip masq was
involved, prior to this.


- --
| Josh Becker                      - aka -                        JellyD |
| email:                            IRC: EFnet, DALnet |
Version: GNUPG v0.4.3 (GNU/Linux)
Comment: For info finger