TCLUG Archive

RE: [TCLUG:3868] Firewalling / Routing



This is going to require lots of net-howto and man page reading. You are going
to need to look at routed to provide the proper routing. The router will
basically pick up, transfer and respond for the machines on the internal side of the
firewall. This will probably require ARP tables to provide the outside network
with an Ethernet presence on the outside network (not fun, but required).

On 03-Feb-99 Jelly Donut wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Sorry for the long message, but ..
> 
> I've been allowed to setup an experimental Linux firewall at work (yay!)
> on our testbed set of machines, for potential implementation for the
> entire building. I had it all setup and working fine using ip masq the
> usual way .. but now I need the machines behind the firewall to have
> real-world IP addresses because they're going to represent our major
> database servers.
> 
> The physical setup in the office has the firewall with its two nics, one
> plugged into the wall and the other plugged into the hub containing the
> client testbed.  Due to our limited IP pool, the machines on both sides of
> the firewall need to be in the same subnet (100.200.300.x, for example).
> 
> As I have it setup now, the routing table for the firewall explicitly
> routes to each of the hosts that are behind it (because they're on the
> same subnet I can't just map the subnet to one side or another):
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 100.200.300.10  0.0.0.0         255.255.255.255 UH    0      0        4 eth1
> 100.200.300.11  0.0.0.0         255.255.255.255 UH    0      0        2 eth1
> 100.200.300.12  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 100.200.300.0   0.0.0.0         255.255.252.0   U     0      0      247 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        2 lo
> 0.0.0.0         100.200.300.1   0.0.0.0         UG    1      0      159 eth0
> 
> 
>   where 100.200.300.{10,11,12} are the testbed machines (behind the
> firewall), and the gateway for the entire subnet (not just behind the
> wall) is 100.200.300.1 .
> 
> The firewall forwarding table is setup as:
> 
> IP firewall forward rules, default policy: deny
> type  prot source               destination          ports
> acc   all  0.0.0.0/0            100.200.300.10       n/a
> acc   all  100.200.300.10       0.0.0.0/0            n/a
> acc   all  0.0.0.0/0            100.200.300.11       n/a
> acc   all  100.200.300.11       0.0.0.0/0            n/a
> acc   all  0.0.0.0/0            100.200.300.12       n/a
> acc   all  100.200.300.12       0.0.0.0/0            n/a
> 
> using ipfwadm lines like:
> 
> /sbin/ipfwadm -F -i accept -S <protected_host> -D 0.0.0.0/0 \
>       -V 192.168.0.13 -W eth1
> /sbin/ipfwadm -F -i accept -S 0.0.0.0/0 -D <protected_host> \
>       -W eth0
> 
>   where 192.168.0.13 is the internal, unpublished, on-the-hub-only IP
> address of the firewall, eth0 is the external (outside-world) nic, and
> eth1 is the internal (on-the-hub) nic.
> 
> A few things about the network connections in the office:
> 
> + Each RJ45 port on the wall will remember up to four nic hardware
> addresses at a time.
> 
> + The testbed hub contains a total of four hosts (three behind the wall +
> the wall itself) so the RJ45 port on the wall should be filled to its
> limit.
> 
> 
> My questions are these:
> 
> - Would forwarding (using ipfwadm) packets from the protected hosts
> through the wall preserve their original, originating hardware address ?
> This would cause the RJ45 port to "remember" it so the rest of the routers
> in the building can know where to send packets destined for it.
> 
> - If yes or no, how would a machine outside the wall know that it would
> need to go through the wall to reach one of the protected hosts (if it
> knew its ip address, for example) ?
> 
> - Am I missing something crucial here ? I'm kinda drawing a blank on how
> this should work. I've only used firewalls in situations where ip masq was
> involved, prior to this.
> 
> Thanks.
> 
> --
> [------------------------------------------------------------------------]
> | Josh Becker                      - aka -                        JellyD |
> | email: jellyd@jellyd.org                            IRC: EFnet, DALnet |
> [------------------------------------------------------------------------]
> -----BEGIN PGP SIGNATURE-----
> Version: GNUPG v0.4.3 (GNU/Linux)
> Comment: For info finger gcrypt@ftp.guug.de
> 
> iD8DBQE2t+wYcmkpI69BOLwRAgm7AJ9mEEI1YGv7bRbhRWhwMP/e99Sf9QCeMGnx
> qKLNyLADccXwAbLkXnszatI=
> =Co3s
> -----END PGP SIGNATURE-----
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe@listserv.real-time.com
> For additional commands, e-mail: tclug-list-help@listserv.real-time.com
> Try our website: http://tclug.real-time.com

Thank You,
        Ben Kochie (ben@nerp.net)

*-----------------------*  [ - * - * - * - * - * - * - * - ]
| Unix/Linux Consulting |  [ Haiku Error Message:          ]
|  PC/Mac Repair        |  [  Chaos reigns within.         ]
|   Networking          |  [  Reflect, repent, and reboot. ]
| http://nerp.net       |  [  Order shall return.          ]
*-----------------------*  [ - * - * - * - * - * - * - * - ]

 "Unix is user friendly, Its just picky about its friends."
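The setup the reply above sketches (host routes on the hub side, an ARP presence for the protected hosts on the outside), written out as an added example. This is not code from either poster; it is a plan generator that assumes the layout described in the thread: eth0 outside, eth1 on the hub, protected hosts 100.200.300.10-12 (the thread's placeholder addresses, kept as-is), and a 2.0/2.2-era kernel driven by ipfwadm, route and arp from net-tools. The function names and the choice to print the commands rather than run them are mine; the kernel proxy_arp switch in the last step exists on 2.2 kernels, and the comment says what to do instead on 2.0.

```shell
#!/bin/sh
# Added example (not from the thread): generate the commands for a
# proxy-ARP firewall whose protected hosts share the outside subnet.
# gen_cmds prints the commands instead of running them so the plan can
# be read first; "./script apply" pipes them through sh on the wall.

EXT_IF=${EXT_IF:-eth0}          # outside nic (plugged into the wall port)
INT_IF=${INT_IF:-eth1}          # inside nic (on the testbed hub)
PROTECTED=${PROTECTED:-"100.200.300.10 100.200.300.11 100.200.300.12"}

gen_cmds() {
    # 1. The wall has to forward between its two nics at all.
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    # 2. Forward chain: flush (so re-runs stay idempotent), deny by default,
    #    then per-host accepts in both directions, as in the post.
    echo 'ipfwadm -F -f'
    echo 'ipfwadm -F -p deny'

    for h in $PROTECTED; do
        # Host route: the /32 beats the subnet route on eth0, so packets
        # for the protected host leave via the hub side.
        echo "route add -host $h dev $INT_IF"
        # Published ARP entry: the wall answers ARP queries for $h on the
        # outside with its own $EXT_IF hardware address (-D = use that
        # interface's MAC). Outside routers therefore hand the host's
        # packets to the wall, and the wall port only ever learns the
        # wall's MAC: forwarded IP packets are re-framed with the
        # forwarding nic's address, never the protected host's.
        echo "arp -i $EXT_IF -Ds $h $EXT_IF pub"
        # Filtering: everything to and from the host is accepted here;
        # tighten with -P tcp and port lists once the path works.
        echo "ipfwadm -F -a accept -S $h -D 0.0.0.0/0"
        echo "ipfwadm -F -a accept -S 0.0.0.0/0 -D $h"
    done

    # 3. The protected hosts still believe the whole subnet is on their
    #    wire, so they ARP on the hub for the gateway and for outside
    #    hosts. On a 2.2 kernel this switch makes the kernel answer those
    #    queries on $INT_IF for any address it routes via another nic.
    #    On 2.0 there is no such switch: publish the gateway (and any other
    #    outside address the hosts must reach) by hand with
    #    'arp -i eth1 -Ds <ip> eth1 pub' instead.
    echo "echo 1 > /proc/sys/net/ipv4/conf/$INT_IF/proxy_arp"
}

# Sanity check: one published ARP entry per protected host.
count_pub_entries() {
    gen_cmds | grep -c ' pub$'
}

# Sanity check: both forward directions present for a given host.
has_both_directions() {
    gen_cmds | grep -q "^ipfwadm -F -a accept -S $1 -D 0.0.0.0/0$" &&
    gen_cmds | grep -q "^ipfwadm -F -a accept -S 0.0.0.0/0 -D $1$"
}

if [ "${1:-}" = "apply" ]; then
    gen_cmds | sh -x
else
    gen_cmds
fi
```

Run it without arguments on any machine to read the plan; run it with `apply` only on the firewall itself, from the console, since a wrong host route or ARP entry cuts the box off the network. The one thing the script cannot fix is the wall port's four-address limit from the post: with proxy ARP the port sees only the wall's hardware address, so that limit stops mattering for the protected hosts.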