TCLUG Archive

RE: [TCLUG:3868] Firewalling / Routing

> My questions are these:
> - - Would forwarding (using ipfwadm) packets from the protected hosts
> through the wall preserve their original, originating hardware address ?
> This would cause the RJ45 port to "remember" it so the rest of the routers
> in the building can know where to send packets destined for it.
> - - If yes or no, how would a machine outside the wall know that it would
> need to go through the wall to reach one of the protected hosts (if it
> knew its ip address, for example) ?
> - - Am I missing something crucial here ? I'm kinda drawing a blank on how
> this should work. I've only used firewalls in situations where ip masq was
> involved, prior to this.

	AFAIK, there is no way to use IP masquerading and still preserve your
registered, routable IP address on machines inside as they go through the
	What I've usually done is set up the firewall to be outgoing only, and put
machines which must be world-accessible *outside* of the wall.  It might be
a good idea to have a second firewall, doing plain old routing, outside of
that (so, essentially, you have a DMZ area between two firewalls which is
not as protected as the stuff inside your ipmasq firewall, but is not
totally exposed either).
	My philosophy has always been that if a machine is going to be
world-accessible, then you should secure that machine to the best of your
ability, then hang it outside the firewall and make sure you're monitoring
it and keeping good backups.
	Remember, also, that having world-accessible machines inside your firewall
can be a hazard.  If I can somehow exploit whatever services are running on
those machines, I may be able to introduce malicious programs into your
network, use SNMP to browse your internal net, or otherwise set up some kind
of base of operations within your system, defeating the whole point of the
firewall -- kinda like going around the Maginot Line, to continue with the
military metaphors.
	Another possibility which just occurred to me would be to use one firewall
with three NIC cards - one each for internal ipmasq'ed machines,
world-accessible routable machines and the Internet.  Setting this up can
get complicated, but I think it should be possible.

	Of course, if you're planning to do VPN or somesuch thing, where access to
internal machines is encrypted and tightly controlled, then you have less of
a problem.  Nonetheless, it may be wise to keep those machines separate from
the rest of your network.
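The three-NIC design from the reply above, as an added example that is not part of the original post: a small model of the forwarding policy between the three zones (ipmasq'ed internal net, routable DMZ, Internet), written in Python rather than as ipfwadm rules so it can be run and checked without a firewall box. All addresses, the service list and the Packet type are constructed for illustration; reply traffic is not modeled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the three-NIC design: one NIC per zone.
INTERNAL = ip_network("192.168.1.0/24")    # ipmasq'ed machines (private space)
DMZ = ip_network("203.0.113.0/28")         # routable, world-accessible hosts
FIREWALL_EXTERNAL_IP = ip_address("203.0.113.1")
# Services the world may reach in the DMZ (constructed). Anything else,
# SNMP (161/udp) included, is refused from the outside.
DMZ_SERVICES = {("tcp", 80), ("tcp", 25)}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def zone(addr):
    """Map an address onto the NIC/zone it belongs to."""
    a = ip_address(addr)
    if a in INTERNAL:
        return "internal"
    if a in DMZ:
        return "dmz"
    return "internet"


def forward(pkt):
    """Return (verdict, packet as it leaves the firewall).

    verdict is 'masquerade', 'accept' or 'deny'."""
    s, d = zone(pkt.src), zone(pkt.dst)
    if s == "internal":
        # Outgoing-only for the masq'ed net: the source address is rewritten
        # to the firewall's routable address, so the original inside address
        # never appears beyond the wall (the answer to the first question).
        return "masquerade", Packet(str(FIREWALL_EXTERNAL_IP), pkt.dst,
                                    pkt.proto, pkt.dport)
    if d == "internal":
        # Neither the DMZ nor the Internet may initiate into the internal net;
        # a compromised DMZ host must not become a "base of operations".
        return "deny", pkt
    if s == "internet" and d == "dmz":
        ok = (pkt.proto, pkt.dport) in DMZ_SERVICES
        return ("accept" if ok else "deny"), pkt
    if s == "dmz" and d == "internet":
        return "accept", pkt
    return "deny", pkt
```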