Greetings,

I was faced with exactly the same problem as you.  What I ended up doing
was using two separate firewalls (probably overkill, I know).

I'm using an OpenBSD bridging firewall just inside the Cisco 675.  The
bridging firewall is transparent to the network (i.e., it doesn't have an
IP address assigned to either of its interfaces).  All traffic that comes
in on one address is passed through the ipf rule set, with anything
passing the rules being passed out the other interface.

Behind that I've got a little 8-port hub.  This serves as my DMZ.  One of
the ports is connected to a Linux-based firewall that does additional
filtering, and does NAT for the private portion of my network.  This
firewall has one of my assigned IPs on its outside interface.

This lets me use the remainder of my assigned IPs for boxes in my DMZ, and
I don't need to mess with doing NAT for my web/mail/DNS server.

When I set this up, the Linux bridging code wasn't nearly as functional as
it is today, so you may be able to do something similar entirely in Linux
today.  The Linux bridging code can be found at bridge.sourceforge.net.

Jeff


On Mon, 15 Jul 2002, Nathan Davis wrote:

> Hi,
>
> We have a Cisco 675 DSL router connecting the local network to the
> Internet.  I'd like to put a firewall between the LAN and the Internet.
> We have a block of 8 addresses (6 after accounting for broadcast and
> network address), and don't want to use any more than necessary.
>
> The Cisco is operating in ppp mode (bridging mode *might* work, but we
> don't have a management cable to get it back out if it doesn't), so that
> burns one address.  The firewall would require two more addresses, which
> would leave only three for the rest of the network.  Obviously, I'm
> looking for a way to free up some of these addresses.  NAT is not an
> option for some machines.
>
> After thinking about this for a while, I was wondering if I really need to
> use two *real* IP addresses on the firewall machine.  Or even if there's
> a way to set up a default route to an interface with no IP address
> assigned.  Another option might be to have the Cisco (and possibly the
> firewall too) obtain an IP address via DHCP (I don't know how the other
> end might take this, though), or assign the interface connecting the
> firewall to the Cisco a "fake" address.
>
> Anyone have any suggestions -- what's worth trying, what won't work, new
> ideas, etc.?
>
> --Nathan Davis
>
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
>
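A Linux-only version of the two-stage layout Jeff describes, added here as an example; it is not code from the thread or from the bridge.sourceforge.net project, and it uses the current iproute2 bridge commands rather than brctl. The outer box is an IP-less bridge that filters with iptables, so it burns none of the /29; the NAT box and DMZ hosts behind it use the public addresses. The interface names eth0/eth1, the 203.0.113.0/29 block, the address assignments in the comments and the allowed ports are all assumptions for illustration. With DRY_RUN=1 the functions print the commands instead of running them, so the plan can be reviewed on a box that does not have the interfaces.

```shell
#!/bin/sh
# Added example, not from the original thread.  Assumed layout:
#
#   Cisco 675 (.1) <-> eth0 [ br0, no IP address ] eth1 <-> DMZ hub
#       DMZ hub: NAT firewall outside interface (.2), web/mail/DNS (.3 - .6)
#
# 203.0.113.0/29 is a documentation range standing in for the real block.
# Everything here is run as root when actually applied.

# run CMD...: execute CMD, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_bridge OUTSIDE INSIDE
# Join the two interfaces into br0 and bring it up WITHOUT assigning an
# address, so the firewall is transparent and consumes no public IP.
build_bridge() {
    outside=$1 inside=$2
    run ip link add name br0 type bridge
    run ip link set dev "$outside" master br0
    run ip link set dev "$inside" master br0
    run ip link set dev "$outside" up
    run ip link set dev "$inside" up
    run ip link set dev br0 up
    # Hand bridged frames to the iptables FORWARD chain (needs the
    # br_netfilter module on current kernels).
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# filter_rules OUTSIDE INSIDE DMZ_NET
# Default-deny forwarding.  Because no interface has an address, direction
# is decided with the physdev match on the bridge port a frame came in on.
filter_rules() {
    outside=$1 inside=$2 dmz=$3
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Frames arriving from the DSL side that claim a DMZ source are forged.
    run iptables -A FORWARD -m physdev --physdev-in "$outside" -s "$dmz" -j DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything originating on the DMZ side may go out.
    run iptables -A FORWARD -m physdev --physdev-in "$inside" -j ACCEPT
    # Inbound: only the public services (SMTP, DNS, HTTP are assumed).
    for p in 25 53 80; do
        run iptables -A FORWARD -m physdev --physdev-in "$outside" \
            -p tcp -d "$dmz" --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    run iptables -A FORWARD -m physdev --physdev-in "$outside" \
        -p udp -d "$dmz" --dport 53 -j ACCEPT
}

# Apply for real only when explicitly asked (BRIDGE_FW_APPLY=1).
if [ "${BRIDGE_FW_APPLY:-0}" = 1 ]; then
    build_bridge eth0 eth1
    filter_rules eth0 eth1 203.0.113.0/29
fi
```

Two caveats from running this kind of box: an address-less bridge cannot be reached over the network, so plan on a console or a third management interface before you lose the keyboard; and the physdev and bridge-nf pieces are what make a bridge filterable at layer 3 at all, so check that `iptables -m physdev -h` and the `net.bridge.bridge-nf-call-iptables` sysctl both exist on the kernel you intend to use before trusting the rule set.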