Thanks a bunch!  This looks *perfect* for what I want to do.  Redhat 7.3 even has
packages for it, and it looks like you can assign it an ip address as well (e.g.,
for remote access).  I don't mind using NAT for web services, etc., but I'm
running a small AFS cell as well, and that would pretty much break access to AFS
from the outside (which would be nice, but not absolutely necessary).  Now that I
think about it, it would be possible to use tunnelling to make it work for select
clients, but (a) this might be difficult to get working in windows and (b) it
would not work for general public access if I wanted to allow it sometime in the
future.

I'll check it out.  Thanks.

--Nathan Davis

jeffr at odeon.net wrote:

> Greetings,
>
> I was faced with exactly the same problem as you.  What I ended up doing
> was using two separate firewalls (probably overkill, I know).
>
> I'm using an OpenBSD bridging firewall just inside the Cisco 675.  The
> bridging firewall is transparent to the network (i.e., it doesn't have an
> IP address assigned to either of its interfaces).  All traffic that comes
> in on one address is passed through the ipf rules set, with anything
> passing the rules being passed out the other interface.
>
> Behind that I've got a little 8-port hub.  This serves as my DMZ.  One of
> the ports is connected to a Linux-based firewall that does additional
> filtering, and does NAT for the private portion of my network.  This
> firewall has one of my assigned IPs on its outside interface.
>
> This lets me use the remainder of my assigned IPs for boxes in my DMZ, and
> I don't need to mess with doing NAT for my web/mail/DNS server.
>
> When I set this up the linux bridging code wasn't nearly as functional as
> it is today, so you may be able to do something similar entirely in linux
> today.  The linux bridging code can be found at bridge.sourceforge.net.
>
> Jeff
>
> On Mon, 15 Jul 2002, Nathan Davis wrote:
>
> > Hi,
> >
> > We have a Cisco 675 DSL router connecting the local network to the
> > Internet.  I'd like to put a firewall between the LAN and the Internet.
> > We have a block of 8 addresses (6 after accounting for broadcast and network
> > address), and don't want to use any more than necessary.
> >
> > The Cisco is operating in ppp mode (bridging mode *might* work, but we
> > don't have a management cable to get it back out if it doesn't), so that
> > burns one address.  The firewall would require two more addresses, which
> > would leave only three for the rest of the network.  Obviously, I'm
> > looking for a way to free up some of these addresses.  NAT is not an
> > option for some machines.
> >
> > After thinking about this for a while, I was wondering if I really need to
> > use two *real* ip addresses on the firewall machine.  Or even if there's
> > a way to set up a default route to an interface with no ip address
> > assigned.  Another option might be to have the cisco (and possibly the
> > firewall too) obtain an ip address via dhcp (I don't know how the other
> > end might take this, though), or assign the interface connecting the
> > firewall to the Cisco a "fake" address.
> >
> > Anyone have any suggestions -- what's worth trying, what won't work, new
> > ideas, etc.?
> >
> > --Nathan Davis
> >
> > _______________________________________________
> > Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> > http://www.mn-linux.org
> > tclug-list at mn-linux.org
> > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
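The transparent bridging firewall Jeff describes, written up for Linux with iproute2 and iptables as an added example (not code from the thread or from the bridge project). The interface names, the 192.0.2.x DMZ hosts and the published services are constructed assumptions; run it as root, or with DRY_RUN=1 to review the commands first.

```shell
# Transparent bridging firewall: two NICs joined into br0, no IP address on any
# of them, so the box filters at layer 2 and consumes none of the 6 usable IPs.
# Constructed assumptions: eth0 faces the Cisco 675, eth1 faces the DMZ hub,
# 192.0.2.10 is the web server, 192.0.2.11 the mail/DNS server (RFC 5737 range).
OUTSIDE=${OUTSIDE:-eth0}
INSIDE=${INSIDE:-eth1}
WEB=${WEB:-192.0.2.10}
MAILDNS=${MAILDNS:-192.0.2.11}
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or only print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# make_bridge: build br0 from both NICs and strip any IP configuration,
# then hand bridged frames to iptables so the FORWARD chain sees them
make_bridge() {
    run ip link add name br0 type bridge
    run ip link set "$OUTSIDE" master br0
    run ip link set "$INSIDE" master br0
    run ip addr flush dev "$OUTSIDE"
    run ip addr flush dev "$INSIDE"
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set br0 up
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# filter_rules: default-deny across the bridge, then permit only replies,
# traffic originating in the DMZ, and the services published to the outside
filter_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p tcp -d "$WEB" -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p tcp -d "$MAILDNS" --dport 25 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p udp -d "$MAILDNS" --dport 53 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p tcp -d "$MAILDNS" --dport 53 -j ACCEPT
    # log what falls through to the DROP policy so misconfigurations are visible
    run iptables -A FORWARD -j LOG --log-prefix "bridge-drop: "
}

# rule_count: number of iptables commands the rule set issues (for the dry run)
rule_count() { ( DRY_RUN=1; filter_rules ) | wc -l | tr -d ' '; }
```

Call `make_bridge` and then `filter_rules` from a console session, not over the network: the moment eth0 loses its address, any SSH session into that interface is gone.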