[jochen@teg-me.de: [suse-security] Firewall with SuSE 6.2]
Hi,
check out www.suse.de/~marc
The SuSEfirewall 1.1 should be much better than the stuff on the current
distribution.
cheers
afx
----- Forwarded message from Jochen Mader
Thanks to afx for that link, but the real problem is still there. Has anybody any idea how to do the following: I have a network with 16 hosts on one side of the firewall (those are exactly the hosts I want to protect), and one host from that network (the router) has to be on the other side of the firewall, because that's where the evil traffic is coming from. My question is: is it possible to do this WITHOUT subnetting? I tried almost everything but it still doesn't work: I can ping both devices of the firewall from the hosts on the inside, I can ping both devices of the firewall from the router, and I can ping the internal hosts and the router from the firewall, but I can't ping an internal host from the router or the router from an internal host (spoof protection is disabled).
Hi,

you might want to try using proxy arp. It is not exactly avoiding subnetting, but the other hosts on your network need not really know about it.

Assuming you have, for example:
- addresses 192.168.0.0/28 (that's 16 IP addresses)
- eth0 on the router side
- eth1 on the "protected" side

Choose your subnet for the protected side, e.g. 192.168.0.8/29 (8 IP addresses). Then configure your interfaces:

    eth0: 192.168.0.1 netmask 255.255.255.240
    eth1: 192.168.0.9 netmask 255.255.255.248

This leaves you 192.168.0.2-192.168.0.7 (inclusive!) on the router side (eth0) and 192.168.0.10-192.168.0.14 on the "protected" side for other machines. Your firewall knows where to send packets because the netmask on eth1 is more specific and the route is therefore preferred.

Then you configure static arp entries:

    arp -i eth1 -Ds 192.168.0.0 eth1 netmask 255.255.255.248 pub
    arp -i eth0 -Ds 192.168.0.8 eth0 netmask 255.255.255.248 pub

You can view arp entries with arp -an. As you see above, you have to configure the entries on one interface for the addresses that are reached by the _other_ interface.

All the other machines in the network have to use 255.255.255.240 as netmask. They reach the hosts on the other side of your firewall with the ARP mechanism. The ARP requests for machines on the other side are always answered by your firewall, so packets are sent to it. Of course you have to enable IP forwarding.

On the protected side, you now can use your external router's address as gateway just as it was without the firewall.

This worked with kernel 2.0.36; I hope the current kernels still don't mind assigning overlapping address ranges to different interfaces :-)

Regards
Matthias

At 15:13 15.10.1999 +0200, Jochen Mader wrote:
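The overlapping-subnet plan Matthias describes, worked through as an added example (this is not code from the thread or from SuSEfirewall): it checks that the chosen inner /29 can actually win the route against the outer /28, lists the addresses left on each side, shows which interface a destination leaves by (longest prefix match, which is why the more specific netmask on eth1 is preferred), derives the published ARP entries for the opposite interface, and generates the ifconfig/arp/forwarding commands for review rather than executing them. The interface names, the 192.168.0.0/28 network, the 192.168.0.8/29 inner subnet and the firewall addresses are assumptions taken from his mail; the remainder on the router side is computed with address_exclude(), so the same code handles an inner subnet that does not split the outer network exactly in half.

```python
"""Proxy-ARP plan for a firewall placed inside a single /28 (added example)."""
import ipaddress

# Assumed layout, as in the mail: eth0 faces the router, eth1 the protected hosts.
OUTER = "192.168.0.0/28"        # whole LAN, 16 addresses
PROTECTED = "192.168.0.8/29"    # inner subnet chosen for the protected side
FW_OUTER = "192.168.0.1"        # eth0 address
FW_INNER = "192.168.0.9"        # eth1 address
IFACES = {"outer": "eth0", "inner": "eth1"}


def _net(x):
    return x if isinstance(x, ipaddress.IPv4Network) else ipaddress.ip_network(x)


def _addr(x):
    return x if isinstance(x, ipaddress.IPv4Address) else ipaddress.ip_address(x)


def plan_problems(outer=OUTER, protected=PROTECTED, fw_outer=FW_OUTER, fw_inner=FW_INNER):
    """Checks to run before touching any interface; returns a list of problems (empty = OK)."""
    outer, protected = _net(outer), _net(protected)
    fw_outer, fw_inner = _addr(fw_outer), _addr(fw_inner)
    problems = []
    if not protected.subnet_of(outer):
        problems.append("protected subnet must lie inside the outer network")
    if protected.prefixlen <= outer.prefixlen:
        problems.append("protected prefix must be longer than the outer one, or its route never wins")
    if fw_inner not in protected:
        problems.append("eth1 address must be inside the protected subnet")
    if fw_outer not in outer or fw_outer in protected:
        problems.append("eth0 address must be in the outer network but outside the protected subnet")
    return problems


def egress_interface(dst, outer=OUTER, protected=PROTECTED):
    """Longest-prefix match as the kernel does it: the /29 on eth1 beats the /28 on eth0."""
    dst, outer, protected = _addr(dst), _net(outer), _net(protected)
    if dst in protected:
        return IFACES["inner"]
    if dst in outer:
        return IFACES["outer"]
    return None  # off-LAN: default route, not part of this plan


def usable_hosts(outer=OUTER, protected=PROTECTED, fw_outer=FW_OUTER, fw_inner=FW_INNER):
    """Addresses left for other machines on the router side and on the protected side."""
    outer, protected = _net(outer), _net(protected)
    fw_outer, fw_inner = _addr(fw_outer), _addr(fw_inner)
    router_side = [str(h) for h in outer.hosts() if h not in protected and h != fw_outer]
    protected_side = [str(h) for h in protected.hosts() if h != fw_inner]
    return router_side, protected_side


def proxy_arp_entries(outer=OUTER, protected=PROTECTED):
    """(interface, network) pairs the firewall must answer ARP for.

    Each block is published on the interface opposite to where its hosts live, so a
    request from one side for a host on the other side is answered with the firewall's
    own MAC and the frame is handed to the firewall for forwarding (and filtering).
    """
    outer, protected = _net(outer), _net(protected)
    router_side_blocks = sorted(outer.address_exclude(protected))
    entries = [(IFACES["inner"], str(net)) for net in router_side_blocks]
    entries.append((IFACES["outer"], str(protected)))
    return entries


def render_commands(outer=OUTER, protected=PROTECTED, fw_outer=FW_OUTER, fw_inner=FW_INNER):
    """The ifconfig/arp sequence from the mail, generated from the plan. Nothing is executed."""
    problems = plan_problems(outer, protected, fw_outer, fw_inner)
    if problems:
        raise ValueError("; ".join(problems))
    outer, protected = _net(outer), _net(protected)
    cmds = [
        f"ifconfig {IFACES['outer']} {fw_outer} netmask {outer.netmask}",
        f"ifconfig {IFACES['inner']} {fw_inner} netmask {protected.netmask}",
    ]
    for iface, net in proxy_arp_entries(outer, protected):
        net = _net(net)
        cmds.append(f"arp -i {iface} -Ds {net.network_address} {iface} netmask {net.netmask} pub")
    cmds.append("echo 1 > /proc/sys/net/ipv4/ip_forward")  # forwarding, as the mail requires
    return cmds


if __name__ == "__main__":
    router_side, protected_side = usable_hosts()
    print("router side:   ", router_side[0], "-", router_side[-1])
    print("protected side:", protected_side[0], "-", protected_side[-1])
    for dst in ("192.168.0.2", "192.168.0.10", "10.0.0.1"):
        print(f"{dst} -> {egress_interface(dst)}")
    print("\n".join(render_commands()))
```

Proxy ARP only makes the protected hosts reachable through the firewall; whether that path is filtered is decided by the packet-filter rules, which this script does not touch. Run it, read the generated lines, and only then type them on the firewall.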
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
participants (3)
-
Andreas Siegert
-
Jochen Mader
-
Matthias FERDINAND