Hi all!

I want to protect our network with a firewall that should run on a SuSE machine (kernel 2.2 stable).

There is a router that provides a permanent DSL connection to the net. Normally this router is the gateway for all machines on the local net - but now I want to put a firewall in between.

The network has official IP addresses and all machines shall use these, which means that I do not want to have masquerading.

So I have put the firewall machine between router and local net. I have switched on ip_forwarding and - for testing - have set all ipchains to ACCEPT. Now it should route/forward everything, yes? But it doesn't. I can ping the firewall machine both from outside and from inside. But I cannot reach another host in the network from outside (and the other way around).

When I try to ping a host in the network from outside I get an answer from my DSL router that this host is not reachable. Maybe the problem is here, I don't know... Do you have an idea? Thanks a lot!

Michael
> I want to protect our network with a firewall that should run on a SuSE machine (kernel 2.2 stable).
> There is a router that provides a permanent DSL connection to the net. Normally this router is the gateway for all machines on the local net - but now I want to put a firewall in between.
> The network has official IP addresses and all machines shall use these, which means that I do not want to have masquerading.

This is a bit difficult, because you have the same subnet on both sides of the Linux box. It is much easier to get a single official IP for the firewall, and a subnet behind the firewall (also official). If you can't get new IP addresses, you may need to do ethernet bridging and firewalling; maybe there is a howto?

hth Markus
--
Markus Gaugusch, ICQ 11374583, markus@gaugusch.dhs.org
ASCII Ribbon Campaign Against HTML Mail
>> I want to protect our network with a firewall that should run on a SuSE machine (kernel 2.2 stable).
>> There is a router that provides a permanent DSL connection to the net. Normally this router is the gateway for all machines on the local net - but now I want to put a firewall in between.
>> The network has official IP addresses and all machines shall use these, which means that I do not want to have masquerading.
>
> This is a bit difficult, because you have the same subnet on both sides of the Linux box. It is much easier to get a single official IP for the firewall, and a subnet behind the firewall (also official). If you can't get new IP addresses, you may need to do ethernet bridging and firewalling; maybe there is a howto?

Strange... I thought enabling IP_FORWARD will route all traffic from one NIC to the other? I also have configured route.conf to send traffic for the local network to the NIC that is connected with this network. All other traffic is routed to the default gateway, which is my DSL router. This works pretty well at the moment. Only forwarding doesn't work.

Michael
> Strange... I thought enabling IP_FORWARD will route all traffic from one NIC to the other?

No. That enables you to move packets. You still have to set up interfaces and routing. If you want NAT/IPMASQ you need to install ipchains/iptables and set up appropriate rules to do so.

> I also have configured route.conf to send traffic for the local network to the NIC that is connected with this network. All other traffic is routed to the default gateway, which is my DSL router. This works pretty well at the moment. Only forwarding doesn't work.

Ehhh. You may want to study up on routing. Default routes, for example, point to an external IP on an interface. Pointing it out an interface isn't enough.

> Michael

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
I hope I got that right: you got the same subnet on both sides of the firewall? If that is true then the only way to get this to work is to use the arp-cache of the kernel (not easy). I'd suggest the following solution: Your router has two interfaces, one pointing to the internet and one to the inside. Assign a private subnet to the internal interface. Assign the same subnet to the external interface (the one that is talking to the router). Now add the static routes to the router and the firewall to tell 'em that all traffic has to go through this private subnet and you are done.
From: jochen mader [mailto:jochen@teg-me.de]

> I hope I got that right: you got the same subnet on both sides of the firewall? If that is true then the only way to get this to work is to use the arp-cache of the kernel (not easy). I'd suggest the following solution: Your router has two interfaces, one pointing to the internet and one to the inside. Assign a private subnet to the internal interface. Assign the same subnet to the external interface (the one that is talking to the router). Now add the static routes to the router and the firewall to tell 'em that all traffic has to go through this private subnet and you are done.

That system would (AFAIK) work. I've seen it in use once. Your routes would look like this:

1.2.3.0/24 -- your official subnet

DSL-Router:
  eth0: external device, official ip address
  eth1: internal device, private address 192.168.0.1
  1.2.3.0 netmask 255.255.255.0 gw 192.168.0.2 dev eth1
  default dev eth0

firewall:
  eth0: external -- connected by crossover cable to dsl-router, 192.168.0.2
  eth1: internal -- connected to your subnet, official ip address != dsl-router-address
  1.2.3.0 netmask 255.255.255.0 dev eth1
  default gw 192.168.0.1 dev eth0

All other hosts have to be routed through the firewall (its official address).

Should work?!

Greets, Andreas
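The following is an added example, not code from any of the posters, to show why the layout Michael describes fails where the one Andreas sketches works. A router picks the outgoing interface by longest-prefix match on its own routing table: with 1.2.3.0/24 still configured as directly connected on the router's inside interface, packets for inside hosts never reach the firewall at all (the router ARPs for the host on a cable where only the firewall answers, gets no reply, and returns host unreachable, which is exactly the reply Michael saw; ip_forward on the firewall is never consulted). With the private transit net in between, the router's route for the official /24 points at the firewall's 192.168.0.2, and the firewall's ip_forward setting becomes the thing that decides. The host addresses (1.2.3.1, .2, .3, .50, 203.0.113.1, 198.51.100.7), the interface names and the model itself are assumptions made here; only 1.2.3.0/24 and 192.168.0.0/24 come from the thread.

```python
"""Routing walk-through for a firewall placed between a DSL router and a LAN.
Added example, not code from the thread.  Layout A is the original setup
(1.2.3.0/24 on both sides of the firewall); layout B is the one Andreas
describes (private transit net 192.168.0.0/24 between router and firewall).
1.2.3.0/24 and 192.168.0.0/24 are the thread's placeholders; host addresses
(1.2.3.1/.2/.3/.50, 203.0.113.1, 198.51.100.7) and interface names are
assumptions for this example.  A 'wire' is the set of addresses that answer
ARP on an interface; an ARP miss is what makes a router report
'host unreachable' for a directly connected destination."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network
Wires = Dict[Tuple[str, str], Set[str]]   # (box, dev) -> addresses answering ARP there

@dataclass
class Route:
    prefix: Net
    dev: str
    gw: Optional[str] = None    # None: destination is directly connected

@dataclass
class Box:
    name: str
    addrs: Dict[str, str]     # dev -> own address
    routes: List[Route]
    forwarding: bool = True   # /proc/sys/net/ipv4/ip_forward

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; 0.0.0.0/0 is the default route."""
        ip = ipaddress.IPv4Address(dst)
        hits = [r for r in self.routes if ip in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

def trace(boxes: Dict[str, Box], wires: Wires, start: str, dst: str) -> List[str]:
    """Follow one packet from box `start` towards `dst`; return the per-hop log."""
    log: List[str] = []
    here = boxes[start]
    for _ in range(8):
        if dst in here.addrs.values():
            return log + [f"{here.name}: delivered, {dst} is a local address"]
        if here.name != start and not here.forwarding:
            return log + [f"{here.name}: not the destination and ip_forward=0, packet dropped"]
        r = here.lookup(dst)
        if r is None:
            return log + [f"{here.name}: no route to {dst}"]
        target = r.gw or dst    # next hop: the gateway, or dst itself if connected
        log.append(f"{here.name}: {dst} matches {r.prefix} dev {r.dev}"
                   f" ({'gw ' + r.gw if r.gw else 'connected'}), ARP {target} on {r.dev}")
        if target not in wires.get((here.name, r.dev), set()):
            return log + [f"{here.name}: no ARP reply for {target} on {r.dev}, host unreachable"]
        owners = [b for b in boxes.values() if target in b.addrs.values()]
        if not owners:
            return log + [f"delivered to {target}"]   # end host not modelled as a Box
        here = owners[0]
    return log + ["hop limit exceeded, routing loop?"]

def build_same_subnet() -> Tuple[Dict[str, Box], Wires]:
    """A: the router keeps 1.2.3.0/24 as a connected route on eth1; hosts still use 1.2.3.1."""
    boxes = {
        "router": Box("router", {"eth0": "203.0.113.1", "eth1": "1.2.3.1"},
                      [Route(Net("1.2.3.0/24"), "eth1"), Route(Net("0.0.0.0/0"), "eth0")]),
        "firewall": Box("firewall", {"eth0": "1.2.3.2", "eth1": "1.2.3.3"},
                        [Route(Net("1.2.3.0/24"), "eth1"), Route(Net("0.0.0.0/0"), "eth0", "1.2.3.1")]),
        "lanhost": Box("lanhost", {"eth0": "1.2.3.50"}, [Route(Net("0.0.0.0/0"), "eth0", "1.2.3.1")]),
    }
    wires: Wires = {("router", "eth0"): {"198.51.100.7"},   # DSL side
                    ("router", "eth1"): {"1.2.3.2"},        # only the firewall is on this cable now
                    ("firewall", "eth0"): {"1.2.3.1"}, ("firewall", "eth1"): {"1.2.3.50"},
                    ("lanhost", "eth0"): {"1.2.3.3"}}
    return boxes, wires

def build_transit_subnet(forwarding: bool = True) -> Tuple[Dict[str, Box], Wires]:
    """B: 192.168.0.0/24 on the crossover cable; the router routes 1.2.3.0/24 via 192.168.0.2."""
    boxes = {
        "router": Box("router", {"eth0": "203.0.113.1", "eth1": "192.168.0.1"},
                      [Route(Net("192.168.0.0/24"), "eth1"), Route(Net("1.2.3.0/24"), "eth1", "192.168.0.2"),
                       Route(Net("0.0.0.0/0"), "eth0")]),
        "firewall": Box("firewall", {"eth0": "192.168.0.2", "eth1": "1.2.3.1"},
                        [Route(Net("192.168.0.0/24"), "eth0"), Route(Net("1.2.3.0/24"), "eth1"),
                         Route(Net("0.0.0.0/0"), "eth0", "192.168.0.1")], forwarding),
        "lanhost": Box("lanhost", {"eth0": "1.2.3.50"}, [Route(Net("0.0.0.0/0"), "eth0", "1.2.3.1")]),
    }
    wires: Wires = {("router", "eth0"): {"198.51.100.7"}, ("router", "eth1"): {"192.168.0.2"},
                    ("firewall", "eth0"): {"192.168.0.1"}, ("firewall", "eth1"): {"1.2.3.50"},
                    ("lanhost", "eth0"): {"1.2.3.1"}}   # the LAN's gateway is now the firewall
    return boxes, wires

if __name__ == "__main__":
    for label, (boxes, wires) in (("A", build_same_subnet()), ("B", build_transit_subnet())):
        for start, dst in (("router", "1.2.3.50"), ("lanhost", "198.51.100.7")):
            print(f"[{label}] {start} -> {dst}: " + " | ".join(trace(boxes, wires, start, dst)))
```

Run it and layout A stops at the router in both directions with no ARP reply, whereas layout B carries the packet router, firewall, host and back. Rebuilding B with `build_transit_subnet(forwarding=False)` shows the one failure ip_forward does control: the firewall drops the packet instead of forwarding it. The same model makes Markus' point concrete: once the official /24 sits only behind the firewall, no ARP tricks are needed, and the remaining design question is which ipchains rules the forward chain should carry.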
Hi Michael,

What you want can be done with the bridging code. I've done that several times using kernel 2.2.16 and bridging patches which are published on http://www.math.leidenuniv.nl/~buytenh/bridge/. There you will also find how to do it. In usr/share/doc/howto/minihowto you can find a minihowto about bridging. Advantage of this kind of bridging: you only need one IP address and there is no routing. Disadvantage: you lose certain ipchains functionality, such as defining policies. Please read more on the bridging homepage. We've done penetration testing against the bridge. It was ok.

hth Philipp
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Michael,

> There is a router that provides a permanent DSL connection to the net. Normally this router is the gateway for all machines on the local net - but now I want to put a firewall in between.
> The network has official IP addresses and all machines shall use these, which means that I do not want to have masquerading.

As an alternative, if you have sufficient "official" or public IP addresses, you could subnet those at the router and give the rest to the firewall and internal network. You could then still have a routed network. It would mean a config change on the DSL router though.

Regards
James
--
http://www.deiknumi.com
participants (7)
- Andreas Achtzehn
- James Leroux
- jochen mader
- Kurt Seifried
- Markus Gaugusch
- Michael Neumann
- Philipp Snizek