Hi, I have a quick question regarding firewalling using Firewall on CD and routing. The Firewall on CD manual advises not to route packets, but to proxy wherever possible, and in the absence of a proxy for my particular application, I am looking to find out if what I want to do can be done without routing, and where the routing may need to be deployed. My opinion differs from the ISP's, and I need a second opinion before I concede defeat or demand victory.

The setup is that our office facility has a leased line terminating in a router, and provides internet connectivity to multiple clients from the one line. The router which the line terminates in is x.x.x.2, and every IP address we have traceroutes through that router. We have a block of 16 IP addresses from the block of 256 available; we have x.x.x.49..63 all in its own subnet with an appropriate subnet mask to keep the broadcasts local. The ISP installed some type of dumb gateway on .49 to allow our outgoing traffic to reach the router on x.x.x.2 without being in the same subnet as that router, but all incoming traffic avoids the gateway on .49. All traceroutes for any of our 16 IPs route up to and including the x.2 router.

I propose to place a firewall with its public interface on .50 and split the remaining IP addresses, x.51..63, into a disjoint network which I shall use as a DMZ. The DMZ is intended to run an HTTP server, POP, SMTP, a special demo server and another server running a VNC server. I propose to have the firewall route this traffic if it reaches the external interface for something in the DMZ. Outgoing traffic will be fine, but it is my understanding that inbound traffic on the leased line needs to know that it must route through x.50 in order to reach the servers located in the DMZ. I will configure the routing in the firewall. I have requested to the ISP that routing changes be made to x.2 so that all traffic for IP addresses x.51..63 be routed through my firewall located on x.50.

The ISP says no, it's not needed, it will work without it. I say he's an idiot. I went over his head to his manager, who also maintains that the routes do not need to be added, and that it's a waste of time, and I say that he's an idiot too. Can anyone out there confirm that these two guys are idiots, or is it me?

TIA,
Tom Crowe
tom@songfield.com
Hi Tom, hi list!
[...] We have a block of 16 IP addresses from the block of 256 available; we have x.x.x.49..63 all in its own subnet with an appropriate subnet mask to keep the broadcasts local. The ISP installed some type of dumb gateway on .49 to allow our outgoing traffic to reach the router on x.x.x.2 without being in the same subnet as that router, but all incoming traffic avoids the gateway on .49. All traceroutes for any of our 16 IPs route up to and including the x.2 router. I propose to place a firewall with its public interface on .50 and split the remaining IP addresses, x.51..63, into a disjoint network which I shall use as a DMZ. The DMZ is intended to run an HTTP server, POP, SMTP, a special demo server and another server running a VNC server. I propose to have the firewall route this traffic if it reaches the external interface for something in the DMZ.

One possible solution is to activate proxy-ARP on your firewall machine for the internal and external interface, and give both interfaces the same IP number, in your case x.x.x.50.

            router              firewall
         ----------          ------------
    ISP ---|.2    .49|------|.50      .50|----- DMZ
         ----------          ------------
                             eth1     eth0

The router will now "see" the hardware address of eth1 for all machines in the DMZ, and these will see the hardware address of eth0 both for x.x.x.50 and x.x.x.49. The firewall machine should route packets to x.x.x.49 over eth1 and all the rest over eth0. No changes are needed on the DMZ machines; they will only see one more hop in a traceroute.

Alternatively, you could use the "bridging toolkit", which currently is not included in the SuSE distributions (it's still under development). This would allow you to have a firewall without an IP address.

Hope this helps a bit.

Best wishes,
Nico van Eikema Hommes
--
Dr. N.J.R. van Eikema Hommes
Computer-Chemie-Centrum, Universitaet Erlangen-Nuernberg
hommes@chemie.uni-erlangen.de
Phone: +49-(0)9131-8526532
FAX: +49-(0)9131-8526565
Naegelsbachstrasse 25, D-91052 Erlangen, Germany
Hi all,

One possible solution is to activate proxy-ARP on your firewall machine for the internal and external interface, and give both interfaces the same IP number, in your case x.x.x.50.

            router              firewall
         ----------          ------------
    ISP ---|.2    .49|------|.50      .50|----- DMZ
         ----------          ------------
                             eth1     eth0

The router will now "see" the hardware address of eth1 for all machines in the DMZ, and these will see the hardware address of eth0 both for x.x.x.50 and x.x.x.49. The firewall machine should route packets to x.x.x.49 over eth1 and all the rest over eth0. No changes are needed on the DMZ machines; they will only see one more hop in a traceroute.

OK, this is a solution; I also received a NAT solution offlist which would eliminate the need for using public IPs in the DMZ, and thanks for both of these. I guess what I am really asking is not whether there is a solution to avoid routing, but how is it done in the real world? What is the proper way to do it? If I do one of the above, am I implementing a hack to get around an ISP restriction, or should it be done using routing, or is this the way everyone does it?

TIA,
Tom
tom@songfield.com
* Tom Crowe wrote on Thu, Jul 04, 2002 at 14:27 +0100:
I guess what I am really asking is not whether there is a solution to avoid routing, but how is it done in the real world? What is the proper way to do it? If I do one of the above, am I implementing a hack to get around an ISP restriction, or should it be done using routing, or is this the way everyone does it?

I know that ISPs sometimes make such funny statements. Well, of course there is a chance to hack it so that it will work - but who likes an unclean uplink? Proxy ARP can be nice in some cases, but I wouldn't like it on a firewall... I would suggest you find a web page describing basic IP routing, search for a nice URL like ipfordummies or such :) and post the link to the ISP. Give them a backdoor like "it seems that you misunderstood my configuration" and send them the routing table entry.

I know that problem, and I know ISPs that told me they had updated their router's configuration, but do not trust them - use arp and of course tcpdump to check if they did. And if it works, power off and power on their router, and if it stops working after that, tell them that you had a power loss and it stopped working and kindly ask if it would be possible to permanently store the bloody config in their damned router. You may think it's funny, but we had such a problem with a non-permanent routing entry and had a complete failure after a power loss! Do not assume that the ISP contact person knows anything about IP... Maybe you can get tech contacts.

oki,
Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
On Thursday 04 July 2002 03:11, Tom Crowe wrote:
We have a block of 16 IP addresses from the block of 256 available; we have x.x.x.49..63 all in its own subnet with an appropriate subnet mask to keep the broadcasts local. The ISP installed some type of dumb gateway on .49 to allow our outgoing traffic to reach the router on x.x.x.2 without being in the same subnet as that router, but all incoming traffic avoids the gateway on .49. All traceroutes for any of our 16 IPs route up to and including the x.2 router.

I propose to place a firewall with its public interface on .50 and split the remaining IP addresses, x.51..63, into a disjoint network which I shall use as a DMZ. The DMZ is intended to run an HTTP server, POP, SMTP, a special demo server and another server running a VNC server. I propose to have the firewall route this traffic if it reaches the external interface for something in the DMZ.

From your setup I understand you have a /28 net with 16 IP numbers, of which 13 are usable by you. You can split that up into two /29 nets containing 8 IP numbers each, of which 5 are usable (deducting one IP each for the network, broadcast and gateway address). But the split would then occur at the 48-55 / 56-63 boundary, not at 'everything above 51'. As there is NO netmask that will fit the range 51-63, your ISP can (and will) not route that. Which, IMHO, makes perfect sense for them indeed. However, they _should_ NOT have objections against splitting your range into two /29s and routing that. Most certainly the packets will not 'automatically' find their way without them routing it differently, so yes, in that aspect they are surely idiots... However, I will repeat here that splitting up like you intended (51-63) is _not_ possible, not through proper routing anyway.
Outgoing traffic will be fine, but it is my understanding that inbound traffic on the leased line needs to know that it must route through x.50 in order to reach the servers located in the DMZ. I will configure the routing in the firewall.
I have requested to the ISP that routing changes be made to x.2 so that all traffic for IP address x.51..63 be routed through my firewall located on x.50.
The ISP says no, it's not needed, it will work without it. I say he's an idiot. I went over his head to his manager, who also maintains that the routes do not need to be added, and that it's a waste of time, and I say that he's an idiot too.

Can anyone out there confirm that these two guys are idiots, or is it me?

They're idiots. But maybe they know what must be done but don't want to? Maybe they are under no obligation to let you subnet? Who knows...?

Good luck with it,
Maarten
--
Maarten J. H. van den Berg ~~//~~ network administrator
VBVB - Amsterdam - The Netherlands - http://vbvb.nl
T +31204233288 F +31204233286 G +31651994273
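Maarten's subnetting argument can be checked mechanically. The following is an added example, not code from anyone in the thread; it uses the documentation range 203.0.113.0/24 as a constructed stand-in for the thread's "x.x.x" prefix, and shows both that the /28 splits only at the .48-.55 / .56-.63 boundary and that the proposed .51-.63 range needs three separate prefixes, so no single route or netmask can describe it.

```python
import ipaddress

# Constructed stand-in for the thread's "x.x.x" prefix (RFC 5737 documentation range).
# The 16-address allocation .48-.63 is the /28 that Maarten describes.
ALLOCATION = ipaddress.ip_network("203.0.113.48/28")


def split_block(block, new_prefix):
    """Split a block into equal subnets and report what each one leaves usable.

    Usable hosts follow Maarten's accounting: the network, broadcast and one
    gateway address come off the top of every subnet.
    Returns a list of (cidr, first_octet_suffix, last_octet_suffix, usable).
    """
    result = []
    for sub in block.subnets(new_prefix=new_prefix):
        usable = sub.num_addresses - 3
        first = int(sub.network_address) & 0xFF
        last = int(sub.broadcast_address) & 0xFF
        result.append((str(sub), first, last, usable))
    return result


def prefixes_for_range(first, last):
    """Return the CIDR prefixes needed to cover an inclusive host range.

    The range is describable by one netmask (and so by one routing entry)
    only when exactly one prefix comes back.
    """
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def single_route_possible(first, last):
    """True when a single route/netmask covers first..last inclusive."""
    return len(prefixes_for_range(first, last)) == 1


if __name__ == "__main__":
    print("Proper /29 split of the /28:")
    for cidr, lo, hi, usable in split_block(ALLOCATION, 29):
        print(f"  {cidr}: .{lo}-.{hi}, {usable} usable hosts")
    proposed = ("203.0.113.51", "203.0.113.63")
    print("Proposed DMZ .51-.63 needs:", prefixes_for_range(*proposed))
    print("Single route possible?", single_route_possible(*proposed))
    print("Single route for .56-.63?",
          single_route_possible("203.0.113.56", "203.0.113.63"))
```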
participants (4)
-
Maarten J H van den Berg
-
Nico van Eikema Hommes
-
Steffen Dettmer
-
Tom Crowe