Mailinglist Archive: opensuse (3104 mails)

Re: [SLE] IP Masq / DHCP / Firewalling (Reply: LONG!)
  • From: agtiger@xxxxxxxxxxx (Argentium G. Tiger)
  • Date: Sun, 02 Apr 2000 17:29:07 -0500
  • Message-id: <3.0.5.32.20000402172907.008f36d0@xxxxxxxxxxxxxxxx>

At 03:48 PM 04/02/2000 +0000, Samy Elashmawy <samelash@xxxxxxxxxxxxx> wrote:

There's a lot of questions I have to answer. I'll try to be as clear as I can.

>long post , will take it home and study it.

That's a good idea. I wanted you to have something you could print out and use as a reference when making your changes.

>I see that you are also using dhcp? to pass out ips ?? Right

To answer your question briefly, yes. I use package 'dhcp' which is a DHCP Daemon (DHCPD) to hand out addresses to the machines on my internal network.

There are two packages you can install under series 'n' in yast: "dhclient" and "dhcp".

'dhclient' is the DHCP client.
Its configuration file is /etc/dhclient.conf
It is loaded at boot time only if the following setting is present
in /etc/rc.config:
DHCLIENT="yes"
Its job is to get an address from another machine's DHCP server.

Your dialup firewall does NOT need to run the 'dhclient' package (the dhcp client). wvdial will get your address for you when you connect, assign it to your "ppp0" interface, and modify your routing table accordingly.

'dhcp' is the DHCP server/daemon, which I sometimes call DHCPD.
Its configuration file is /etc/dhcpd.conf
It is loaded at boot time only if the following setting is present
in /etc/rc.config:
START_DHCPD="yes"
Its job is to provide addresses to other machines wanting to get ip addresses. You need to run this package somewhere on your network, either on your firewall, or on another machine.

>wow, lots of detail here.

I try to be complete.

>>It sounds like you're preparing a firewall/dialout box that connects you
>>to the internet whenever one of your machines on your internal network
>>needs IP services/a connection to the internet.
>
>Correct, hit the nail on the head.

Ok, piece of cake, my examples I provided in the last post should be very useful to you, since I pulled them off my firewall machine that works exactly how you want yours to. :-)

>>Ok, let's start with DHCP. I'm going to assume you mean DHCPD (the DHCP
>>daemon) that you want to control >what addresses the machines on your
>>internal network receive. Your dialout connection will provide you with
>>an address for your ppp0 link when you connect, so that angle is already
>>taken care of.

>Confusion here. DHCP is used to get the ISP's IP address that it assigns to
>you each time you dial into it and start a connection. It then somehow
>passes/swaps/or whatever it does this server-assigned address with the
>ip masq configuration that expects the same ip address all the time.

You don't need to worry about the dhcp client software. wvdial.dod and wvdial will take care of this for you when you connect to the internet. It will get an ip address to bind to the "ppp0" device, and will modify the routing table accordingly.

>>My internal network has the following setup:
>>My firewall has eth0 configured as 192.168.1.1. It runs DHCPD to feed
>>addresses to my other machines on my internal trusted network. I have four
>>machines on the internal network: "fileserv", "agtiger", "bronze", and
>>"twilight".
>>DHCPD is configured to recognize the NIC card's hardware addresses and
>>provide static IP's based on that. I also have a dynamic range of
>>addresses available for unrecognized machines that hook to my network (ie,
>>a friend brings their box over and wants to hook to my network quickly and
>>easily).

>Now here is where I start getting confused. You are using DHCP to pass out ip
>numbers based on hardware settings? mac address or what? do they get a
>different one each time?

I am using the DHCP Daemon (ie, DHCPD, configured via /etc/dhcp.conf) to pass out addresses to my internal workstations.

The firewall will provide a specific predetermined address if it recognizes the mac address of the card on the workstation making the request. It will provide a variable address from 192.168.1.200 to 192.168.1.220 if it does NOT recognize the mac address of the card on the workstation making the request.
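For readers of the archive, here is an added example of what a dhcpd.conf for the setup just described looks like, written in the ISC dhcpd 2.x syntax of that era. It is not the original poster's file: the firewall address 192.168.1.1, the dynamic range 192.168.1.200-220, the host name "fileserv" and its address 192.168.1.10 come from the thread, while the hardware (MAC) addresses, lease times and the second host's address are placeholders.

```conf
# /etc/dhcpd.conf - added example, not the poster's actual file.
# Values marked "placeholder" are invented for illustration.

# Defaults handed to every client on the internal network.
option routers 192.168.1.1;              # the firewall, from the thread
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
default-lease-time 600;                  # placeholder: 10 minutes
max-lease-time 7200;                     # placeholder: 2 hours

# Unrecognized machines (a friend's box) get a lease from this pool.
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.200 192.168.1.220;   # dynamic range from the thread
}

# Known workstations are matched on the hardware address of their NIC
# and always get the same fixed address.
host fileserv {
    hardware ethernet 00:00:00:00:00:01; # placeholder MAC
    fixed-address 192.168.1.10;          # fileserv's address from the thread
}

host bronze {
    hardware ethernet 00:00:00:00:00:02; # placeholder MAC
    fixed-address 192.168.1.11;          # placeholder address
}
```

One thing to keep in mind when relying on the "host" entries: the hardware address is whatever the client chooses to present, so a fixed-address mapping is an administrative convenience for naming machines consistently, not a way of controlling who may join the network. Any box plugged into eth0 still gets a lease from the dynamic range, which is exactly the behaviour described above for unrecognized machines.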

The firewall is configured to use 192.168.1.1 on eth0, always. This can be configured through yast:

System Administration ->
Network configuration ->
Network base configuration

Number Active Type of network Device name IP address
[0] [x] Ethernet eth0 192.168.1.1

If you press <return> on that line, you'll get a configuration
screen. Here's what mine looks like:

Type of network: eth0
IP address of your machine: 192.168.1.1
Netmask (usually 255.255.255.0): 255.255.255.0
Default gateway address (if required):
IP address of the Point-to-Point partner:

The file server is to use a variable address assigned by running the dhcp client on eth0. This can be configured through yast:

System Administration ->
Network configuration ->
Network base configuration

Number Active Type of network Device name IP address
[0] [x] Ethernet eth0 dhcpclient

If you press <return> on that line, you'll get a configuration
screen. Here's what mine looks like:

Type of network: eth0
IP address of your machine: 192.168.1.10
Netmask (usually 255.255.255.0): 255.255.255.0
Default gateway address (if required): 192.168.1.1
IP address of the Point-to-Point partner:

Now, you might be wondering, if you specified an IP address
here, how does my file server get an address through the
dhcp client? Select < Continue >, and return to the previous
screen. Select "F3=Auto IP" and then < DHCP >. Now the
machine will get its address from the DHCP server on the
network (the firewall). :-)

My windows workstations are configured to get their addresses from the firewall in this way:
