To really do firewalling properly, you will need different subnets. You can set up your Linux box with two NICs with IP addresses in the same range on both NICs, enable IP forwarding and set all your workstations and servers to use that machine for their gateway (heck, you only need one NIC for that) and that would handle outbound traffic. Incoming traffic is another matter.

One solution, if you have control of your router, is to change the route on the router and set up an invalid IP on the first NIC in the Linux box, for example:

    internet ----- router ---------- linux box ------- lan
    (xxx.xxx.xxx.xxx/y)  192.168.1.1/30   192.168.1.2/30   xxx.xxx.xxx.xxx/y

So if it's a Cisco router, you would set the Ethernet interface IP to 192.168.1.1 255.255.255.252 and set up routing as follows:

    route ip xxx.xxx.xxx.xxx 255.255.255.0 192.168.1.2

which would send all traffic for your LAN to the Linux box, which could then do packet filtering, logging and routing. This way, you don't need to change anything on your LAN except maybe the default gateway. Of course, if you don't have a firewall now, and the gateway is the router, then you can just set the eth1 interface IP address on the Linux box (the one connected to the LAN) to the IP address of the router. Also, you could get by with just hooking the router and firewall up with a crossover cable and avoiding any switching issues.

I have successfully done this with OpenBSD but never tried doing any actual routing (other than masquerading) with Linux.

On Mon, 16 Jul 2001, John Bland wrote:
Hi,
I'm having some bother setting up a firewall and although the problem is pure networking I just thought I'd check I'm not doing something stupid.
We have a network here with a large number of proper unique ip addresses. This is both for servers and workstations which people like to log into etc from offsite.
What I'd like to do is put in some 'seamless' firewalling, i.e. retain our unique IP addresses but firewall the connection to them to only allow secure connections and log the traffic. To do this I'm putting in a Linux box with two NICs between our incoming connection and the primary hub.
I'm aware that using non-routables would be easier and more secure but that would mean a complete overhaul of our setup and messing about with proxies.
The problem is that this means the two NICs on the firewall are on the same subnet. There appears to be some problem with routing in this setup. I've not tried to do anything fancy just set up eth0 and eth1 as normal.
Any comments? I'd really rather avoid a wholesale move to 192.168.x.x if possible.
Cheers, JB
--
John Bland M.Phys (Hons) AMInstP
PhD Student & Sys Admin          Email: j.bland at cmp.liv.ac.uk
Condensed Matter Group           http://ringtail.cmp.liv.ac.uk/
Liverpool University
"Hey, I wonder how much meat you get on a womble?" -- Eddie
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Chad Whitten
Network/Systems Administrator
Nexband Communications
chadwick@nexband.com
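The following is an added example, not code from either poster: a small longest-prefix-match simulation of the routing tables in the two layouts discussed above. It shows why John's setup (both firewall NICs numbered in the same public subnet) leaves the kernel with two connected routes for one prefix, so LAN-bound packets can be sent out the router-facing interface, and how Chad's /30 transit network plus a static route on the router (written here in IOS `ip route` form) makes every inbound packet for the public block pass through the firewall. The public block 203.0.113.0/24 and the upstream address 198.51.100.1 are constructed placeholders standing in for the thread's xxx.xxx.xxx.xxx/y; the tie-break rule (first installed route wins when prefix lengths are equal) is a simplification of the kernel's behaviour, not a claim about any specific version.

```python
import ipaddress

# Constructed placeholder addresses (RFC 5737 documentation ranges stand in
# for the thread's xxx.xxx.xxx.xxx/y public block).
LAN_NET = "203.0.113.0/24"        # the site's real, routable block
TRANSIT_NET = "192.168.1.0/30"    # Chad's /30 between router and firewall
ROUTER_TRANSIT = "192.168.1.1"    # router's Ethernet interface on the /30
FW_TRANSIT = "192.168.1.2"        # firewall eth0 on the /30
UPSTREAM = "198.51.100.1"         # ISP side of the router (placeholder)


def lookup(routes, dst):
    """Longest-prefix-match route selection.

    routes: list of (network, iface, gateway_or_None) tuples.
    Returns (network, iface, gateway) of the most specific matching route.
    On equal prefix lengths the first entry wins, a simplified stand-in
    for the kernel taking the first equal-metric route in its table.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in routes:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return (str(best[0]), best[1], best[2])


# John's original layout: eth0 faces the router, eth1 faces the LAN hub,
# and both carry an address inside LAN_NET. Two connected routes, one prefix.
FW_SAME_SUBNET = [
    (LAN_NET, "eth0", None),
    (LAN_NET, "eth1", None),
    ("0.0.0.0/0", "eth0", "203.0.113.1"),   # router as default gateway
]

# Chad's layout: eth0 lives on the /30 transit net, eth1 owns the LAN prefix.
FW_TRANSIT_ROUTES = [
    (TRANSIT_NET, "eth0", None),
    (LAN_NET, "eth1", None),
    ("0.0.0.0/0", "eth0", ROUTER_TRANSIT),
]

# The router after Chad's change. The second entry is the static route
# "ip route 203.0.113.0 255.255.255.0 192.168.1.2" in IOS form.
ROUTER_ROUTES = [
    (TRANSIT_NET, "Ethernet0", None),
    (LAN_NET, "Ethernet0", FW_TRANSIT),
    ("0.0.0.0/0", "Serial0", UPSTREAM),
]


def trace_inbound(dst):
    """Follow an Internet-to-LAN packet through Chad's layout.

    Returns the (device, iface, gateway) decision at each hop, so a reader
    can confirm the firewall sits on the path for every LAN destination.
    """
    hops = []
    _, iface, gw = lookup(ROUTER_ROUTES, dst)
    hops.append(("router", iface, gw))
    if gw == FW_TRANSIT:
        _, iface, gw = lookup(FW_TRANSIT_ROUTES, dst)
        hops.append(("firewall", iface, gw))
    return hops


if __name__ == "__main__":
    lan_host = "203.0.113.50"
    # Same-subnet layout: the LAN host is reachable only via eth1, but the
    # first connected route wins and the packet leaves on eth0.
    print("same-subnet firewall ->", lookup(FW_SAME_SUBNET, lan_host))
    # Transit layout: unambiguous, eth1 for the LAN, eth0 for everything else.
    print("transit firewall    ->", lookup(FW_TRANSIT_ROUTES, lan_host))
    print("transit firewall    ->", lookup(FW_TRANSIT_ROUTES, "198.51.100.7"))
    print("inbound path        ->", trace_inbound(lan_host))
```

Running the module prints the interface chosen in each layout; the point to take from it is that the transit design needs no renumbering of LAN hosts (only the firewall and the router's single static route change), which is what makes Chad's approach "seamless" from the LAN's point of view.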