Hi,

I'm having some bother setting up a firewall and although the problem is pure networking I just thought I'd check I'm not doing something stupid.

We have a network here with a large number of proper unique IP addresses. This is both for servers and workstations which people like to log into etc. from offsite.

What I'd like to do is put in some 'seamless' firewalling, i.e. retain our unique IP addresses but firewall the connection to them to only allow secure connections and log the traffic. To do this I'm putting in a Linux box with two NICs between our incoming connection and the primary hub.

I'm aware that using non-routables would be easier and more secure, but that would mean a complete overhaul of our setup and messing about with proxies.

The problem is that this means the two NICs on the firewall are on the same subnet. There appears to be some problem with routing in this setup. I've not tried to do anything fancy, just set up eth0 and eth1 as normal.

Any comments? I'd really rather avoid a wholesale move to 192.168.x.x if possible.

Cheers,
JB

-- 
John Bland M.Phys (Hons) AMInstP
PhD Student & Sys Admin, Condensed Matter Group, Liverpool University
Email: j.bland at cmp.liv.ac.uk
http://ringtail.cmp.liv.ac.uk/
"Hey, I wonder how much meat you get on a womble?" -- Eddie
Hi John,

My gut reaction is that this is a routing problem. Your external NIC wants to be set up (I think) on a "subnet of 1" so that the routing table can direct packets from a.b.c.x/255.255.255.0 to a.b.c.y/255.255.255.255.

Hope this isn't a red herring...

Maf.

On 2001.07.16 14:24:14 +0100 John Bland wrote:
> Hi,
>
> I'm having some bother setting up a firewall and although the problem is pure networking I just thought I'd check I'm not doing something stupid.
>
> We have a network here with a large number of proper unique IP addresses. This is both for servers and workstations which people like to log into etc. from offsite.
>
> What I'd like to do is put in some 'seamless' firewalling, i.e. retain our unique IP addresses but firewall the connection to them to only allow secure connections and log the traffic. To do this I'm putting in a Linux box with two NICs between our incoming connection and the primary hub.
>
> I'm aware that using non-routables would be easier and more secure, but that would mean a complete overhaul of our setup and messing about with proxies.
>
> The problem is that this means the two NICs on the firewall are on the same subnet. There appears to be some problem with routing in this setup. I've not tried to do anything fancy, just set up eth0 and eth1 as normal.
>
> Any comments? I'd really rather avoid a wholesale move to 192.168.x.x if possible.
>
> Cheers,
> JB
-- 
Maf. King
Standby Exhibition Services
"It is easier to do a job right than to explain why you didn't." - Martin Van Buren
To really do firewalling proper, you will need different subnets.

You can set up your Linux box with two NICs with IP addresses in the same range on both NICs, enable IP forwarding and set all your workstations and servers to use that machine for their gateway (heck, you only need one NIC for that), and that would handle outbound traffic. Incoming traffic is another matter.

One solution, if you have control of your router, is to change the route on the router and set up an invalid IP on the first NIC in the Linux box. Example:

    internet ----- router ---------- linux box ------- lan (xxx.xxx.xxx.xxx/y)
                   192.168.1.1/30    192.168.1.2/30    xxx.xxx.xxx.xxx/y

So if it's a Cisco router, you would set the ethernet interface IP to 192.168.1.1 255.255.255.252 and set up routing as follows:

    ip route xxx.xxx.xxx.xxx 255.255.255.0 192.168.1.2

which would send all traffic for your LAN to the Linux box, which could then do packet filtering, logging and routing. This way, you don't need to change anything on your LAN except maybe the default gateway.

Of course, if you don't have a firewall now, and the gateway is the router, then you can just set the eth1 interface IP address on the Linux box (the one connected to the LAN) to the IP address of the router. Also, you could get by with just hooking the router and firewall up with a crossover cable and avoiding any switching issues.

I have successfully done this with OpenBSD but never tried doing any actual routing (other than masqing) with Linux.

On Mon, 16 Jul 2001, John Bland wrote:
> Hi,
>
> I'm having some bother setting up a firewall and although the problem is pure networking I just thought I'd check I'm not doing something stupid.
>
> We have a network here with a large number of proper unique IP addresses. This is both for servers and workstations which people like to log into etc. from offsite.
>
> What I'd like to do is put in some 'seamless' firewalling, i.e. retain our unique IP addresses but firewall the connection to them to only allow secure connections and log the traffic. To do this I'm putting in a Linux box with two NICs between our incoming connection and the primary hub.
>
> I'm aware that using non-routables would be easier and more secure, but that would mean a complete overhaul of our setup and messing about with proxies.
>
> The problem is that this means the two NICs on the firewall are on the same subnet. There appears to be some problem with routing in this setup. I've not tried to do anything fancy, just set up eth0 and eth1 as normal.
>
> Any comments? I'd really rather avoid a wholesale move to 192.168.x.x if possible.
>
> Cheers,
> JB
>
> -- 
> John Bland M.Phys (Hons) AMInstP
> PhD Student & Sys Admin, Condensed Matter Group, Liverpool University
> Email: j.bland at cmp.liv.ac.uk
> http://ringtail.cmp.liv.ac.uk/
> "Hey, I wonder how much meat you get on a womble?" -- Eddie
>
> -- 
> To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
> For additional commands, e-mail: suse-security-help@suse.com
-- 
Chad Whitten
Network/Systems Administrator
Nexband Communications
chadwick@nexband.com
> I'm aware that using non-routables would be easier and more secure, but that would mean a complete overhaul of our setup and messing about with proxies.
>
> The problem is that this means the two NICs on the firewall are on the same subnet. There appears to be some problem with routing in this setup. I've not tried to do anything fancy, just set up eth0 and eth1 as normal.
I am getting absolutely nowhere with this. I've searched high and low for info on the routing-on-same-subnet thing and it all boils down to arp and route kludges. With these I can get internal hosts to see the external NIC on the firewall, but that's it, and as soon as I turn on the firewall it all stops dead.

Isn't there *any* HOWTO on doing this? Invisible firewalling like this seems, on the face of it, a neat and simple drop-in to an existing network, but the routing is a nightmare. I don't have direct access to the router or control over it.

Anyone out there done this for real and got it to work?!

JB (getting highly frustrated)

-- 
John Bland M.Phys (Hons) AMInstP
PhD Student & Sys Admin, Condensed Matter Group, Liverpool University
Email: j.bland at cmp.liv.ac.uk
http://ringtail.cmp.liv.ac.uk/
"Hey, I wonder how much meat you get on a womble?" -- Eddie
Hi John,

It was a huge hassle to configure this way!! I almost killed somebody. Eventually I managed to get it working with a mishmash of static host routes and ARP entries. BTW, when I posted re: this problem it was dismissed as an OT routing issue. However I think this config is somewhat commonly desired for FWs and as such is worthy.

*** For me, it only worked with /etc/route.conf entries and a restart of routing... Specifying the routes at the command line didn't work! I know this makes no sense.

For the firewall (assuming eth0 is external and eth1 is internal):

- declare the subnet on the external interface:

    my.subnet.add.ress  0.0.0.0             my.net.mas.k     eth0

- host routes to each internal host, with the interface specified:

    default             my.routers.ip.addr
    int.ernal.host.ip1  0.0.0.0             255.255.255.255  eth1
    int.ernal.host.ip2  0.0.0.0             255.255.255.255  eth1

- published ARP entries for every internal host (in a boot script, ideally):

    arp -vn -i eth1 -s int.ernal.host.ip1 int:ernal:host:mac:addr:ess1 pub
    arp -vn -i eth1 -s int.ernal.host.ip2 int:ernal:host:mac:addr:ess2 pub

For the internal machines:

- only the obvious in route.conf:

    my.subnet.add.ress  0.0.0.0             my.net.mas.k     eth0

The router seems to get the necessary ARP info from the firewall, as no published ARP entries were necessary.

There should definitely be a HOWTO of some sort, besides http://www.linuxdoc.org/HOWTO/mini/Proxy-ARP-Subnet/ which is a decent resource.

I think Marc's firewall scripts are awesome; 2.4 has matured into a sturdy FW. But for this particular application ipf for BSD is probably less of a headache as a firewall host... saves real IPs too.

HTH
-gabriel
One thing I forgot:

It actually doesn't work if the internal interface has a real address on the same subnet as the external firewall interface and the internal hosts!! So much for the subject heading :[

The internal interface of the firewall should have a private IP such as 10.0.0.1! The internal machines need a network route to the subnet in question AND a host route to this private IP interface. From route.conf:

--snip--
my.subnet.add.ress  0.0.0.0   my.net.mas.k     eth0
10.0.0.1            0.0.0.0   255.255.255.255  eth0
default             10.0.0.1
--snip--

Everything else from the previously stated firewall config applies, and works quite nicely.

-g
"gabriel.rivera" wrote:
> One thing I forgot:
>
> It actually doesn't work if the internal interface has a real address on the same subnet as the external firewall interface and the internal hosts!! So much for the subject heading :[
I think it should work with real IPs on both NICs, too. Suppose your "protected" machines are connected to eth1; then, after setting up the ARPs and routes as you described, an

    echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

should do. Now the firewall should do proxy ARP for all machines it can reach via eth0.

Greets,
Soeren Eyhusen.
> Isn't there *any* HOWTO on doing this? Invisible firewalling like this seems, on the face of it, a neat and simple drop-in to an existing network, but the routing is a nightmare.
Ok, I've finally found a solution. It's with Lennert Buytenhek's Bridge+Firewall code (see http://bridge.sourceforge.net/ for more info), applying the bridge+firewall patches to a stock 2.2.19 kernel. All the traffic for our lab now goes through a knackered old P100 with two NICs, one to outside, one to our primary hub. The bridge currently has an IP, which is great for setting it up via ssh, but once it's settled that will be disabled and it will become all but totally transparent to the network.

First get the bridging to work (there's a good HOWTO for this at http://www.bnhof.de/~uwe/bridge-stp-howto/BRIDGE-STP-HOWTO/ ). Then, following the instructions there about bridging+ipchains, you can set up ipchains filters. It's not quite as versatile as normal firewalling but it certainly does the job for most things. There is also iptables support which is even better, although it's not as tested yet and I couldn't get it to work.

Here's an example ipchains script (definitely not real world, but it shows what's going on; the rules are a bit different for the bridging firewall as opposed to a standard one, it seems to me):

-----------
#!/bin/bash
ipchains -F
ipchains -X
ipchains -Z
ipchains -N br0                                             # create chain with same name as the bridge device

# ingress rules
ipchains -N Iall
ipchains -A Iall -p tcp -d 138.253.x.x 80 -j ACCEPT         # allow http traffic to a machine
ipchains -A Iall -p tcp -d 138.253.x.0/24 22 -j ACCEPT      # allow ssh in to anything on our subnet
ipchains -A Iall -p tcp ! -y -j ACCEPT                      # allow data for established connections
ipchains -A Iall -p tcp -j DENY -l                          # deny and log the rest

# egress rules
ipchains -N Oall
ipchains -A Oall -p tcp -s 138.253.148.0/24 -d 0.0.0.0/0 23 -j ACCEPT   # allow internal machines to telnet out
ipchains -A Oall -p tcp ! -y -j ACCEPT                      # allow data for established connections
ipchains -A Oall -p tcp -j DENY -l                          # deny and log the rest

# main bridge chain
ipchains -A br0 -i eth1 -j Iall                             # jump to Iall chain for incoming
ipchains -A br0 -i eth0 -j Oall                             # jump to Oall chain for outgoing
-----------

I hope this might be of use to anyone else in a similar situation. Many thanks for the replies both on and off the list, it's been highly educational.

JB

-- 
John Bland M.Phys (Hons) AMInstP
PhD Student & Sys Admin, Condensed Matter Group, Liverpool University
Email: j.bland at cmp.liv.ac.uk
http://ringtail.cmp.liv.ac.uk/
"Everybody relax, I'm here." -- Jack Burton
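As an added example that is not part of John's post or the bridge project: a small Python model of the br0 -> Iall/Oall chain walk in the script above, evaluating the rules the stateless way ipchains does, so you can check which TCP packets the ruleset really admits. The 138.253.148.10 web host and the 203.0.113.5 outside address are constructed stand-ins for the x.x placeholders.

```python
# Added example (not from the original post): model how ipchains walks the
# posted br0 -> Iall/Oall chains for a TCP packet.  ipchains keeps no
# connection state, so "! -y" admits every TCP packet that is not a bare SYN.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("138.253.148.0/24")       # "138.253.x.0/24" in the post
WEB = ip_network("138.253.148.10/32")      # "138.253.x.x" in the post (constructed)

# A rule: optional matchers (iface, src, dst, dport, syn), a target, and -l logging.
CHAINS = {
    "br0": [dict(iface="eth1", target="Iall"),          # -i eth1 -j Iall
            dict(iface="eth0", target="Oall")],         # -i eth0 -j Oall
    "Iall": [dict(dst=WEB, dport=80, target="ACCEPT"),  # http to one machine
             dict(dst=LAN, dport=22, target="ACCEPT"),  # ssh to the subnet
             dict(syn=False, target="ACCEPT"),          # ! -y
             dict(target="DENY", log=True)],            # -j DENY -l
    "Oall": [dict(src=LAN, dst=ANY, dport=23, target="ACCEPT"),  # telnet out
             dict(syn=False, target="ACCEPT"),          # ! -y
             dict(target="DENY", log=True)],            # -j DENY -l
}

def matches(rule, pkt):
    # Every matcher present in the rule must agree with the packet.
    return all([
        rule.get("iface") in (None, pkt["iface"]),
        rule.get("src") is None or ip_address(pkt["src"]) in rule["src"],
        rule.get("dst") is None or ip_address(pkt["dst"]) in rule["dst"],
        rule.get("dport") in (None, pkt["dport"]),
        rule.get("syn") in (None, pkt["syn"]),
    ])

def evaluate(pkt, chain="br0"):
    # Returns (verdict, logged), or None if the chain falls off its end.
    for rule in CHAINS[chain]:
        if not matches(rule, pkt):
            continue
        if rule["target"] in CHAINS:                    # -j <user chain>
            verdict = evaluate(pkt, rule["target"])
            if verdict is not None:
                return verdict
            continue                                    # sub-chain fell through, keep walking
        return rule["target"], rule.get("log", False)
    return None

def tcp(iface, src, dst, dport, syn):
    # Constructed TCP packet; syn=True is a bare SYN, which is what -y matches.
    return dict(iface=iface, src=src, dst=dst, dport=dport, syn=syn)

if __name__ == "__main__":
    print(evaluate(tcp("eth1", "203.0.113.5", "138.253.148.20", 25, True)))   # ('DENY', True)
    print(evaluate(tcp("eth1", "203.0.113.5", "138.253.148.20", 25, False)))  # ('ACCEPT', False)
```

The second call shows the gap in the "established connections" rule: a non-SYN packet to a port nobody opened is accepted and never logged, which is why the post's remark that iptables (with real connection tracking) is the better option matters.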
Participants (5): dog@intop.net, gabriel.rivera, John Bland, maf king, Soeren Eyhusen