Hi,

I'm trying to get my head round setting up SuSE Firewall. One portion of it confuses me.

# A forwarding rule consists of 1) source IP/net, 2) destination IP (dmz/intern)
# and 3) destination port, seperated by a comma (","), e.g.
# "4.0.0.0/8,192.168.1.6,8000",
# "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
#

It is the 1) Source IP/net that is confusing me, something which I have never quite understood. How do you work out the subnet?

4.0.0.0/8 or 4.4.4.4/12 how does this work?

Say I want 192.168.1.1 or 212.229.151.151, how would I work out the subnets for those? It's baffling me.

Regards,
Lee Smallbone
lee@kechara.org

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
Lee Smallbone wrote:
I'm trying to get my head round setting up SuSE Firewall. One portion of it confuses me.
# A forwarding rule consists of 1) source IP/net, 2) destination IP (dmz/intern)
# and 3) destination port, seperated by a comma (","), e.g.
# "4.0.0.0/8,192.168.1.6,8000",
# "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
#
It is the 1) Source IP/net that is confusing me, something which I have never quite understood. How do you work out the subnet?
4.0.0.0/8 or
The '8' in the above tells us that the first 8 bits of that dotted quad number form the network address, which in this case is just the 4 (each portion of the dotted quad number is 8 bits long). A mask of 16 would signify that the first two parts (half) represent the network.
4.4.4.4/12 how does this work?
This is where things get more complicated and you have to start writing out these numbers in binary form. This '12' says that the network mask here consists of the first quarter of the dotted quad (8 bits) plus the first 'half' of the second part of the dotted quad (4 bits). So all the IPs that had the first 12 bits of their IP the same would be seen as being in the same network.
Say I want 192.168.1.1 or 212.229.151.151, how would I work out the subnets for those? It's baffling me.
Well, the first one's easy, since that is a standard class B private subnet (although it's frequently used with a class C subnet mask of 24). The network for the second one just depends (as do most addresses) on what the subnet mask is (this 212... address is actually a class C network, so will originally have had a subnet mask of 255.255.255.0, or 24 if we stick to the format that we're using here). Often ISPs may have been assigned a class B address range (mask 16), but internally they would split this up into many smaller subnets with different masks.

For example, my (fixed) IP address is officially a class B address (netmask 16); however, internally this has been split up into smaller subnets, so my actual netmask is 255.255.255.240, which is 11111111.11111111.11111111.11110000 in binary, or 28 in your format. This means that only computers with the first 28 bits of their IP addresses the same as mine are counted as being on my subnet.

If this 212... address is one that you've been assigned, then you can run 'ifconfig' and it should tell you what the mask is currently set at, which will at most be 255.255.255.0 (due to it being a class C network), but possibly less.

I hope you managed to follow that - it's a bit long winded... In short, given an IP address, it isn't always easy to tell which subnet it belongs to - in fact it's impossible to be certain.

Hope that helps though,
Chris

--
Apologies to everyone who has been waiting for replies off me over the past few weeks - I've been away from my computer. I'll try to catch up with my email over the coming days, but don't be surprised if you get a reply in a month's time...

Chris Reeves
ICQ# 22219005
Hello Chris,

Thanks for the info. I now understand it a little better than I did... The 4.0.0.0/4 I get, (I can see the logic in that) but the rest.. well.

I will do as you say and run ifconfig to find out what my static IP netmask is. Assuming it is 255.255.255.0, it would simply become static.ip/24, I picked that up correctly yes?

Thanks again.

Lee.

Wednesday, April 12, 2000, 11:35:03 PM, you wrote:

CR> Lee Smallbone wrote:
I'm trying to get my head round setting up SuSE Firewall. One portion of it confuses me.
# A forwarding rule consists of 1) source IP/net, 2) destination IP (dmz/intern)
# and 3) destination port, seperated by a comma (","), e.g.
# "4.0.0.0/8,192.168.1.6,8000",
# "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
#
It is the 1) Source IP/net that is confusing me, something which I have never quite understood. How do you work out the subnet?
4.0.0.0/8 or
CR> The '8' in the above tells us that the first 8 bits of that dotted quad number
CR> form the network address, which in this case is just the 4 (each portion of the
CR> dotted quad number is 8 bits long). A mask of 16 would signify that the first
CR> two parts (half) represent the network.
<snip>

Regards,
Lee Smallbone
lee@kechara.org
Lee Smallbone wrote:
Thanks for the info. I now understand it a little better than I did... The 4.0.0.0/4 I get, (I can see the logic in that) but the rest.. well. I will do as you say and run ifconfig to find out what my static IP netmask is. Assuming it is 255.255.255.0, it would simply become static.ip/24, I picked that up correctly yes?
That's correct.
Wednesday, April 12, 2000, 11:35:03 PM, you wrote:
CR> Lee Smallbone wrote:
I'm trying to get my head round setting up SuSE Firewall. One portion of it confuses me.
# A forwarding rule consists of 1) source IP/net, 2) destination IP (dmz/intern)
# and 3) destination port, seperated by a comma (","), e.g.
# "4.0.0.0/8,192.168.1.6,8000",
# "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
#
It is the 1) Source IP/net that is confusing me, something which I have never quite understood. How do you work out the subnet?
4.0.0.0/8 or
CR> The '8' in the above tells us that the first 8 bits of that dotted quad number
CR> form the network address, which in this case is just the 4 (each portion of the
CR> dotted quad number is 8 bits long). A mask of 16 would signify that the first
CR> two parts (half) represent the network.
Glad I could help,
Chris
On Wed, 12 Apr 2000, Lee Smallbone wrote:
Hi,
I'm trying to get my head round setting up SuSE Firewall. One portion of it confuses me.
# A forwarding rule consists of 1) source IP/net, 2) destination IP (dmz/intern)
# and 3) destination port, seperated by a comma (","), e.g.
# "4.0.0.0/8,192.168.1.6,8000",
# "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
#
It is the 1) Source IP/net that is confusing me, something which I have never quite understood. How do you work out the subnet?
An IP address is 32 bits. It's usually expressed as four decimal numbers each from 0 to 255 (expressing 8 bits), dot delimited, but that's for human use.

Within any logical subnet, all machines have some number of bits, on the left end of the address, in common. For example, on my home network all machine addresses start with 192.168.1.

By convention - for human readability, it really doesn't matter - when you are referring to the subnet, the bits that CAN vary from machine to machine are zeroed. That would make my subnet 192.168.1.0.

However, we aren't quite there yet. We also have to tell the IP stack how many bits are part of the subnet address. There are two ways to do this:

* The old way: create another 32-bit string - called the subnet mask - where all the significant bits are 1 and all the non-significant bits are 0. This is where we get subnets like 192.168.1.0/255.255.255.0 This standard would actually be sensible, if the definition of a subnet didn't require that all the 1 bits in the subnet mask be on the left and all the zero bits on the right, i.e. it can't have a zero bit followed by a 1 bit.

* The new way: just state the number of significant bits. The same sample is 192.168.1.0/24 which means that the leftmost 24 bits of the address are the subnet and the remaining 8 bits are the host specifier.

If you do NOT specify what bits are significant, the usual assumption is that all of them are: you are referring to a host, not a subnet.
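As an added illustration of the arithmetic in the replies above (my own example, not code from the thread or from SuSEfirewall), here is the /N-to-mask conversion written out as bit operations, a cross-check against Python's ipaddress module, and a matcher for the "src/net,dst,port" forwarding-rule format Lee quoted. It also refuses a dotted mask whose 1 bits are not all on the left, since such a mask has no /N form; the packet addresses fed to the matcher are constructed.

```python
# Added example: CIDR arithmetic by hand, cross-checked against Python's
# ipaddress module. The rule strings are the ones quoted from the firewall
# config at the top of the thread; the packet addresses are constructed.
import ipaddress

def ip_to_int(dotted):
    """Pack a dotted quad into a 32-bit integer; reject malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % dotted)
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value

def int_to_ip(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(value):
    """Render 32 bits as four 8-bit groups, the way Chris wrote the mask out."""
    return ".".join(format((value >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """/N (the 'new way') -> 32-bit mask with the leftmost N bits set."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length out of range: %d" % prefix)
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask):
    """Dotted mask (the 'old way') -> /N. Only a mask with all its 1 bits on
    the left has a /N form; anything else is rejected."""
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError("non-contiguous mask %s has no /N form" % int_to_ip(mask))
    return prefix

def has_prefix_form(mask_text):
    """True if a dotted mask can be written as /N at all."""
    try:
        mask_to_prefix(ip_to_int(mask_text))
        return True
    except ValueError:
        return False

def parse_cidr(text):
    """'4.4.4.4/12' -> (network as int, prefix). A bare address is a host (/32)."""
    addr, _, plen = text.partition("/")
    prefix = int(plen) if plen else 32
    return ip_to_int(addr) & prefix_to_mask(prefix), prefix

def network_of(text):
    """Zero the host bits: the subnet a given address/prefix belongs to."""
    net, prefix = parse_cidr(text)
    return "%s/%d" % (int_to_ip(net), prefix)

def agrees_with_ipaddress(text):
    """Cross-check the hand-rolled arithmetic against the standard library."""
    return network_of(text) == str(ipaddress.ip_network(text, strict=False))

def in_subnet(ip, cidr):
    """Do the first N bits of ip match the rule's network?"""
    net, prefix = parse_cidr(cidr)
    return (ip_to_int(ip) & prefix_to_mask(prefix)) == net

def parse_forward_rules(spec):
    """Split a space-separated list of 'src/net,dst,port' entries."""
    rules = []
    for entry in spec.split():
        src, dst, port = entry.split(",")
        rules.append((src, dst, int(port)))
    return rules

def matching_rule(rules, src_ip, dst_ip, port):
    """Return the first rule a packet would hit, or None if no rule applies."""
    for src_net, dst, rule_port in rules:
        if in_subnet(src_ip, src_net) and dst_ip == dst and port == rule_port:
            return "%s,%s,%d" % (src_net, dst, rule_port)
    return None

if __name__ == "__main__":
    rules = parse_forward_rules(
        "4.0.0.0/8,192.168.1.6,8000 "
        "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22")
    for cidr in ("4.0.0.0/8", "4.4.4.4/12", "192.168.1.1/24", "212.229.151.151/24"):
        print(cidr, "->", network_of(cidr),
              to_binary(prefix_to_mask(parse_cidr(cidr)[1])))
    print(matching_rule(rules, "4.200.1.1", "192.168.1.6", 8000))
```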
Quoting Warrl
An IP address is 32 bits. It's usually expressed as four decimal numbers each from 0 to 255 (expressing 8 bits), dot delimited, but that's for human use. Within any logical subnet, all machines have some number of bits, on the left end of the address, in common. For example, on my home network all machine addresses start with 192.168.1.
This is not correct, the subnet mask does not have to have all the 1's on the left. Admittedly almost all do, and some implementations require it, but the standards do not.

Picker of Nits,
Jeffrey
At 10:43 PM 04/13/00 -0500, Jeffrey Taylor wrote:
This is not correct, the subnet mask does not have to have all the 1's on the left. Admittedly almost all do, and some implementations require it, but the standards do not.
I was wondering about that, as I'm looking into a DSL setup that offers five static IP numbers. So I imagine it's five numbers out of a subnet. I'm unclear how to configure such a thing. I assume I can't use the 192.168.x.x/24 notation, and have to have a specific net mask instead.

Anyone know how that "Five IP DSL" connection would look and be configured?

Bill Moseley
mailto:moseley@hank.org
You would end up with aaa.bbb.ccc.ddd/29 (or a netmask of 255.255.255.248) - This is 8 IP addresses, where one is the network identifier, one is the broadcast, one goes to the ISP's router, and you are left with five usable addresses.

- Herman

On Fri, 14 Apr 2000, Bill Moseley wrote:
->>At 10:43 PM 04/13/00 -0500, Jeffrey Taylor wrote:
->>>This is not correct, the subnet mask does not have to have all the 1's
->>>on the left. Admittedly almost all do, and some implementations
->>>require it, but the standards do not.
->>
->>I was wondering about that, as I'm looking into a DSL setup that offers
->>five static IP numbers. So I imagine it's five numbers out of a subnet.
->>I'm unclear how to configure such a thing. I assume I can't use the
->>192.168.x.x/24 notation, and have to have a specific net mask instead.
->>
->>Anyone know how that "Five IP DSL" connection would look and be configured?
->>
->>Bill Moseley
->>mailto:moseley@hank.org
On Fri, 14 Apr 2000, Bill Moseley wrote:
At 10:43 PM 04/13/00 -0500, Jeffrey Taylor wrote:
This is not correct, the subnet mask does not have to have all the 1's on the left. Admittedly almost all do, and some implementations require it, but the standards do not.
I was wondering about that, as I'm looking into a DSL setup that offers five static IP numbers. So I imagine it's five numbers out of a subnet. I'm unclear how to configure such a thing. I assume I can't use the 192.168.x.x/24 notation, and have to have a specific net mask instead.
Anyone know how that "Five IP DSL" connection would look and be configured?
You have five available addresses on your side of the DSL device.

The DSL device itself has an address on your side. (It probably has another, different address on the other side. It's a router. Each port on a router has its own address.)

The lowest and highest addresses in a subnet are reserved (the highest address is the broadcast address; the lowest address is for a technically different but functionally similar use that escapes me at the moment.)

That's a total of eight addresses occupied by your subnet. Your subnet mask is /29 (new style) or 255.255.255.248
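To make Herman's and Warrl's count concrete, here is an added example (mine, not from the thread) that lays out an eight-address /29 block: the network address at the bottom, the broadcast at the top, one address for whoever holds the gateway, and the five left for hosts. The block 203.0.113.16/29 and the gateway 203.0.113.17 are constructed placeholders from the documentation address range, not Bill's real assignment; the same function accepts the old-style dotted mask in place of /29.

```python
# Added example: the bookkeeping for a /29 "five static IP" block.
# 203.0.113.16/29 is a constructed placeholder (documentation range), not a
# real customer assignment.
import ipaddress

def subnet_layout(block, gateway):
    """Lay out a small customer block: network, broadcast, the gateway's
    address and whatever is left for hosts. 'block' may use either the /N
    form (203.0.113.16/29) or the dotted-mask form
    (203.0.113.16/255.255.255.248)."""
    net = ipaddress.ip_network(block, strict=False)
    if net.prefixlen > 30:
        raise ValueError("%s has no room for a gateway plus hosts" % net)
    gw = ipaddress.ip_address(gateway)
    # The gateway must be inside the block and must not be one of the two
    # reserved addresses at either end.
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        raise ValueError("gateway %s is not a usable address in %s" % (gw, net))
    hosts = [str(h) for h in net.hosts() if h != gw]
    return {
        "network": str(net.network_address),      # lowest address, reserved
        "netmask": str(net.netmask),              # old-style mask
        "prefix": net.prefixlen,                  # new-style mask
        "broadcast": str(net.broadcast_address),  # highest address, reserved
        "gateway": str(gw),
        "hosts": hosts,
        "usable_count": len(hosts),
    }

def is_valid_gateway(block, gateway):
    """True if the ISP-supplied gateway address actually fits the block."""
    try:
        subnet_layout(block, gateway)
        return True
    except ValueError:
        return False

def block_size(block):
    """Addresses in the block before anything is reserved: 2**(32-N)."""
    return ipaddress.ip_network(block, strict=False).num_addresses

def same_subnet(a, b, prefix):
    """Two addresses share a subnet only if their first 'prefix' bits agree;
    numerically adjacent addresses can sit in different /29 blocks."""
    net_a = ipaddress.ip_network("%s/%d" % (a, prefix), strict=False)
    return ipaddress.ip_address(b) in net_a

if __name__ == "__main__":
    for key, value in subnet_layout("203.0.113.16/29", "203.0.113.17").items():
        print("%-13s %s" % (key, value))
```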
On Fri, 14 Apr 2000, Warrl wrote:
On Fri, 14 Apr 2000, Bill Moseley wrote:
At 10:43 PM 04/13/00 -0500, Jeffrey Taylor wrote:
This is not correct, the subnet mask does not have to have all the 1's on the left. Admittedly almost all do, and some implementations require it, but the standards do not.
I was wondering about that, as I'm looking into a DSL setup that offers five static IP numbers. So I imagine it's five numbers out of a subnet. I'm unclear how to configure such a thing. I assume I can't use the 192.168.x.x/24 notation, and have to have a specific net mask instead.
Anyone know how that "Five IP DSL" connection would look and be configured?
You have five available addresses on your side of the DSL device.
The DSL device itself has an address on your side. (It probably has another, different address on the other side. It's a router. Each port on a router has its own address.)
Not here in the Calif usually. Every setup I have seen so far has been bridged. The gateway IP is at the other end of the DSL connection and there are no IPs in the DSL customer device. Every ISP I have called that works with Pacbell or GTE has been bridging for small networks.

Greg
Yep, I have DSL in St. Louis from Southwestern Bell w/ 5 static ips...and it is bridged as well. If you want routed DSL try exodus.net which I hear is very good. just my 0.02
Not here in the Calif usually. Every setup I have seen so far has been bridged. The gateway IP is at the other end of the DSL connection and there are no IPs in the DSL customer device. Every ISP I have called that works with Pacbell or GTE has been bridging for small networks.
--
Ben Rosenberg
mailto:ben@whack.org
ICQ UIN:49268667
--------------------------
" Success is how high you bounce when you hit bottom " -Gen. George Patton
At 12:39 PM 04/15/00 -0500, Ben Rosenberg wrote:
Yep, I have DSL in St. Louis from Southwestern Bell w/ 5 static ips...and it is bridged as well. If you want routed DSL try exodus.net which I hear is very good.
Ok, I asked the original 5 IP question. But I haven't grokked it completely yet, sorry.

I'm not clear on what you mean by bridge. Let me explain my current home network and maybe some kind person could show me how things would change under a 5 static IP DSL setup:

I have three machines right now (I'll sell the extra two IP numbers to my neighbors... ;)

Currently:

192.168.0.1: has modem that dials up my ISP. Also running a primary master DNS server (Nothing delegates to that DNS of course, although I have it pretend like it's the master for my domain). This machine is running dial on demand.

192.168.0.98 & .99 - one SuSE the other Win98. Both have the default gateway set as the .1 box. The SuSE box is running a slave DNS (off the .1 box), and the Win98 box has both the .1 and .99 box as its DNS servers.

So, do I connect the DSL 'modem' onto my network (just as if I was adding another computer to the LAN), and then that machine becomes my new gateway, as I think Greg described it? (But then I wonder about a firewall setup.)

What would people recommend about DNS? Should I run my own primary DNS, or should I pay the ISP (PacBell in my case here in California) to handle the DNS. Seems like I should do it, but that it would be a bad idea to also handle the secondary DNS on the same set of five IP numbers as I'd be out of luck if my DNS connection went down. Probably better to try to find a friendly person that would act as a secondary DNS (and also secondary for mail).

Then I wonder if I could get Pacbell to delegate reverse DNS to my machine, too. Aren't there some servers that will block me if my reverse DNS doesn't match my DNS?

About that firewall: I've had some people recommend using a separate firewall product (something like a SonicWall unit). I thought I could just setup one of my machines as the firewall using ipchains, but I'm confused how that would work with this 5 IP DSL setup. I'm really not that clear how all the parts fit together.
Thanks again,

Bill Moseley
mailto:moseley@hank.org
Bill Moseley wrote:
At 12:39 PM 04/15/00 -0500, Ben Rosenberg wrote:
Yep, I have DSL in St. Louis from Southwestern Bell w/ 5 static ips...and it is bridged as well. If you want routed DSL try exodus.net which I hear is very good.
Ok, I asked the original 5 IP question. But I haven't grokked it completely yet, sorry.
I'm not clear on what you mean by bridge. Let me explain my current home network and maybe some kind person could show me how things would change under a 5 static IP DSL setup:
A bridge is similar to a router, but has two major differences:
1. A bridge forwards by looking at MAC addresses, a router forwards by IPs.
2. A bridge forwards broadcast packets, while a router does not.
I have three machines right now (I'll sell the extra two IP numbers to my neighbors... ;)
Currently:
192.168.0.1: has modem that dials up my ISP. Also running a primary master DNS server (Nothing delegates to that DNS of course, although I have it pretend like it's the master for my domain). This machine is running dial on demand.
192.168.0.98 & .99 - one SuSE the other Win98. Both have the default gateway set as the .1 box. The SuSE box is running a slave DNS (off the .1 box), and the Win98 box has both the .1 and .99 box as its DNS servers.
So, do I connect the DSL 'modem' onto my network (just as if I was adding another computer to the LAN), and then that machine becomes my new gateway, as I think Greg described it? (But then I wonder about a firewall setup.)
It is possible to connect a router directly onto your hub, but this is *not* advisable, from a security point of view. The best and easiest way is to install a second network card in one of the servers (or in another old machine), and connect the router/bridge to that. The machine with two network cards would then be the firewall machine. Finally, you just need to do some juggling with the routing tables and ipchains to get it all working.
What would people recommend about DNS? Should I run my own primary DNS, or should I pay the ISP (PacBell in my case here in California) to handle the DNS. Seems like I should do it, but that it would be a bad idea to also handle the secondary DNS on the same set of five IP numbers as I'd be out of luck if my DNS connection went down. Probably better to try to find a friendly person that would act as a secondary DNS (and also secondary for mail).
I can't really suggest anything about your DNS situation, but if you do your own DNS, it is a *very* good idea to have a friend do your secondary.
Then I wonder if I could get Pacbell to delegate reverse DNS to my machine, too. Aren't there some servers that will block me if my reverse DNS doesn't match my DNS?
About that firewall: I've had some people recommend using a separate firewall product (something like a SonicWall unit). I thought I could just setup one of my machines as the firewall using ipchains, but I'm confused how that would work with this 5 IP DSL setup. I'm really not that clear how all the parts fit together.
I myself would use ipchains - I don't see any reason to cough up for commercial software here... but I don't understand what you mean when you say you're confused as to how that would work with 5 IPs. Basically, you've got a subnet consisting of 5 IPs, so you can make use of subnet masks (in your case 29) within your ipchains rules.

Need any more help? Just ask.

Chris
At 09:56 AM 04/16/00 +0100, Chris Reeves wrote:
but I don't understand what you mean when you say you're confused as to how that would work with 5 IPs. Basically, you've got a subnet consisting of 5 IPs, so you can make use of subnet masks (in your case 29) within your ipchains rules.
Well, I was wondering how I would use ipchains if the DSL was connected directly to my hub. But as you point out, that doesn't make much sense. It's better to set up the DSL like my modem setup -- as a second NIC on one machine where I can run ipchains. Then that machine (the one running ipchains) is still my gateway/default route for my LAN. Then I just need to set a default route for that machine (which I guess pppd does for me automatically now).
Need any more help? Just ask.
Oh, I'm sure that I'll be back ;)

Thanks for your help,

Bill Moseley
mailto:moseley@hank.org
On Sat, 15 Apr 2000, Bill Moseley wrote:
At 12:39 PM 04/15/00 -0500, Ben Rosenberg wrote:
Yep, I have DSL in St. Louis from Southwestern Bell w/ 5 static ips...and it is bridged as well. If you want routed DSL try exodus.net which I hear is very good.
Ok, I asked the original 5 IP question. But I haven't grokked it completely yet, sorry.
I'm not clear on what you mean by bridge. Let me explain my current home network and maybe some kind person could show me how things would change under a 5 static IP DSL setup:
I have three machines right now (I'll sell the extra two IP numbers to my neighbors... ;)
That would probably be a crime (enacted to protect the free market by forbidding competition, believe it or not), and almost certainly be a breach of contract for residential service.
192.168.0.1: has modem that dials up my ISP. Also running a primary master DNS server (Nothing delegates to that DNS of course, although I have it pretend like it's the master for my domain). This machine is running dial on demand.
192.168.0.98 & .99 - one SuSE the other Win98. Both have the default gateway set as the .1 box. The SuSE box is running a slave DNS (off the .1 box), and the Win98 box has both the .1 and .99 box as its DNS servers.
You have two options here:

(1) Connect the DSL interface into your existing network and change the IP addresses of all your existing machines to be in the list of five you get from the ISP. Recognise that every one of your machines is then totally exposed to the internet and all the nice friendly hackers out there who will be pleased that you so generously share your processor power, your disk space, your email accounts, and all the private stuff you have on your hard drives.

(2) Construct a firewall with two network cards. One network card will use an address given to you via your ISP. The other card will have an address in 192.168.0.X and be connected to your existing network. The firewall itself should be running a bare minimum of services that are accessible from the internet. With the current firewalling software, you have to set up each individual service (perhaps using tcp wrappers) to exclude non-local addresses; with the next version, supposed to be in the 2.4 kernel, you can set up the firewall software itself so that the firewall computer appears not to exist from the non-local side (but still passes things through). With this approach, you will be using ONE of your five addresses.

If you ever decide you want to make a service public, you have three approaches available: (a) run the service on your firewall and make sure that it's externally visible; (b) use IP port forwarding in the firewall to connect the *local* address and service to the *public* address and service; (c) use another one of your five addresses for a separate server. B is the most secure, C is the most suitable for high volume.

As for buying a separate firewall, basically you are paying someone else for the configuration work. You have to decide for yourself whether you want to do that or not.
Commercial firewalls for residential use are mostly horribly overpriced - a used Pentium-90 is plenty of computer, and I can buy one of those for about $100; a version of Linux specifically tuned to install as a firewall is also less than $100; and network cards are under $25 each, so why does a home user need a $500 firewall?
So, do I connect the DSL 'modem' onto my network (just as if I was adding another computer to the LAN), and then that machine becomes my new gateway, as I think Greg described it? (But then I wonder about a firewall setup.)
What would people recommend about DNS? Should I run my own primary DNS, or should I pay the ISP (PacBell in my case here in California) to handle the DNS. Seems like I should do it, but that it would be a bad idea to also handle the secondary DNS on the same set of five IP numbers as I'd be out of luck if my DNS connection went down. Probably better to try to find a friendly person that would act as a secondary DNS (and also secondary for mail).
I seriously doubt that it makes sense to pay for publically-accessible DNS service if you don't have any publically-accessible servers. Your existing DNS setup sounds fine to me.
At 09:58 PM 04/16/00 -0700, Warrl wrote:
(2) Construct a firewall with two network cards. One network card will use an address given to you via your ISP. The other card will have an address in 192.168.0.X and be connected to your existing network.
That probably makes the most sense, although it means that I couldn't run a server on an internal machine. Seems like I could still setup the firewall on the machine that has two NICs, and still use real IP numbers (since I would have them anyway.) That would be more educational as I'd probably learn more quickly about ipchains -- and I might learn more about the importance of backing up ;-)
If you ever decide you want to make a service public, you have three approaches available: ... (c) use another one of your five addresses for a separate server.
Is that what is called a "DMZ"?
What would people recommend about DNS? Should I run my own primary DNS, or should I pay the ISP (PacBell in my case here in California) to handle the DNS.
I seriously doubt that it makes sense to pay for publically-accessible DNS service if you don't have any publically-accessible servers. Your existing DNS setup sounds fine to me.
Control is the issue, of course, plus the fun of learning.

I would run a web server, and provide ssh access for when I'm not at home. I'd also like to deal with my own mail. Why pay an ISP to do all that for $30 USD a month when I can do it myself for $80 a month? ;)

Thanks for your comments! I appreciate all the help.

Bill Moseley
mailto:moseley@hank.org
Bill Moseley wrote:
At 09:58 PM 04/16/00 -0700, Warrl wrote:
(2) Construct a firewall with two network cards. One network card will use an address given to you via your ISP. The other card will have an address in 192.168.0.X and be connected to your existing network.
That probably makes the most sense, although it means that I couldn't run a server on an internal machine. Seems like I could still setup the firewall on the machine that has two NICs, and still use real IP numbers (since I would have them anyway.) That would be more educational as I'd probably learn more quickly about ipchains -- and I might learn more about the importance of backing up ;-)
If you ever decide you want to make a service public, you have three approaches available: ... (c) use another one of your five addresses for a separate server.
Is that what is called a "DMZ"?
Yes, that would be a DMZ, I suppose. A very small one, of course ;-)
What would people recommend about DNS? Should I run my own primary DNS, or should I pay the ISP (PacBell in my case here in California) to handle the DNS.
I seriously doubt that it makes sense to pay for publically-accessible DNS service if you don't have any publically-accessible servers. Your existing DNS setup sounds fine to me.
Control is the issue, of course, plus the fun of learning.
I would run a web server, and provide ssh access for when I'm not at home. I'd also like to deal with my own mail. Why pay an ISP to do all that for $30 USD a month when I can do it myself for $80 a month? ;)
My philosophy exactly! :-> I often do things the more difficult way, just for the hell of it, and to find out how it should be done.

Have fun,
Chris
On Sat, 15 Apr 2000, Greg Thomas wrote:
On Fri, 14 Apr 2000, Warrl wrote:
On Fri, 14 Apr 2000, Bill Moseley wrote:
At 10:43 PM 04/13/00 -0500, Jeffrey Taylor wrote:
This is not correct, the subnet mask does not have to have all the 1's on the left. Admittedly almost all do, and some implementations require it, but the standards do not.
I was wondering about that, as I'm looking into a DSL setup that offers five static IP numbers. So I imagine it's five numbers out of a subnet. I'm unclear how to configure such a thing. I assume I can't use the 192.168.x.x/24 notation, and have to have a specific net mask instead.
Anyone know how that "Five IP DSL" connection would look and be configured?
You have five available addresses on your side of the DSL device.
The DSL device itself has an address on your side. (It probably has another, different address on the other side. It's a router. Each port on a router has its own address.)
Not here in the Calif usually. Every setup I have seen so far has been bridged. The gateway IP is at the other end of the DSL connection and there are no IPs in the DSL customer device. Every ISP I have called that works with Pacbell or GTE has been bridging for small networks.
Ok, in that case, the connection server at your ISP is consuming an address in your subnet. Same effect, different location, and I don't think it's possible for your DSL device to do any masquerading or firewalling - which means that every workstation and server hooked to the same subnet is sacrificial.

Do yourself a favor and build yourself a firewall before some hacker points out - in a very personal manner - why this would be a good idea.
participants (8)
- ben@whack.org
- chris.reeves@iname.com
- ethant@earthlink.net
- herman@knief.net
- lee@kechara.org
- moseley@hank.org
- muskrat@texas.net
- warrl@blarg.net