Mailinglist Archive: opensuse-security (343 mails)

firewall NICs on same subnet WAS: Firewall confusion
  • From: "gabriel.rivera" <defunct@xxxxxxxxxxxxxxx>
  • Date: Tue, 17 Jul 2001 23:22:41 -0700
  • Message-id: <B77A7941.16C%defunct@xxxxxxxxxxxxxxx>
Hi Jon,

It was a huge hassle to configure this way!! I almost killed somebody.
Eventually I managed to get it working with a mishmash of static host
routes and ARP entries.

BTW when I posted re: this problem it was dismissed as an OT routing issue.
However I think this config is somewhat commonly desired for FW's and as
such is worthy.

***for me, it only worked with /etc/route.conf entries and a restart of
routing...Specifying the routes at the command line didn't work! I know
this makes no sense.

for the firewall (assuming eth0 is external and eth1 is internal)

-declare the subnet on the external interface

my.subnet.add.ress 0.0.0.0 my.net.mas.k eth0

-hostroutes to each internal host with interface specified

default my.routers.ip.addr
int.ernal.host.ip1 0.0.0.0 255.255.255.255 eth1
int.ernal.host.ip2 0.0.0.0 255.255.255.255 eth1

-published arp entries for every internal host (in a bootscript ideally)

arp -vn -i eth1 -s int.ernal.host.ip1 int:ernal:host:mac:addr:ess1 pub
arp -vn -i eth1 -s int.ernal.host.ip2 int:ernal:host:mac:addr:ess2 pub

for the internal machines:

-only the obvious in route.conf

my.subnet.add.ress 0.0.0.0 my.net.mas.k eth0

The router seems to get the necessary arp info from the firewall, as no
published arp entries were necessary. There should definitely be a
HOWTO of some sort, besides
http://www.linuxdoc.org/HOWTO/mini/Proxy-ARP-Subnet/
which is a decent resource.

I think Marc's firewall scripts are awesome; 2.4 has matured into a
sturdy FW. But for this particular application ipf for BSD is probably less
of a headache as a firewall host...saves real IP's too.

HTH
-gabriel
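The following is an added illustration of why the post's recipe needs both the /32 host routes and the published ARP entries; it is example code written for this archive page, not something gabriel or the SuSE firewall scripts ship. It models the firewall's routing table in the same shape as the route.conf lines above (subnet on eth0, one /32 per internal host on eth1, default via the router) and applies longest-prefix matching the way the kernel does, then models proxy ARP as "the firewall answers on the external side for any internal address it has published". All addresses are constructed from RFC 5737 documentation space in place of the post's placeholders, and the ARP part is a simplified model, not kernel behaviour.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation space) standing in for the
# post's my.subnet.add.ress / int.ernal.host.ip placeholders.
SUBNET = ipaddress.ip_network("192.0.2.0/24")
ROUTER = ipaddress.ip_address("192.0.2.1")
INTERNAL_HOSTS = ["192.0.2.10", "192.0.2.11"]   # machines behind eth1
EXTERNAL_HOST = "192.0.2.50"                    # same subnet, on the eth0 side


def firewall_routes(subnet, router, internal_hosts, with_host_routes=True):
    """Routing table in the shape of the poster's route.conf: the whole subnet
    on eth0, optionally one /32 host route per internal machine on eth1, and a
    default route via the upstream router."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), "eth0", router),
        (subnet, "eth0", None),
    ]
    if with_host_routes:
        for host in internal_hosts:
            table.append((ipaddress.ip_network(f"{host}/32"), "eth1", None))
    return table


def lookup(table, dst):
    """Longest-prefix match, the rule the kernel applies: the most specific
    route wins, so a /32 beats the /24 and the /24 beats the default."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, dev, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def egress_interface(table, dst):
    """Interface the firewall would forward a packet for dst out of."""
    return lookup(table, dst)[1]


def answers_arp(published_internal, target_ip):
    """Simplified proxy ARP model (assumption, not kernel code): the firewall
    replies to an ARP request on the external side for target_ip with its own
    hardware address whenever target_ip is one of the published internal
    hosts, so the router sends that traffic to the firewall."""
    return target_ip in published_internal


def demo():
    """Return the routing/ARP decisions for a few representative destinations."""
    with_routes = firewall_routes(SUBNET, ROUTER, INTERNAL_HOSTS)
    without = firewall_routes(SUBNET, ROUTER, INTERNAL_HOSTS, with_host_routes=False)
    published = set(INTERNAL_HOSTS)
    return {
        # with the /32s the internal host is reached via eth1 ...
        "internal_with_host_routes": egress_interface(with_routes, INTERNAL_HOSTS[0]),
        # ... without them the /24 on eth0 wins and the packet goes the wrong way
        "internal_without_host_routes": egress_interface(without, INTERNAL_HOSTS[0]),
        "external_same_subnet": egress_interface(with_routes, EXTERNAL_HOST),
        "offsite": egress_interface(with_routes, "198.51.100.7"),
        "router_arp_for_internal": answers_arp(published, INTERNAL_HOSTS[0]),
        "router_arp_for_external": answers_arp(published, EXTERNAL_HOST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "internal_without_host_routes" case is the failure the post works around: with only the subnet declared on eth0, the kernel has no reason to send an internal address out eth1, and without a published entry the router never learns to hand that address to the firewall at all.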



