Mailinglist Archive: opensuse-security (343 mails)

Re: [suse-security] Firewall confusion
  • From: <dog@xxxxxxxxx>
  • Date: Mon, 16 Jul 2001 09:38:04 -0500 (CDT)
  • Message-id: <Pine.LNX.4.31.0107160929200.26163-100000@xxxxxxxxxxxxx>
To really do firewalling proper, you will need different subnets. You can
setup your linux box with two nics with ip addresses in the same range on
both nics, enable ip forwarding and set all your workstations and servers
to use that machine for their gateway (heck, you only need one nic for
that) and that would handle outbound traffic. Incoming traffic is
another matter. One solution, if you have control of your router, is to
change the route on the router and set up an invalid ip on the first nic in
the linux box.

example:

internet ----- router ---------- linux box ------- lan (xxx.xxx.xxx.xxx/y)
               192.168.1.1/30    192.168.1.2/30     xxx.xxx.xxx.xxx/y

so if it's a cisco router, you would do
set ethernet interface ip to 192.168.1.1 255.255.255.252 and set up
routing as follows:
route ip xxx.xxx.xxx.xxx 255.255.255.0 192.168.1.2, which would send all
traffic for your lan to the linux box, which could then do packet
filtering, logging and routing.

this way, you don't need to change anything on your lan except maybe the
default gateway. Of course, if you don't have a firewall now, and the
gateway is the router, then you can just set the eth1 interface ip address
on the linux box (the one connected to the lan) to the ip address of the
router. Also, you could get by with just hooking the router and firewall
up with a crossover cable and avoiding any switching issues.

I have successfully done this with OpenBSD but never tried doing any actual
routing (other than masqing) with linux.


On Mon, 16 Jul 2001, John Bland wrote:

>
>Hi,
>
>I'm having some bother setting up a firewall and although the problem is
>pure networking I just thought I'd check I'm not doing something stupid.
>
>We have a network here with a large number of proper unique ip addresses.
>This is both for servers and workstations which people like to log into
>etc from offsite.
>
>What I'd like to do is put in some 'seamless' firewalling, ie retain our
>unique ip addresses but firewall the connection to them to only allow
>secure connections and log the traffic. To do this I'm putting in a linux
>box with two NICs between our incoming connection and the primary hub.
>
>I'm aware that using non-routables would be easier and more secure but
>that would mean a complete overhaul of our setup and messing about with
>proxies.
>
>The problem is that this means the two NICs on the firewall are on the
>same subnet. There appears to be some problem with routing in this setup.
>I've not tried to do anything fancy just set up eth0 and eth1 as normal.
>
>Any comments? I'd really rather avoid a wholescale move to 192.168.x.x if
>possible.
>
>Cheers,
> JB
>
>--
>John Bland M.Phys (Hons) AMInstP / \ PhD Student & Sys Admin
>Email: j.bland at cmp.liv.ac.uk / \ Condensed Matter Group
>http://ringtail.cmp.liv.ac.uk/ / \ Liverpool University
> "Hey, I wonder how much meat you get on a womble?" -- Eddie
>
>
>--
>To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
>For additional commands, e-mail: suse-security-help@xxxxxxxx
>

Chad Whitten
Network/Systems Administrator
Nexband Communications
chadwick@xxxxxxxxxxx
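As an added illustration (not part of either message), the model below shows why the original two-NICs-in-one-subnet setup cannot route, and how the transit /30 plus the static route on the router fixes it. It uses a longest-prefix-match lookup over each box's route table and a forwarding policy for the "only allow secure connections and log the traffic" goal. Assumptions: 203.0.113.0/24 stands in for the post's LAN, "secure connections" means SSH on tcp/22, and ties between equal-length routes go to the first entry (a simplification of the kernel's behaviour).

```python
import ipaddress

# Constructed sample values: 203.0.113.0/24 (a documentation range) stands in
# for the post's "xxx.xxx.xxx.xxx/y" LAN; 192.168.1.0/30 is the transit net.
LAN = ipaddress.ip_network("203.0.113.0/24")
LINK = ipaddress.ip_network("192.168.1.0/30")
ANY = ipaddress.ip_network("0.0.0.0/0")

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop, iface) entries.
    Ties go to the first entry, a simplified model of the kernel keeping
    the route that was installed first. Returns (next_hop, iface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh, iface)
    return best[1:] if best else None

# The poster's setup: eth0 and eth1 both configured inside the LAN prefix.
# Both interfaces install the same connected route, so every LAN-bound packet
# leaves via whichever came first, regardless of which side the host is on.
BROKEN = [(LAN, None, "eth0"), (LAN, None, "eth1")]

# Router after "set ethernet interface ip to 192.168.1.1 255.255.255.252" and
# "route ip <lan> 255.255.255.0 192.168.1.2": LAN traffic is handed to the box.
ROUTER = [(ANY, "upstream", "serial0"), (LINK, None, "ethernet0"),
          (LAN, "192.168.1.2", "ethernet0")]

# Linux box: eth0 = 192.168.1.2/30 facing the router, eth1 inside the LAN,
# IP forwarding enabled. Each prefix now maps to exactly one interface.
FIREWALL = [(ANY, "192.168.1.1", "eth0"), (LINK, None, "eth0"), (LAN, None, "eth1")]

def filter_forward(in_iface, proto, dport):
    """Assumed policy for the forwarded path: from the router side allow only
    SSH (tcp/22, an assumption) and log it, log and drop everything else;
    traffic coming from the LAN side is forwarded unfiltered.
    Returns (verdict, logged)."""
    if in_iface == "eth1":
        return ("ACCEPT", False)
    if proto == "tcp" and dport == 22:
        return ("ACCEPT", True)
    return ("DROP", True)
```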

