On Fri, 03 Mar 2000, Paul Zimdars wrote:
> So I cannot just set up two interfaces with real IP numbers and have internal machines behind the second interface using real IP numbers? I want the Linux box to be a firewall using ipchains on an existing network.
Yes you can, but you do have to be able to define the machines on each side via the card's address and netmask. It *is* possible to assign TWO addresses (and masks) to an NIC, which gets you some more flexibility. However I don't know how to do this. Even with that, if address 1.2.3.4 is on one side of this firewall, and address 1.2.3.5 is on the other side, you really don't stand a chance. And you only get one default router.

The other part is configuring ipchains. There are three major chains.

The input chain - for packets coming into the machine. It doesn't matter if the packet is intended for the machine, or if they merely need to pass through it. A packet that isn't accepted by the input chain, dies.

The output chain - for outgoing packets, whether they originated with this machine or are just passing through.

The forward chain - applies to packets that come in via one NIC and need to go out another. If the packet doesn't pass forwarding rules, it dies. Forwarding rules, if they like a packet, can either accept it or masquerade it.

There is one freebie: if a packet going through in one direction is masqueraded, then a reply packet - from the first packet's destination address and port, to the masquerade address and port - is automatically forwarded to the real origin *without* having to pass forwarding rules. (It still has to pass input and output rules.) I don't believe you get this service if the packet is simply accepted.

In sum, for what you want to do, every packet has to pass three sets of rules (unless their source or destination is the firewall, in which case they only need to pass one set).
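The chain traversal described in the message above, modelled as an added example that is not part of the original post. The addresses, the rule set and the names `traverse`, `check` and `masq` are constructed for illustration; this is a model of the packet path, not ipchains itself.

```python
from ipaddress import ip_address, ip_network
from itertools import count

ANY = ip_network("0.0.0.0/0")
INSIDE = ip_network("192.0.2.0/24")                  # constructed: protected side
FW_IN, FW_OUT = ip_address("192.0.2.1"), ip_address("198.51.100.1")  # constructed NIC addresses

# Ordered (source net, destination net, target); first match wins, no match means DENY.
CHAINS = {
    "input":   [(ANY, ANY, "ACCEPT")],
    "forward": [(INSIDE, ANY, "MASQ")],              # only inside -> outside is forwarded
    "output":  [(ANY, ANY, "ACCEPT")],
}
masq = {}                     # (remote addr, remote port, masq port) -> (real addr, real port)
next_port = count(61000)      # masquerade ports handed out in order (assumed start value)

def check(chain, src, dst):
    for s, d, target in CHAINS[chain]:
        if src in s and dst in d:
            return target
    return "DENY"

def traverse(src, sport, dst, dport):
    """Return (verdict, chains consulted) for one packet, per the model in the message."""
    src, dst = ip_address(src), ip_address(dst)
    local = (FW_IN, FW_OUT)
    path = []
    if src not in local:                              # came in through a NIC
        path.append("input")
        if check("input", src, dst) == "DENY":
            return "DENY", path
        flow = masq.get((src, sport, dport)) if dst == FW_OUT else None
        if flow:                                      # reply to a masqueraded packet:
            dst = flow[0]                             # restore real origin, skip forward
        elif dst in local:
            return "ACCEPT", path                     # addressed to the firewall itself
        else:
            path.append("forward")
            target = check("forward", src, dst)
            if target == "DENY":
                return "DENY", path
            if target == "MASQ":                      # remember the flow for its replies
                masq[(dst, dport, next(next_port))] = (src, sport)
                src = FW_OUT
    path.append("output")
    return check("output", src, dst), path
```

Swapping the forward rule's target from `MASQ` to `ACCEPT` leaves `masq` empty, so a reply addressed to an inside host has to match a forward rule of its own.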