S.O.S -- Firewall Setup Plan
Nigel Morse
N.Morse@hyperknowledge.com
Wed, 25 Jul 2001 08:50:43 +0100
The problem is that subnetting gets tricky if you're not just splitting in half,
and you lose some addresses when you do that.
The best option is to use internal (192.168.1.x) addresses and have the
firewall do simple SNAT for you. For any machines that then need to be exposed
(e.g. web servers and mail) you can add more NAT rules and IP aliases. This
means that only the boxes you want are exposed, and all the others look like the
connections come from the firewall.
Another option (which I'm going to try) is 1-1 NAT, i.e. have the firewall
NAT 1.2.3.x to 192.168.1.x, where x is the host number, in both prerouting
and postrouting (you can use the NETMAP patch for this). You also need to
have the firewall respond to ARP requests for the internal boxes by adding
aliases to the right network interface. To the outside you then appear to
have a normal network on normal addresses. This is slightly more insecure, as
all the boxes are "exposed", but if the firewall design is good then it
shouldn't be too bad.
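As an added illustration of the two layouts in the reply above (not code from the original thread or its posters), the script below prints the iptables rules for either one on a 2.4 netfilter kernel. Interface names (eth0 outside, eth1 inside), the firewall at 1.2.3.1 / 192.168.1.1, the router at 1.2.3.30 and the web and mail hosts at .10 and .11 are all assumptions standing in for the thread's placeholder addresses. It keeps the same host number on both sides (1.2.3.x to 192.168.1.x), adds the outside-interface aliases the reply mentions so the firewall answers ARP, and pairs each NAT layout with a default-deny FORWARD chain, since NAT by itself only rewrites addresses.

```shell
#!/bin/sh
# Added example, not code from the original thread. It prints the iptables
# (2.4 netfilter) rules for the two layouts described above; run it to review
# them, or pipe it to "sh" as root to apply them. The interface names and
# addresses are assumptions in place of the thread's placeholders:
#   eth0 = outside, public block 1.2.3.0/27 (.1 firewall, .30 router assumed)
#   eth1 = inside, 192.168.1.0/24, firewall at 192.168.1.1
#   hosts keep the same host number on both sides (1.2.3.x <-> 192.168.1.x)

EXT_IF=eth0
INT_IF=eth1
PUB_NET=1.2.3.0/27
PUB_MASK=255.255.255.224
PRIV_NET=192.168.1.0/24
FW_PUB=1.2.3.1

# Filter policy shared by both layouts: NAT only rewrites addresses, so the
# FORWARD chain is what actually decides who may reach an internal box.
base_filter() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $PRIV_NET -j ACCEPT
EOF
}

# Permit new inbound TCP connections to one internal host and port. FORWARD
# sees the packet after PREROUTING, so it matches on the private address.
allow_in() {
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $1 -p tcp --dport $2 -m state --state NEW -j ACCEPT"
}

# Layout 1, one exposed host: a public alias on the outside interface (so the
# firewall answers ARP for it), DNAT in, and a per-host SNAT out so replies
# and its own connections carry the same public address.
# args: alias-index public-ip private-ip tcp-port
expose() {
    echo "ifconfig $EXT_IF:$1 $2 netmask $PUB_MASK up"
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $2 -j DNAT --to-destination $3"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $3 -j SNAT --to-source $2"
    allow_in "$3" "$4"
}

# Layout 1: everything else leaves as the firewall's own address. The catch-all
# SNAT goes last so the per-host rules above it win.
snat_layout() {
    base_filter
    expose 10 1.2.3.10 192.168.1.10 80   # web server (assumed addresses)
    expose 11 1.2.3.11 192.168.1.11 25   # mail server (assumed addresses)
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $PRIV_NET -j SNAT --to-source $FW_PUB"
}

# Layout 2: 1-1 NAT with NETMAP. The /27 mask keeps the low five bits (the host
# number) and swaps only the network part, so one rule each way covers all
# hosts. Every public address still needs an ARP responder, hence one alias
# per usable host address (the router's .30 and the firewall's own .1 excluded).
netmap_layout() {
    base_filter
    i=2
    while [ "$i" -le 29 ]; do
        echo "ifconfig $EXT_IF:$i 1.2.3.$i netmask $PUB_MASK up"
        i=$((i + 1))
    done
    # Leave the firewall's own public address alone; ACCEPT in the nat table
    # means "stop here, no translation".
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $FW_PUB -j ACCEPT"
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $PUB_NET -j NETMAP --to 192.168.1.0/27"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s 192.168.1.0/27 -j NETMAP --to $PUB_NET"
    # Every box is now addressable from outside, which is why the reply calls
    # this layout slightly less secure: only these FORWARD rules hold the line.
    allow_in 192.168.1.10 80
    allow_in 192.168.1.11 25
}

# Print the selected layout ("snat" or "netmap", default netmap).
case "${1:-netmap}" in
    snat) snat_layout ;;
    *)    netmap_layout ;;
esac
```

Run it with no argument for the NETMAP layout or with "snat" for the first one, check the output, then pipe it to sh as root. The point the second layout makes concrete: after NETMAP every 1.2.3.x is reachable, so the FORWARD chain (default DROP, then one explicit allow per service) is the whole of the protection, which is what "the firewall design is good" has to mean in practice.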
-----Original Message-----
From: lee [mailto:lee@thewebbullet.com]
Sent: 24 July 2001 21:36
To: netfilter@lists.samba.org
Subject: S.O.S -- Firewall Setup Plan
I need to build a firewall as soon as possible. But I've got a big
problem...
In my company, we have 32 IP addresses (actually it is only 29) in the network
and one Cisco router to pass through our internet traffic.
I plan to put a Unix system's firewall in my local network to protect my
several servers. But I don't know how to configure my network. Should I
make a subnet for my IP addresses, or can I use the same IP range of
addresses for both devices on my firewall....
The scheme is below:
-------------        --------------        ----------------------
|  Router   | ------ |  Firewall  | ------ |   Local Network    |
-------------        --------------        ----------------------
From:
Lee