S.O.S -- Firewall Setup Plan
lee
lee@thewebbullet.com
Wed, 25 Jul 2001 15:09:51 -0400
Thanks for your suggestion. But, because I have 32 real IP addresses and 15
workstations, 4 servers (web, mail, DNS) in my local network.
I wondered how I can build a firewall in front of my network with all 'real'
IP addresses? The reason is that I host around 50 web sites with 20 IP
addresses and I don't want to change any address for them...
----- Original Message -----
From: Nigel Morse <N.Morse@hyperknowledge.com>
To: 'lee' <lee@thewebbullet.com>; <netfilter@lists.samba.org>
Sent: Wednesday, July 25, 2001 3:50 AM
Subject: RE: S.O.S -- Firewall Setup Plan
> The problem is that subnetting gets tricky if you're not just splitting in
> half, and you lose some addresses when you do that.
>
> The best option is to use internal (192.168.1.x) addresses and have the
> firewall do simple SNAT for you. Any machines that then need to be exposed
> (eg web servers and mail) you can add more NAT rules and IP aliases. This
> means that only boxes you want are exposed and all the others look like the
> connections come from the firewall.
>
> Another option (which I'm going to try) is 1-1 NAT, i.e. have the firewall
> NAT 1.2.3.x to 192.168.1.x where x is the host number in both prerouting
> and postrouting (you can use the NETMAP patch for this). Also you need to
> have the firewall respond to ARP requests for the internal boxes by adding
> aliases to the right network interface. To the outside you then appear to
> have a normal network on normal address. This is slightly more insecure, as
> all the boxes are "exposed" but if the firewall design is good then it
> shouldn't be too bad.
>
>
> -----Original Message-----
> From: lee [mailto:lee@thewebbullet.com]
> Sent: 24 July 2001 21:36
> To: netfilter@lists.samba.org
> Subject: S.O.S -- Firewall Setup Plan
>
>
> I need to build a firewall as soon as possible. But, I've got a big
> problem...
> In my company, we have 32 IP addresses (actually is only 29) in network
> and one cisco router to pass through our internet traffic.
> I plan to put a unix system's firewall in my local network to protect my
> several servers. But I don't know how to configure my network. Should I
> need to make subnet for my IP addresses or I can use same IP range IP
> address for both devices on my firewall....
> The scheme is below:
> -------------        -------------        -----------------
> |  Router   | ------ | Firewall  | ------ | Local Network |
> -------------        -------------        -----------------
>
From:
> Lee
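
The 1-1 NAT option from the quoted reply, written out with per-host DNAT/SNAT rules instead of the NETMAP patch, as an added example that is not part of the original thread. The interface name eth0, the host numbers and the port table are constructed assumptions; the script only prints the commands so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: prints (does not apply) commands for the 1-1 NAT layout.
PUB_PREFIX="1.2.3"       # public prefix as written in the thread
PRIV_PREFIX="192.168.1"  # internal prefix as written in the thread
EXT_IF="eth0"            # assumption: router-facing interface name

# Constructed table "host-number:tcp-ports"; no ports = outbound only.
HOSTS="10:80,443
11:25
20:"

gen_rules() {
    # Default-deny forwarding; allow replies and outbound connections.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $PRIV_PREFIX.0/24 -o $EXT_IF -m state --state NEW -j ACCEPT"
    echo "$HOSTS" | while IFS=: read -r host ports; do
        [ -n "$host" ] || continue
        pub="$PUB_PREFIX.$host"
        priv="$PRIV_PREFIX.$host"
        # Alias so the firewall answers ARP for the public address.
        echo "ip addr add $pub/32 dev $EXT_IF"
        # Same host number on both sides: DNAT inbound, SNAT outbound.
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv"
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub"
        # FORWARD sees the address after DNAT; open only the listed ports.
        if [ -n "$ports" ]; then
            echo "iptables -A FORWARD -p tcp -d $priv -m multiport --dports $ports -m state --state NEW -j ACCEPT"
        fi
    done
}

gen_rules
```

Host 20 gets its address mapping but no inbound ACCEPT, so it stays unreachable from outside even though it has a public address. UDP services such as DNS would need their own `-p udp` rules.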