Date: 11 Feb 1998 22:41:35 +0100
From: Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To: Cliff Addy <fbsdlist@federation.addy.com>
Cc: questions@FreeBSD.ORG, isp@FreeBSD.ORG
Subject: Re: FreeBSD firewall questions
Message-ID: <87en19vmy8.fsf@devnull.ruhr.de>
In-Reply-To: Cliff Addy's message of "Wed, 11 Feb 1998 08:48:40 -0500 (EST)"
References: <Pine.BSF.3.95q.980211082836.5078A-100000@federation.addy.com>
Cliff Addy <fbsdlist@federation.addy.com> writes:

> - I think we have to change the default gateway of all our systems to the
>   firewall box, is that correct? Currently, they use the router.

Yes, if you mean the internal address of the firewall/router box, but...

> - We have 4 class C networks in our internal systems. Let's assume we
>   assign 100.100.100.100 to the "inside" nic on the firewall box and
>   100.100.100.101 to the "outside" nic, while the router's ip is
>   100.100.100.1. Does this routing on the firewall box look right?

Not really. A router is usually connected to two (or more) networks. What
you're doing right now is connecting it twice to the same network
100.100.100.*, at least from the IP address point of view, which is not
exactly your intention.

You'll need several networks:

Network 1: Between your ISP/NSP and your router.
Network 2: Between your router and your packet filter.
Network 3-n: Your internal network(s). Possibly you have a perimeter/DMZ
network with application proxies and/or outbound servers like FTP or WWW
servers.

The important thing is that you use Network 3-n addresses within Network 2.
No good.

You may consider spending a whole class C network for that, use a
NAT/RFC1918 network address (192.168.*.*) or subnet one of your networks
3-n and use one of the subnets for the net between router and packet
filter.

The first solution is the "clean" one, but may require another registered
class C, so it's not exactly perfect. The second solution should work fine
if your router lets you use those NAT addresses. The third is a bit
tricky; I wouldn't consider it unless the other two solutions didn't work.
If you try, make sure you get the network and broadcast addresses right.

And of course there's always the solution I missed...
> - set static network routes to the internal class C networks
>   route add -net 100.100.100.0 -interface 100.100.100.100
>   route add -net 100.100.101.0 -interface 100.100.100.100
>   route add -net 100.100.102.0 -interface 100.100.100.100
>   route add -net 100.100.103.0 -interface 100.100.100.100

You can probably simplify things if you use a specific netmask. This may
speed things up a bit. Try something like

    # route add -net 100.100.100.0 -netmask 255.255.252.0 \
          -interface 100.100.100.100

(not tested and I'm a bit out of practice with the syntax, so YMMV).

> - set a static route to the router's ip address
>   route add 100.100.100.1 100.100.100.101
>
>   or does this need to be
>   route add 100.100.100.1 -interface 100.100.100.101

This is where things get messy because you're overriding the network
route(s) above with a host route. The most ugly part about it is that
internal machines can't reach the router itself anymore --- they can send
things through it, but they can't even ping it to see if it's up. They'll
always complain about a "host is down" or similar.

Sorry, I can't really tell you about the proper routing syntax --- it's
been about three or four years since I last did anything serious about
this on FreeBSD (and then we used dynamic routing).

> - In order to connect the outside nic of the firewall directly to the
>   router, don't we need a "special" cable, the cat-5 equivalent of a
>   null-modem cable?

You can use a proper hub instead. It is also possible to build a null-hub
cable, but I don't remember which wires to cross. Sorry, maybe some
hardware fraggle knows?

Ben

--
Ben(edikt)? Stockebrand    Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for
advertising purposes. Any sender of unsolicited advertisement e-mail to
this address implicitly agrees to pay a DM 500 fee to the recipient for
proofreading services.
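The points raised in the reply above (aggregating the four contiguous class C networks into one route with a proper netmask, both firewall interfaces landing in the same /24, and a host route for the router overriding the network route) can be checked without touching a live routing table. The following is an added example, not code from the thread or from FreeBSD; it uses Python's standard ipaddress module, the placeholder addresses from the thread, and a constructed routing table (ROUTE_TABLE) shaped like the one the question proposes.

```python
"""Added example, not part of the original thread: checks the routing plan
discussed above with Python's standard ipaddress module, so it runs offline
without modifying a real routing table.

It shows that the four contiguous class C networks aggregate to one /22
(mask 255.255.252.0), that a non-contiguous mask such as 255.255.251.0 is
rejected, that two interfaces numbered out of the same /24 end up on the
same subnet, and how longest-prefix matching makes a /32 host route for
the router override the /22 network route. All addresses are the
placeholders used in the thread."""

import ipaddress

# The four internal class C networks from the question.
INTERNAL_NETS = [
    "100.100.100.0/24", "100.100.101.0/24",
    "100.100.102.0/24", "100.100.103.0/24",
]

# Constructed routing table (an assumption for this example) in the shape
# the question proposes: one aggregated network route out the inside
# interface, a host route for the router out the outside interface, and a
# default route via the router.
ROUTE_TABLE = [
    ("100.100.100.0/22", "inside"),
    ("100.100.100.1/32", "outside"),
    ("0.0.0.0/0", "100.100.100.1"),
]


def aggregate(nets):
    """Collapse adjacent networks into the fewest covering supernets."""
    collapsed = ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets)
    return [str(n) for n in collapsed]


def dotted_mask(cidr):
    """Dotted-quad netmask for a CIDR prefix, e.g. /22 -> 255.255.252.0."""
    return str(ipaddress.ip_network(cidr).netmask)


def mask_is_valid(dotted):
    """True only for a contiguous mask: a run of ones followed by zeros.
    (ipaddress also accepts the equivalent hostmask form, e.g. 0.0.3.255.)"""
    try:
        ipaddress.ip_network(f"0.0.0.0/{dotted}")
        return True
    except ValueError:
        return False


def same_subnet(addr_a, addr_b, mask):
    """True if both addresses fall in the same subnet under the given mask."""
    net_a = ipaddress.ip_network(f"{addr_a}/{mask}", strict=False)
    net_b = ipaddress.ip_network(f"{addr_b}/{mask}", strict=False)
    return net_a == net_b


def lookup(table, dst):
    """Longest-prefix match: the most specific matching entry wins,
    so a /32 host route beats a /22 network route for that one address."""
    dst = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


if __name__ == "__main__":
    print("aggregate:", aggregate(INTERNAL_NETS), dotted_mask("100.100.100.0/22"))
    print("255.255.251.0 valid?", mask_is_valid("255.255.251.0"))
    print("both nics in one /24?",
          same_subnet("100.100.100.100", "100.100.100.101", "255.255.255.0"))
    for dst in ("100.100.100.1", "100.100.102.7", "198.51.100.1"):
        print(dst, "->", lookup(ROUTE_TABLE, dst))
```

The aggregation works only because 100.100.100.0 is /22-aligned (100 is a multiple of 4); four class Cs starting at an unaligned address would collapse to more than one prefix, which is exactly the "get the network and broadcast addresses right" caveat from the reply. The lookup function is a plain longest-prefix match, not a reimplementation of the FreeBSD kernel's routing table, but it is enough to show why traffic for the router's own address leaves by the host route rather than the aggregated network route.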