From owner-freebsd-questions Mon Nov 4 06:08:10 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA18102 for questions-outgoing; Mon, 4 Nov 1996 06:08:10 -0800 (PST)
Received: from vdp01.vailsystems.com (root@vdp01.vailsystems.com [207.152.98.18]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA18093 for ; Mon, 4 Nov 1996 06:08:05 -0800 (PST)
Received: from crocodile.vale.com (crocodile [204.117.217.147]) by vdp01.vailsystems.com (8.7.5/8.7.3) with ESMTP id IAA21861; Mon, 4 Nov 1996 08:08:02 -0600 (CST)
Received: from jaguar (jaguar.vale.com [204.117.217.146]) by crocodile.vale.com (8.7.5/8.7.3) with SMTP id IAA11462; Mon, 4 Nov 1996 08:07:45 -0600 (CST)
Message-ID: <327DF8C4.1F01@vailsys.com>
Date: Mon, 04 Nov 1996 08:08:04 -0600
From: Hal Snyder
Reply-To: hal@vailsys.com
Organization: Vail Systems, Inc.
X-Mailer: Mozilla 3.0 (WinNT; I)
MIME-Version: 1.0
To: "Neil C. Jensen"
CC: "'questions@freebsd.org'"
Subject: Re: routing / firewall question
References: <01BBC822.97F241A0@ppp01.habaneros.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Neil C. Jensen wrote:
> I have 32 IP addresses subnetted from a class C. I presently have the
> following setup:
>
> [ Internet ] <-------------------> Router <-------------------------> real
>                                                                       & virtual servers
>                ISDN  xxx.xxx.xxx.97          ethernet  xxx.xxx.xxx.98-126
>
> I would like to add a firewall using TIS's fwtk (for telnet and ftp) and
> perhaps the CERN HTTP proxy server (or Apache 1.2 proxy when it is
> released). The network will then look like:
>
>                 ISDN             ethernet            ethernet
> [ Internet ] <-------> Router <--------> Firewall <--------> My machines
>
> Where I get confused is at the Firewall. My understanding is that the two
> network interfaces must be on separate subnets.
> How can I address the two
> interfaces on the firewall and still retain the maximum number of IP
> addresses for the rest of my machines? (I saw some mail in the archives about
> using private addresses between the router and firewall, but apparently
> this does not work with the proxy servers on the firewall).

You get more security if you keep your .96-127 addresses on the perimeter
segment (where router and firewall communicate) and assign RFC 1918 IP
addresses to your internal LAN nodes. With this approach, there is no direct
IP route from the Internet to your internal LAN. Turn off IP forwarding in
the firewall and proxy everything between the Internet and your LAN.

If you don't want that, then you can further subnet your address block. The
sanest way is to split it in half, keeping one half for the router-firewall
link segment and the other half for the LAN. You can salvage more addresses
by giving, say, addresses .96-99 to the link segment, but you'll need to add
an extra routing rule to your LAN hosts.

> On a related question, just to make sure I understand this correctly; does
> the CERN proxy server reside on the firewall, instead of using fwtk's
> http-gw?

Yes, all proxy services reside on the firewall(s) in this sort of scheme.

About HTTP proxying - squid outperforms CERN by quite a bit. Squid is just a
proxy server. If you want to serve your own pages, Apache is more up-to-date
than CERN's server. If your pages are for internal use only, I'd run the
server somewhere else than on the proxy host.
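The two subnetting options in the reply (split the /27 in half, or carve a small link segment off the bottom and accept an extra route on the LAN hosts) come down to address arithmetic plus longest-prefix-match routing. The following is an added example written for this archive page, not code from either poster. It uses Python's standard `ipaddress` module; the masked `xxx.xxx.xxx` prefix from the original post is replaced by the documentation range 192.0.2.0/24 (a constructed placeholder), and the firewall's LAN address `192.0.2.100` is an assumption.

```python
import ipaddress

# Constructed placeholder: the post masks the first three octets as xxx.xxx.xxx,
# so 192.0.2.0/24 (TEST-NET-1) stands in for them. The block is .96-.127 (/27).
BLOCK = ipaddress.ip_network("192.0.2.96/27")


def usable_hosts(net):
    """Assignable addresses in a subnet (network and broadcast excluded)."""
    return net.num_addresses - 2


def split_in_half(block):
    """Option 'split it in half': one /28 for the router-firewall link, one /28 for the LAN.

    Each half is a clean prefix, so no host needs anything beyond its own netmask."""
    link, lan = block.subnets(prefixlen_diff=1)
    return link, lan


def small_link_segment(block, link_prefix=30):
    """Option '.96-99 to the link segment': a /30 for router + firewall outer interface.

    The leftover (.100-.126) is not expressible as a single prefix, so the LAN keeps
    the /27 mask and overlaps the link segment. Returns the link net and the LAN-side
    host addresses that remain."""
    link = next(block.subnets(new_prefix=link_prefix))
    leftover = [a for a in block.hosts() if a not in link]
    return link, leftover


def longest_prefix_match(table, dst):
    """Minimal forwarding-table lookup: the most specific matching prefix wins.

    table is a list of (network, next_hop); next_hop "direct" means on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in table if dst in net]
    if not matches:
        return None
    net, nh = max(matches, key=lambda entry: entry[0].prefixlen)
    return nh


def lan_host_routes(block, link, firewall_lan_ip):
    """Routing table of a LAN host under the /30 scheme.

    With only the first entry the host believes the whole /27 is on its ethernet and
    would ARP for the router (.97) locally. The second entry is the 'extra routing
    rule' from the reply: the /30 really sits on the far side of the firewall."""
    return [
        (block, "direct"),
        (link, firewall_lan_ip),
    ]


if __name__ == "__main__":
    link, lan = split_in_half(BLOCK)
    print("half split:", link, lan, "usable per half:", usable_hosts(lan))

    link30, rest = small_link_segment(BLOCK)
    print("/30 link:", link30, "LAN-side addresses left:", len(rest), rest[0], "-", rest[-1])

    fw_lan = "192.0.2.100"  # assumed firewall LAN-side address
    table = lan_host_routes(BLOCK, link30, fw_lan)
    print("to router .97 without extra rule:", longest_prefix_match(table[:1], "192.0.2.97"))
    print("to router .97 with extra rule:   ", longest_prefix_match(table, "192.0.2.97"))
    print("to LAN peer .110:                ", longest_prefix_match(table, "192.0.2.110"))
```

The lookup makes the trade-off concrete: the half split costs 16 addresses for a link that only needs two hosts, while the /30 scheme keeps 27 addresses on the LAN side but only works if every LAN host carries the more specific route through the firewall.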