From owner-freebsd-questions Thu Oct 1 08:04:53 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA01949 for freebsd-questions-outgoing; Thu, 1 Oct 1998 08:04:53 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from servidor.exsocom.com.mx (servidor.exsocom.com.mx [200.34.46.130]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA01914; Thu, 1 Oct 1998 08:04:38 -0700 (PDT) (envelope-from agalindo@servidor.exsocom.com.mx)
Received: from servidor.exsocom.com.mx (servidor.exsocom.com.mx [200.34.46.130]) by servidor.exsocom.com.mx (8.8.7/8.8.5) with SMTP id KAA29705; Thu, 1 Oct 1998 10:11:14 -0500 (CDT)
Date: Thu, 1 Oct 1998 10:11:13 -0500 (CDT)
From: Alejandro Galindo Chairez AGALINDO
To: Kim Shrier
cc: questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall with 2 NIC and a NET class C
In-Reply-To: <36132D71.39FCD5A3@tinker.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 1 Oct 1998, Kim Shrier wrote:

> You have a couple of ways to approach this. You could use network address
> translation and have private addresses for all your machines. The "public"
> machines would have static mappings to real IP addresses that are aliased
> on the outside interface of the firewall. You would also use ipfw rules to
> control the traffic.

OK, I like the idea of having static mappings to real IP addrs. that are
aliased on the outside interface. How can I do that?

> Another approach is to split your class C into subnets, one subnet for the
> outside interface and the other for the inside interface, and then set up
> ipfw rules and routes in the firewall to control the traffic.

OK, in this case I can set up my outside network like a half class C (mask
255.255.255.128) with the next IPs: 208.195.117.1 - 208.195.117.127, and
the inside net with the IPs 208.195.117.129 - 208.195.117.254.

Actually, the external router's ethernet port now is 208.195.117.2 with a
mask /25. Will I need to change the mask here too? And if yes, why does the
router indicate to me an invalid mask /25? (The router is a CISCO 4000.)

Other questions: I think it is possible to connect the firewall directly to
the router (without a hub) with a cross cable. Does it work, or is it
necessary to use the hub? And how can I set up the routes in the firewall?

> If you want, I can help you with the rules once I know how you want to
> proceed.

THANKS, I will appreciate that very much.

Have a good day

Alejandro Galindo

> Kim Shrier
> kim@tinker.com
>
> Alejandro Galindo Chairez AGALINDO wrote:
> >
> > Hello!
> >
> > I have a network class C (connected to Internet), some hackers are
> > cracking my server and I need to install a firewall.
> >
> > I have 2 xl NICs (xl0 and xl1), but I don't know how the rc.firewall
> > configuration will be and how I can protect all my network from outside
> > attacks.
> >
> > In the rc.firewall I use the "simple" firewall type, but I don't
> > understand how I can divide my network class C in 2 networks (with a mask
> > 255.255.255.128, for example).
> >
> > I need to have real Internet IPs on the 2 NICs because I want to
> > protect my WWW and e-mail servers.
> >
> > Here is a sample of what I have and what I need:
> >
> >                        INTERNET
> >                           |
> >                           |
> >                My router (208.195.117.2)
> >                           |
> >                           |
> >        ----------------------- (network class C 208.195.117.*)
> >          |                |                |
> >          |                |                |
> >      WWW server      email server       and PCs
> >    208.195.117.11      208...12          208...13 (sample)
> >
> > I need to protect all my network and I think the solution can be:
> >
> >                        INTERNET
> >                           |
> >                           |
> >                  ROUTER (208.195.117.2)
> >                           |
> >                           | maybe mask 255.255.255.128
> >        FIREWALL (208.195.117.14) xl0 (first NIC)
> >                           |
> >                           | 208.195.117.129 xl1 (second NIC) of the firewall
> >        ------------------------
> >          |                |                |  maybe mask 255.255.255.128
> >          |                |                |
> >      WWW server      email server       PC's ...
> >    208.195.117.130     208...131         208...132 etc
> >
> > Please, I need help in how to plan the network and how to indicate the
> > rules in the rc.firewall.
> >
> > I am desperate because my network is attacked.
> >
> > Thanks in advance
> >
> > Alejandro Galindo
> >
> > ----------------------------------------------------------------------------
> > ExSoCom Dgo. MEXICO
> > Alejandro Galindo
> > Tel: (52 18) 179177
> > Fax: (52 18) 185155
> > e-mail alejandro.galindo@exsocom.com.mx
> > http://www.exsocom.com.mx
> > a FreeBSD ISP
> > ----------------------------------------------------------------------------
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
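Subnet arithmetic for the split-the-class-C approach discussed in this thread, as an added Python example that is not part of the thread or of anyone's rc.firewall: the addresses are the ones quoted above, while the host labels, the xl0/xl1 side names and the deliberately bad ".127" pick are assumptions made here to show the network/broadcast edge case.

```python
# Added example, not from the thread: the addresses are the ones quoted
# there; host labels and the xl0/xl1 side names are assumptions.
import ipaddress

CLASS_C = ipaddress.ip_network("208.195.117.0/24")

def split_class_c(net=CLASS_C, new_prefix=25):
    """Split the class C into its outside (xl0) and inside (xl1) halves."""
    outside, inside = net.subnets(new_prefix=new_prefix)
    return outside, inside

def usable_range(subnet):
    """First and last assignable address.  Network and broadcast addresses
    are excluded: the lower /25 gives .1 - .126, since .127 is its broadcast."""
    hosts = list(subnet.hosts())
    return str(hosts[0]), str(hosts[-1])

def place_hosts(hosts, outside, inside):
    """Map {label: dotted-quad} to {label: 'xl0' | 'xl1' | 'unusable'};
    'unusable' marks a network or broadcast address of either half."""
    reserved = {outside.network_address, outside.broadcast_address,
                inside.network_address, inside.broadcast_address}
    placement = {}
    for label, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip in reserved:
            placement[label] = "unusable"
        elif ip in outside:
            placement[label] = "xl0"
        elif ip in inside:
            placement[label] = "xl1"
        else:
            placement[label] = "not in class C"
    return placement

def same_link(a, b, subnet):
    """True when both addresses are in `subnet`: the router and the firewall's
    outside NIC then reach each other directly, with no route needed."""
    return ipaddress.ip_address(a) in subnet and ipaddress.ip_address(b) in subnet

# Constructed host plan following the addresses used in the thread.
PLAN = {"router": "208.195.117.2", "firewall xl0": "208.195.117.14",
        "firewall xl1": "208.195.117.129", "www": "208.195.117.130",
        "email": "208.195.117.131", "bad pick": "208.195.117.127"}

if __name__ == "__main__":
    out, inn = split_class_c()
    print("outside", out, usable_range(out), "inside", inn, usable_range(inn))
    print(place_hosts(PLAN, out, inn))
```

Running it shows that the router (.2) and the firewall's xl0 (.14) share the lower /25, the servers land behind xl1, and .127 cannot be given to a host because it is the broadcast address of the outside half.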