Date:      Thu, 1 Oct 1998 12:26:39 -0500 (CDT)
From:      Alejandro Galindo Chairez AGALINDO  <agalindo@servidor.exsocom.com.mx>
To:        "Jasper O'Malley" <jooji@webnology.com>
Cc:        questions@FreeBSD.ORG
Subject:   Re: Firewall with 2 NIC and a NET class C
Message-ID:  <Pine.BSF.3.96.981001122505.1646A-100000@servidor.exsocom.com.mx>
In-Reply-To: <Pine.LNX.4.02.9810011018380.23363-100000@mercury.webnology.com>

OK, I will work on it, and if I have any problem I will reply with another e-mail.

THANKS !!

Alejandro Galindo

On Thu, 1 Oct 1998, Jasper O'Malley wrote:

> On Thu, 1 Oct 1998, Alejandro Galindo Chairez AGALINDO wrote:
> 
> > OK, in this case I can set up my outside network as a half class C (mask
> > 255.255.255.128) with the following IPs: 208.195.117.1 - 208.195.117.127, and
> > the inside net with the IPs 208.195.117.129 - 208.195.117.254.
> 
> Actually, the first subnet is 208.195.117.0 - 208.195.117.127, with .0 and
> .127 not usable. The second is 208.195.117.128 - 208.195.117.255, with
> .128 and .255 not usable.
> 
> > Actually, the external router's Ethernet port is now 208.195.117.2 with a
> > /25 mask. Will I need to change the mask here too? And if so, why does the
> > router tell me "invalid mask /25"? (The router is a Cisco 4000.)
> 
> A /25 mask is the same thing as 255.255.255.128; it should currently be a
> /24 (255.255.255.0). What version of the Cisco IOS are you running? Have
> you specified "ip classless" and "ip subnet zero" in your config? If not,
> that's probably why it's barking at you. Traditionally, subnet zero and
> subnet one (the first and last subnets in a classed network) were
> unusable, because the first subnet contains the network address for the
> entire network, and the last subnet contains the broadcast address for the
> entire network. This leaves no usable addresses in a class C
> split in two. Classless routing and VLSM have solved the first problem,
> and no one ever uses the all-subnets broadcast anyway :P so the second
> problem is moot. Cisco defaults to "traditional" settings, though, so you
> need to explicitly tell it you're not using classed networks ("ip
> classless"), and you'd like to use subnets zero and one ("ip subnet
> zero").
> 
> > Other questions:
> > 
> > 	I think it is possible to connect the firewall directly to the
> > router (without a hub) with a crossover cable; does it work? Or is it
> > necessary to use the hub?
> 
> A well-constructed crossover cable will do the trick fine. You can,
> however, use a hub instead if you have any hosts you want to stick outside
> the firewall for any reason.
> 
> > 	And how can I set up the routes in the firewall?
> 
> 1) Turn on IP forwarding by setting gateway_enable="YES" in your rc.conf.
> 
> 2) Modify the static_routes entry in /etc/rc.conf and add some route
>    descriptions.
> 
> The rc.conf manpage is a little sketchy on the details, but in general,
> you name the routes you're setting up in static_routes, and add a line for
> each route you've named as follows:
> 
> static_routes="one two three"
> route_one="-net 192.168.1.0 192.168.0.1"
> route_two="-net 192.168.2.0 -netmask 255.255.255.128 192.168.0.5"
> route_three="-net 192.168.2.128 -netmask 255.255.255.128 192.168.0.25"
> 
> Each route_* line is passed as an argument to a "route add" command at
> startup.
> 
> Note that these are *examples* only. They have nothing to do with your
> situation. As a matter of fact, I don't think you'll need any static
> routes at all, unless you put more than one network behind the firewall.
> Just set the defaultrouter in the rc.conf to be the IP address of the
> Cisco's ethernet interface. The networks 208.195.117.0/25 and
> 208.195.117.128/25 will be directly connected. Then be sure to set the
> default gateway on the hosts behind the firewall to be the internal IP
> address of the firewall.
> 
> You'll need a reboot to make the firewall start forwarding packets between
> interfaces, or you can do it by hand:
> 
> sysctl -w net.inet.ip.forwarding=1
> 
> The reboot will also set up your new static routes, or, again, you can do
> this by hand without a reboot, with the route add command.
> 
> That's the easy stuff, though ;) The real fun is setting up natd and
> ipfirewall.
> 
> Cheers,
> Mick
> 
> The Reverend Jasper P. O'Malley          dotdot:jooji@webnology.com
>     Systems Administrator                  ringring:asktheadmiral
> 	Webnology, LLC               woowoo:http://www.webnology.com/~jooji
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.981001122505.1646A-100000>
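The quoted reply makes two mechanical points that are easy to get wrong by hand: the /25 split of 208.195.117.0/24 (which addresses are network, broadcast and usable in each half), and the way each `route_<name>` entry listed in `static_routes` becomes a `route add` command at boot. The script below is an added example, not code from the thread or from FreeBSD's /etc/rc; it reuses the thread's sample rc.conf lines as constructed input, computes the subnet boundaries for the addresses under discussion, and prints the `route add` commands in dry-run form instead of executing them (the function names and the dry-run behaviour are this example's own choices).

```sh
#!/bin/sh
# Added example (not from the original thread or from FreeBSD's rc scripts).
# 1. expand_static_routes: shows how rc.conf's static_routes list is expanded
#    into "route add" commands (printed, not executed).
# 2. subnet_bounds: computes network, first/last usable and broadcast for a
#    CIDR prefix, e.g. the two /25 halves discussed in the thread.

# Constructed rc.conf fragment, copied from the example in the reply.
# The 192.168.x.x addresses are illustrative only.
static_routes="one two three"
route_one="-net 192.168.1.0 192.168.0.1"
route_two="-net 192.168.2.0 -netmask 255.255.255.128 192.168.0.5"
route_three="-net 192.168.2.128 -netmask 255.255.255.128 192.168.0.25"

# For every name in $static_routes, look up $route_<name> and print the
# "route add" command that rc would run with those arguments (dry run).
expand_static_routes() {
    for name in $static_routes; do
        eval "args=\$route_${name}"
        echo "route add $args"
    done
}

# Dotted quad -> 32-bit integer (POSIX sh arithmetic, no bashisms).
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_bounds ADDR PREFIX
# Prints: "<network> <first usable> <last usable> <broadcast>"
# The network and broadcast addresses are the two unusable ones the reply
# points out for each /25 half.
subnet_bounds() {
    addr=$1
    prefix=$2
    ip=$(ip_to_int "$addr")
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$net") $(int_to_ip $((net + 1))) $(int_to_ip $((bcast - 1))) $(int_to_ip "$bcast")"
}

# Stand-alone demo: the commands rc would issue, then both /25 halves of
# 208.195.117.0/24 using the router (.2) and an inside host (.200) as inputs.
expand_static_routes
subnet_bounds 208.195.117.2 25
subnet_bounds 208.195.117.200 25
```

Running it prints three `route add` lines followed by `208.195.117.0 208.195.117.1 208.195.117.126 208.195.117.127` and `208.195.117.128 208.195.117.129 208.195.117.254 208.195.117.255`, which is exactly the correction made in the reply: .0/.127 and .128/.255 are the network and broadcast addresses of each half and cannot be assigned to hosts. As the reply also notes, with both /25 networks directly connected to the firewall no static_routes entries are needed at all; only `gateway_enable="YES"` and `defaultrouter` pointing at the Cisco's Ethernet address.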