Date: Thu, 6 Jun 2002 17:54:51 -0400 (EDT)
From: "BSD Security" <bsdsecurity@connect1.ca>
To: <michael@fastmail.ca>
Cc: <security@FreeBSD.ORG>
Subject: Re: Subnet Security
Message-ID: <37649.216.254.135.133.1023400491.squirrel@www.connect1.ca>
In-Reply-To: <3CFA5A6C.000009.72128@ns.interchange.ca>
References: <3CFA5A6C.000009.72128@ns.interchange.ca>
First off, the way you want to do your routing is not a good idea. Routing works by the most specific route; in this case you have two networks on two interfaces that share the same IP space by overlapping at some point. You overlap at 192.168.79.112-127. That is on xl0. Yet you are saying at the same time that the network 192.168.79.0-255 is on fxp1. This is poor networking and should not be implemented.

First off, if someone tries to send traffic to 192.168.79.112, you will not get a response because that is the network boundary address for your network on xl0. Like I said before, the more specific route always takes precedence. So if you set up a machine on the fxp1 network with the IP 192.168.79.112, then you will get a response only from within that network because it is a local broadcast, but if you are outside that fxp1 network and you want to access the 79.112 machine that is sitting in the fxp1 interface, it won't happen.

You should reconfigure your network layout before you start doing anything else. What you should do is get an idea of how many IPs you need on the secure and the non-secure segment. Then make sure you subnet at the proper boundaries.

I am not sure if the way you set this up will work on the FreeBSD machine, but if you did this in a router and you were routing these blocks this way you would screw a lot of things up in terms of proper access. It is not how you do things. For your case, you may be lucky and get it to work, but the way you are doing it is not the right way to network. That is just as bad as assigning the same IP address to two machines on the same network.

Michael Richards said:
> I've got a firewall and need to set up a subnet so the servers on it
> have a much more restrictive ruleset than the other subnet. I'm not
> 100% sure how to do it but here is the info.
>
> firewall:
> outside
> fxp0 -> 192.168.72.31 netmask 0xffffffc0 gw 192.168.72.1
> fxp1 -> 192.168.79.1 netmask 0xffffff00
> xl0 -> 192.168.79.120 netmask 0xfffffff0
>
> secure webserver:
> fxp0 -> 192.168.79.112 netmask ??? gw ???
>
> We own a /24 block of IPs represented here as 192.168.79/24. For
> historical reasons the secure subnet I'm trying to set up here is
> stuck in the middle of the range.
>
> The machines are all plugged into the same switch as well as the
> firewall's fxp1 and xl0. xl0 is to be the secure one and it's set up
> as a vlan. The ports for the secure servers will be tagged as the same
> vlan as xl0 is plugged into.
>
> Here is what I'm wondering:
> a) Is this scheme possible with the netmasks I've defined? It would
> seem that 192.168.79.1 overlaps 192.168.79.120 in terms of netmasks.
> Does FreeBSD simply use the interface with the most restrictive
> netmask?
> b) What netmask and gw should I be using for the secure webserver?
> c) Will routing figure this out automagically or would it need to be
> statically defined? If so, how?
>
> thanks
>
> -Michael
> _________________________________________________________________
> http://fastmail.ca/ - Fast Secure Web Email for Canadians
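The reply's argument rests on two facts: a host's connected routes are matched longest-prefix first, and the first address of a /28 is its network address. The following script, an added example that is not part of the original thread or of FreeBSD's routing code, reproduces that reasoning over the two interface addresses quoted in Michael's message (fxp1 192.168.79.1/24 and xl0 192.168.79.120/28, taken from the netmasks he gave) using Python's standard `ipaddress` module. The route-selection logic is a deliberately simplified model of longest-prefix match, not the FreeBSD kernel's; the second, non-overlapping layout at the bottom is a constructed illustration of what "subnet at the proper boundaries" means, not a recommendation from the list.

```python
import ipaddress

# Interface addresses as quoted in the thread (netmask 0xffffff00 = /24,
# 0xfffffff0 = /28). Constructed from the mail, not read from a live system.
THREAD_PLAN = {
    "fxp1": ipaddress.ip_interface("192.168.79.1/24"),
    "xl0": ipaddress.ip_interface("192.168.79.120/28"),
}

# A constructed alternative that splits the /24 on a clean boundary instead.
# The exact sizes are an assumption for illustration only.
SPLIT_PLAN = {
    "fxp1": ipaddress.ip_interface("192.168.79.1/25"),
    "xl0": ipaddress.ip_interface("192.168.79.129/25"),
}


def connected_routes(interfaces):
    """Connected (network, ifname) pairs, most specific prefix first."""
    routes = [(iface.network, name) for name, iface in interfaces.items()]
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)


def select_route(dest, interfaces):
    """Simplified longest-prefix match: first, most-specific route containing dest."""
    addr = ipaddress.ip_address(dest)
    for net, name in connected_routes(interfaces):
        if addr in net:
            return name, net
    return None, None


def classify(dest, interfaces):
    """Which link a destination is sent to, and whether it is usable as a host there."""
    addr = ipaddress.ip_address(dest)
    name, net = select_route(dest, interfaces)
    if name is None:
        return "no connected route"
    if addr == net.network_address:
        return f"{name}: network address of {net}, not a host"
    if addr == net.broadcast_address:
        return f"{name}: broadcast address of {net}, not a host"
    return f"{name}: host in {net}"


def overlapping_pairs(interfaces):
    """Interface pairs whose connected networks overlap (should be empty)."""
    nets = [(name, iface.network) for name, iface in interfaces.items()]
    pairs = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                pairs.append((nets[i][0], nets[j][0]))
    return pairs


def usable_hosts(ifname, interfaces):
    """Host addresses actually assignable on the given interface's network."""
    return [str(h) for h in interfaces[ifname].network.hosts()]


if __name__ == "__main__":
    print("overlaps in thread plan:", overlapping_pairs(THREAD_PLAN))
    # The secure webserver address from the mail lands on the xl0 /28 and is
    # that subnet's network address, which is the reply's objection.
    for dest in ("192.168.79.112", "192.168.79.113", "192.168.79.127",
                 "192.168.79.50"):
        print(dest, "->", classify(dest, THREAD_PLAN))
    print("xl0 usable hosts:", usable_hosts("xl0", THREAD_PLAN))
    print("overlaps in split plan:", overlapping_pairs(SPLIT_PLAN))
```

Run as-is, it reports the fxp1/xl0 overlap, shows 192.168.79.112 landing on xl0 as the /28's network address (so only .113 through .126 are assignable there), and shows that the constructed /25 split has no overlapping pair to argue about.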