From: max@ecotech.com.lr
To: Chris Knipe
Cc: freebsd-isp@freebsd.org
Subject: Re: Firewall Setup
Date: Thu, 30 May 2002 15:44:14 +0000

I think this is what I am looking for. As soon as I get near those routers,
I will be implementing those changes.

Thanks Chris

Max

Quoting Chris Knipe:

> > ----- Original Message -----
> > From: "Chris Knipe"
> > To: "Max"
> > Sent: Wednesday, May 29, 2002 5:25 PM
> > Subject: Re: Firewall Setup
> >
> > > > My network has other routers, hardware and software. I want just a
> > > > few machines to use this new router instead of the whole network, so
> > > > that even if a client sets this router as his default gateway, he
> > > > will not be able to access the Internet!
> > >
> > > Isn't this more of a static-routing option rather than a firewall? A
> > > firewall will block the packets, meaning that the clients which use
> > > the "wrong" router will have *no* internet access, rather than be
> > > directed towards the right router.
> > >
> > > You can most probably redirect the packets from one firewall to
> > > another, but that's limited to a per-port basis. I think the simplest
> > > solution would just be to re-route certain data from the "wrong"
> > > router to the "right" router.
> > >
> > > route add, if I'm not mistaken.
> > >
> > > So, if you have 10.0.0.0/255.0.0.0 and want 10.0.1.0/24 to be
> > > assigned to router 1, on your router 2 you'll add a static route for
> > > that network, routing it back to router 1.
> >
> > In my terms, here's what I am looking at:
> > I have 172.16.239.0/24 and I would like only 172.16.239.104/29 to
> > access this router.
> >
> > In your terms, what would that look like?
>
> I'm going to presume that Router 1 is on 172.16.239.1 and Router 2 on
> 172.16.239.105.
> The default gateway (next hop) of Router 1 is x.x.x.x and the default
> gateway (next hop) of Router 2 is y.y.y.y.
>
> Router 1 (default that everyone uses) - You have a normal default
> gateway, just as on any other router:
>
> route add 0.0.0.0 0.0.0.0 x.x.x.x
>
> Router 2 (only allowed for 172.16.239.104/29) - The default route routes
> back into your network; the additional subnet routes to the "gateway":
>
> route add 172.16.239.104 255.255.255.248 y.y.y.y
> route add 0.0.0.0 0.0.0.0 172.16.239.1
> --OR--
> route add 0.0.0.0 0.0.0.0 x.x.x.x
>
> I have not tested this, I don't have the resources to. In theory
> something like this should work, however. Play around with it, read
> some fine manuals, it is very possible. I've done something very
> similar on FreeBSD before, re-routing a network via two different
> Internet connections (redundancy type of scenario)....
>
> Some things to keep in mind:
> - Dynamic routing (such as routed, or BGP, RIP, etc.) *WILL* break
>   this, so I'd recommend not doing this if you already use any form of
>   dynamic routing.
> - IP forwarding and that kind of stuff is obviously required.
> - On Router 2, it is also essential (under Linux it is, I don't know if
>   FreeBSD behaves in the same way) that the subnet's route
>   (172.16.239.104/29) comes BEFORE your default route.
>
> --
> me
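The two routing tables sketched in Chris's reply, modelled as an added example that is not part of the thread: a longest-prefix-match lookup over each table plus a hop-by-hop walk from a client's chosen gateway to the upstream hop. Router addresses and the /29 come from the message; the upstream next hops x.x.x.x and y.y.y.y, and the destination 192.0.2.10, are constructed placeholders from the documentation ranges.

```python
"""Simulate the static routes from the thread (added example, not the poster's code)."""
import ipaddress

UPSTREAM_R1 = "198.51.100.1"   # constructed stand-in for x.x.x.x
UPSTREAM_R2 = "203.0.113.1"    # constructed stand-in for y.y.y.y

# Each table is a list of (prefix, next_hop), i.e. the "route add" lines.
ROUTER1 = [("0.0.0.0/0", UPSTREAM_R1)]
ROUTER2 = [
    ("172.16.239.104/29", UPSTREAM_R2),   # route add 172.16.239.104 255.255.255.248 y.y.y.y
    ("0.0.0.0/0", "172.16.239.1"),        # route add 0.0.0.0 0.0.0.0 172.16.239.1
]

# LAN address of each router -> its table; anything not listed here is "off the LAN".
TABLES = {"172.16.239.1": ROUTER1, "172.16.239.105": ROUTER2}


def lookup(table, dst):
    """Next hop for dst, choosing the most specific matching prefix (assumed
    longest-prefix-match semantics); None when no route covers dst."""
    ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def forward_path(gateway, dst, tables=TABLES, max_hops=8):
    """Follow a packet from the client's gateway until it leaves the LAN.
    Returns the list of hops; ends with 'loop' if the routers bounce it around."""
    path, hop = [gateway], gateway
    for _ in range(max_hops):
        if hop not in tables:          # reached an upstream hop, done
            return path
        nxt = lookup(tables[hop], dst)
        if nxt is None:
            return path + ["unreachable"]
        path.append(nxt)
        hop = nxt
    return path + ["loop"]


if __name__ == "__main__":
    print(forward_path("172.16.239.1", "192.0.2.10"))     # via Router 1
    print(forward_path("172.16.239.105", "192.0.2.10"))   # via Router 2
    print(forward_path("172.16.239.105", "172.16.239.110"))
```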