Date:      Thu, 30 May 2002 15:44:14 +0000
From:      max@ecotech.com.lr
To:        Chris Knipe <savage@savage.za.org>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: Firewall Setup
Message-ID:  <1022773454.3cf648ce0fa88@mail.ecotech.com.lr>
In-Reply-To: <008401c20762$e40ad5e0$0101a8c0@megalan.co.za>
References:  <Pine.BSF.4.21.0205291657050.295-100000@park.rambler.ru> <005201c20714$220071b0$04ef10ac@wireless> <009201c20736$1b604e80$0101a8c0@megalan.co.za> <001201c2074f$c3076dd0$04ef10ac@wireless> <008401c20762$e40ad5e0$0101a8c0@megalan.co.za>

I think this is what I am looking for. As soon as I get near those routers, I 
will be implementing those changes.

Thanks Chris

Max
Quoting Chris Knipe <savage@savage.za.org>:

> > ----- Original Message -----
> > From: "Chris Knipe" <savage@savage.za.org>
> > To: "Max" <max@ecotech.com.lr>; <freebsd-isp@freebsd.org>
> > Sent: Wednesday, May 29, 2002 5:25 PM
> > Subject: Re: Firewall Setup
> >
> >
> > > > My network has other routers, hardware and software. I want just a few
> > > > machines to use this new router instead of the whole network, so that
> > > > even if a client sets this router as his default gateway, he will not
> > > > be able to access the Internet!
> > >
> > > Isn't this more of a static-routing option rather than a firewall?  A
> > > firewall will block the packets, meaning that the clients which use the
> > > "wrong" router will have *no* internet access, rather than be directed
> > > towards the right router.
> > >
> > > You can most probably redirect the packets from one firewall to another,
> > > but that's limited to a per-port basis.  I think the simplest solution
> > > would just be to re-route certain data from the "wrong" router to the
> > > "right" router:
> > >
> > > route add <network> <mask> <gateway>   if I'm not mistaken.
> > >
> > > So, if you have 10.0.0.0/255.0.0.0 and want 10.0.1.0/24 to be assigned
> > > to router 1, on your 2 you'll add a static route for that network,
> > > routing it back to router 1.
> > >
> > In my terms, here's what I am looking at:
> > I have 172.16.239.0/24 and I would like only 172.16.239.104/29 to access
> > this router.
> >
> > In your terms, what would that look like?
> 
> 
> I'm going to presume that Router 1 is on 172.16.239.1 and Router 2 on
> 172.16.239.105.
> The default gateway (next hop) of Router 1 is x.x.x.x and the default
> gateway (next hop) of Router 2 is y.y.y.y.
> 
> 
> 
> Router 1 (Default that everyone uses) - You have a normal default gateway,
> just as any other router:
> 
> route add 0.0.0.0 0.0.0.0 x.x.x.x
> 
> 
> Router 2 (Only allowed by 172.16.239.104/29) - Default route routes back
> into your network, the additional subnet routes to the  "gateway".
> 
> route add 172.16.239.104 255.255.255.248 y.y.y.y
> route add 0.0.0.0 0.0.0.0 172.16.239.1
>   --OR--
> route add 0.0.0.0 0.0.0.0 x.x.x.x
> 
> 
> I have not tested this, I don't have the resources to.  In theory something
> like this should work however.  Play around with it, read some fine manuals,
> it is very possible. I've done something very similar on FreeBSD before
> re-routing a network via two different Internet connections (redundancy type
> of scenario)....
> 
> Some things to keep in mind:
> - Dynamic routing (such as routed, or BGP, RIP, etc) *WILL* break this, so
> I'd recommend not doing this if you already use any form of dynamic routing.
> - IP forwarding and that kind of stuff is obviously required.
> - On Router 2, it is also essential (under Linux it is, I don't know if
> FreeBSD behaves in the same way) that the subnet's route (172.16.239.104/29)
> comes BEFORE your default route.
> 
> 
> --
> me
> 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
> 

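A small model of how the two routing tables Chris lists decide a next hop, added here as an illustration and not part of the thread or of FreeBSD's route(8). x.x.x.x and y.y.y.y are placeholders in the mail, so the example uses constructed documentation-range addresses for them, and Router 2 is taken to be 172.16.239.105 as presumed above.

```python
import ipaddress

# Added example, not from the thread. The upstream gateways x.x.x.x and
# y.y.y.y are placeholders in the mail; the stand-ins below are constructed
# from the documentation address ranges.
X_UPSTREAM_R1 = "198.51.100.1"   # x.x.x.x, next hop of Router 1
Y_UPSTREAM_R2 = "203.0.113.1"    # y.y.y.y, next hop of Router 2

# Each table: (destination prefix, next hop), in "route add" order.
ROUTER1 = [("0.0.0.0/0", X_UPSTREAM_R1)]
ROUTER2 = [
    ("172.16.239.104/29", Y_UPSTREAM_R2),   # the allowed /29
    ("0.0.0.0/0", "172.16.239.1"),          # everything else back to Router 1
]
# Router addresses as presumed in the mail.
ROUTERS = {"172.16.239.1": ROUTER1, "172.16.239.105": ROUTER2}


def next_hop(table, dst):
    """Pick the next hop by longest-prefix match on the destination address.
    The most specific route wins, whatever position it holds in the table."""
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def forwarding_path(entry_router, dst, max_hops=8):
    """Follow a packet from the router a client uses as its gateway until it
    is handed to an upstream we do not model; stop on a routing loop."""
    path = [entry_router]
    hop = entry_router
    while hop in ROUTERS:
        hop = next_hop(ROUTERS[hop], dst)
        if hop is None or hop in path or len(path) >= max_hops:
            raise RuntimeError(f"no route or loop for {dst}: {path}")
        path.append(hop)
    return path


if __name__ == "__main__":
    # Traffic to the Internet entering Router 2 is bounced to Router 1 and
    # then to x.x.x.x; traffic to the /29 leaves Router 2 toward y.y.y.y.
    print(forwarding_path("172.16.239.105", "8.8.8.8"))
    print(forwarding_path("172.16.239.105", "172.16.239.106"))
```

Routes are matched on the destination address, so the model also shows that the choice does not depend on the order the two `route add` lines were entered: the /29 wins over the default route because it is the longer prefix.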



-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/