Date: Sat, 19 Aug 2000 22:56:55 -0700
From: Dan Debertin <airboss@bitstream.net>
To: Todd Backman <todd@flyingcroc.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Routing firewall w/ipfw questions
Message-ID: <Pine.SGI.4.21.0008192238200.11137-100000@copper.air-boss.net>
In-Reply-To: <Pine.BSF.4.21.0008192142110.27579-100000@security1.noc.flyingcroc.net>
First, as this is not exactly security-related, a better forum for this is -net (or -questions, but that list tends to have more questions than answers ;). Now, on to your question:

> Question:
> Is my reasoning flawed in regards to the routing portion of this setup?

Your subnetting plan looks fine to me. One thing that strikes me, though, is that you need to have a router on the external side that knows that your FreeBSD box is the next-hop router for the post-firewall /24. Is there such a router in your setup?

For example, let's say that your firewall's external interface is 1.1.1.6/29, and the internal is 1.1.2.1/24. There should be a router with an interface on the 1.1.1.0/29 subnet that "knows" that 1.1.2.0/24 is reached via 1.1.1.6. In Cisco syntax this would be

    ip route 1.1.2.0 255.255.255.0 1.1.1.6

or via the UNIX "route" command:

    route add -net 1.1.2.0 -netmask 255.255.255.0 1.1.1.6

Also, make sure you have a default gateway on your firewall pointing to that external router. I am also assuming you've done the basic lower-layer checks for link lights, cable integrity, etc.

> Thanks for any help you might provide. Upon successful completion of this
> project I will document all *correct* procedures and post as I have not
> found any documentation on setting ipfw up for protecting an internal /24
> with a different subnet on the outside interface.

We've been doing this successfully for quite some time, so I assure you it's fairly standard ;).

~Dan D.

--
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290
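The return-path requirement described in the reply above (an upstream router on the outside subnet that routes the inside /24 via the firewall's outside address, plus a default route on the firewall back to that router) can be checked before touching any box. The following is an added example, not code from Dan's message or from FreeBSD; it uses the message's 1.1.1.6/29 and 1.1.2.1/24 addressing, while the upstream router address 1.1.1.1 and the function name plan_return_route are constructed assumptions. It generalises to any pair of outside and inside subnets: it validates that the upstream router is actually on-link with the firewall, that the two subnets do not overlap, that no interface sits on a network or broadcast address, and then emits the Cisco and BSD route lines the two devices need.

```python
import ipaddress

# Addressing from the message: firewall outside 1.1.1.6/29, inside 1.1.2.1/24.
# The upstream router address is a constructed assumption; the message never states it.
FIREWALL_EXT = "1.1.1.6/29"
FIREWALL_INT = "1.1.2.1/24"
EXTERNAL_ROUTER = "1.1.1.1"   # assumed, not from the message


def plan_return_route(fw_ext: str, fw_int: str, ext_router: str) -> dict:
    """Check a routed-firewall addressing plan and emit the routes both sides need.

    fw_ext     -- firewall outside interface in CIDR form (e.g. "1.1.1.6/29")
    fw_int     -- firewall inside interface in CIDR form (e.g. "1.1.2.1/24")
    ext_router -- address of the upstream router on the outside subnet

    Returns the route lines (Cisco and BSD syntax) plus a list of problems;
    an empty problem list means the return path can work as planned.
    """
    ext = ipaddress.ip_interface(fw_ext)
    inside = ipaddress.ip_interface(fw_int)
    upstream = ipaddress.ip_address(ext_router)
    problems = []

    # The upstream router must share the firewall's outside link, otherwise it
    # cannot use the firewall's outside address as a next hop at all.
    if upstream not in ext.network:
        problems.append(f"upstream router {upstream} is not on {ext.network}")

    # Outside and inside subnets must not overlap, or the firewall's own
    # connected routes would swallow part of one side's address space.
    if ext.network.overlaps(inside.network):
        problems.append(f"{ext.network} overlaps {inside.network}")

    # Network and broadcast addresses are not usable host addresses on either leg.
    for iface in (ext, inside):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{iface.ip} is not a host address in {iface.network}")

    net, mask = inside.network.network_address, inside.network.netmask
    return {
        # Route the upstream router needs: inside subnet reached via the firewall.
        "cisco": f"ip route {net} {mask} {ext.ip}",
        "bsd": f"route add -net {net} -netmask {mask} {ext.ip}",
        # Default route the firewall itself needs, pointing at the upstream router.
        "firewall_default": f"route add default {upstream}",
        "problems": problems,
    }


if __name__ == "__main__":
    plan = plan_return_route(FIREWALL_EXT, FIREWALL_INT, EXTERNAL_ROUTER)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Run it with the message's addresses and the problem list is empty; swap the upstream router for an address outside 1.1.1.0/29, or give the inside leg a prefix that overlaps the outside one, and the function names the fault instead of emitting routes that would silently never carry return traffic.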