Date: Sun, 2 Jun 2002 13:48:28 -0400 (EDT)
From: "Michael Richards" <michael@fastmail.ca>
To: security@FreeBSD.ORG
Subject: Subnet Security
Message-ID: <3CFA5A6C.000009.72128@ns.interchange.ca>
I've got a firewall and need to set up a subnet so the servers on it have a much more restrictive ruleset than the other subnet. I'm not 100% sure how to do it, but here is the info.

firewall:
  outside fxp0 -> 192.168.72.31 netmask 0xffffffc0 gw 192.168.72.1
  fxp1 -> 192.168.79.1 netmask 0xffffff00
  xl0 -> 192.168.79.120 netmask 0xfffffff0

secure webserver:
  fxp0 -> 192.168.79.112 netmask ??? gw ???

We own a /24 block of IPs, represented here as 192.168.79/24. For historical reasons the secure subnet I'm trying to set up here is stuck in the middle of the range. The machines are all plugged into the same switch as well as the firewall's fxp1 and xl0. xl0 is to be the secure one and it's set up as a VLAN. The ports for the secure servers will be tagged as the same VLAN as xl0 is plugged into.

Here is what I'm wondering:

a) Is this scheme possible with the netmasks I've defined? It would seem that 192.168.79.1 overlaps 192.168.79.120 in terms of netmasks. Does FreeBSD simply use the interface with the most restrictive netmask?

b) What netmask and gw should I be using for the secure webserver?

c) Will routing figure this out automagically, or would it need to be statically defined? If so, how?

thanks
-Michael
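A worked check of the address arithmetic in the question, added here as an example (it is not part of the original message and not FreeBSD code): it expands the hex netmasks into networks, reports which interface networks overlap, resolves a destination by longest prefix match (the rule a routing table applies when two directly connected routes both cover an address, i.e. the most restrictive netmask wins), and flags a host address that lands on its subnet's network or broadcast address. The interface names and addresses are taken from the message; the function names are assumptions of this example.

```python
import ipaddress

# Interfaces exactly as posted in the message: (address, hex netmask).
INTERFACES = {
    "fxp0": ("192.168.72.31", 0xffffffc0),   # outside
    "fxp1": ("192.168.79.1", 0xffffff00),    # general /24
    "xl0": ("192.168.79.120", 0xfffffff0),   # secure VLAN
}

# Constructed sample: the secure web server address from the message.
SECURE_WEBSERVER = "192.168.79.112"


def iface_network(addr, hexmask):
    """Return the network an interface's address/hex-netmask pair belongs to."""
    mask = ipaddress.IPv4Address(hexmask)  # 0xffffff00 -> 255.255.255.0
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def overlapping_interfaces(interfaces):
    """List pairs of interface names whose directly connected networks overlap."""
    nets = {name: iface_network(a, m) for name, (a, m) in interfaces.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def longest_prefix_match(interfaces, dest):
    """Return the interface whose connected network contains dest, preferring
    the longest prefix (most restrictive netmask). None if no network matches."""
    d = ipaddress.IPv4Address(dest)
    best_name, best_net = None, None
    for name, (a, m) in interfaces.items():
        net = iface_network(a, m)
        if d in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_name, best_net = name, net
    return best_name


def address_role(addr, hexmask):
    """Classify addr within its subnet: 'network', 'broadcast' or 'host'.
    Assigning the network or broadcast address to a host is a common misconfiguration."""
    net = iface_network(addr, hexmask)
    a = ipaddress.IPv4Address(addr)
    if a == net.network_address:
        return "network"
    if a == net.broadcast_address:
        return "broadcast"
    return "host"


def usable_host_range(addr, hexmask):
    """Return (first, last) usable host addresses of the subnet as strings."""
    hosts = list(iface_network(addr, hexmask).hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    for name, (a, m) in INTERFACES.items():
        print(f"{name}: {a} -> {iface_network(a, m)}")
    print("overlapping:", overlapping_interfaces(INTERFACES))
    print("route for", SECURE_WEBSERVER, "->", longest_prefix_match(INTERFACES, SECURE_WEBSERVER))
    print(SECURE_WEBSERVER, "on the xl0 subnet is the", address_role(SECURE_WEBSERVER, 0xfffffff0), "address")
    print("usable hosts on xl0 subnet:", usable_host_range("192.168.79.120", 0xfffffff0))
```

The overlap check confirms that the fxp1 /24 fully contains the xl0 /28, and the longest-prefix lookup shows how a destination inside the /28 resolves to xl0 while the rest of the /24 resolves to fxp1; the role check is worth running on every host address before it is configured, since the netmask question in the message determines which addresses in the /28 are actually assignable to hosts.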