From: Benedikt Stockebrand
To: Cliff Addy
Cc: questions@FreeBSD.ORG, isp@FreeBSD.ORG
Subject: Re: FreeBSD firewall questions
Date: 11 Feb 1998 22:41:35 +0100
In-Reply-To: Cliff Addy's message of "Wed, 11 Feb 1998 08:48:40 -0500 (EST)"
Message-ID: <87en19vmy8.fsf@devnull.ruhr.de>

Cliff Addy writes:

> - I think we have to change the default gateway of all our systems to the
>   firewall box, is that correct?  Currently, they use the router.

Yes, if you mean the internal address of the firewall/router box, but...

> - We have 4 class C networks in our internal systems.  Let's assume we
>   assign 100.100.100.100 to the "inside" nic on the firewall box and
>   100.100.100.101 to the "outside" nic, while the router's ip is
>   100.100.100.1.  Does this routing on the firewall box look right?

Not really.  A router is usually connected to two (or more) networks.
What you're doing right now is connecting it twice to the same network
100.100.100.*, at least from the IP address point of view, which is not
exactly your intention.

You'll need several networks:

Network 1:   Between your ISP/NSP and your router.
Network 2:   Between your router and your packet filter.
Network 3-n: Your internal network(s).  Possibly you have a
             perimeter/DMZ network with application proxies and/or
             outbound servers like FTP or WWW servers.

The important thing is that you use Network 3-n addresses within
Network 2.  No good.

You may consider spending a whole class C network for that, use a
NAT/RFC1918 network address (192.168.*.*) or subnet one of your
networks 3-n and use one of the subnets for the net between router and
packet filter.

The first solution is the "clean" one, but may require another
registered class C, so it's not exactly perfect.  The second solution
should work fine if your router lets you use those NAT addresses.  The
third is a bit tricky; I wouldn't consider it unless the other two
solutions didn't work.  If you try, make sure you get the network and
broadcast addresses right.  And of course there's always the solution I
missed...

> - set static network routes to the internal class C networks
>     route add -net 100.100.100.0 -interface 100.100.100.100
>     route add -net 100.100.101.0 -interface 100.100.100.100
>     route add -net 100.100.102.0 -interface 100.100.100.100
>     route add -net 100.100.103.0 -interface 100.100.100.100

You can probably simplify things if you use a specific netmask.  This
may speed things up a bit.  Try something like

    # route add -net 100.100.100.0 -netmask 255.255.252.0 \
          -interface 100.100.100.100

(not tested and I'm a bit out of practice with the syntax, so YMMV).
> - set a static route to the router's ip address
>     route add 100.100.100.1 100.100.100.101
>
>   or does this need to be
>     route add 100.100.100.1 -interface 100.100.100.101

This is where things get messy because you're overriding the network
route(s) above with a host route.  The most ugly part about it is that
internal machines can't reach the router itself anymore --- they can
send things through it, but they can't even ping it to see if it's up.
They'll always complain about a "host is down" or similar.

Sorry I can't really tell about the proper routing syntax --- it's been
about three or four years since I last did anything serious about this
on FreeBSD (and then we used dynamic routing).

> - In order to connect the outside nic of the firewall directly to the
>   router, don't we need a "special" cable, the cat-5 equivalent of a
>   null-modem cable?

You can use a proper hub instead.  It is also possible to build a
null-hub cable, but I don't remember which wires to cross.  Sorry,
maybe some hardware fraggle knows?

    Ben

-- 
Ben(edikt)? Stockebrand     Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for advertising
purposes.  Any sender of unsolicited advertisement e-mail to this address
implicitly agrees to pay a DM 500 fee to the recipient for proofreading services.
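The three checks Ben's reply turns on (is the proposed netmask a real contiguous mask, can the four class C routes collapse into one, and do the two firewall NICs land on the same IP network) worked through as an added Python example that is not part of this thread. It assumes the addresses from Cliff's question and uses only the standard ipaddress module; the carve_link_subnet helper is a hypothetical name for the "subnet one of your networks" option.

```python
import ipaddress

# Constructed sample values taken from the thread: four class C networks and
# the two firewall interface addresses Cliff proposed.
INTERNAL_NETS = ["100.100.100.0/24", "100.100.101.0/24",
                 "100.100.102.0/24", "100.100.103.0/24"]
INSIDE_NIC, OUTSIDE_NIC = "100.100.100.100", "100.100.100.101"


def valid_netmask(mask: str) -> bool:
    """True only for a contiguous mask; a mask with a hole in its bit
    pattern (e.g. 255.255.251.0) is rejected by ipaddress."""
    try:
        ipaddress.IPv4Network(("0.0.0.0", mask))
    except ValueError:
        return False
    return True


def aggregate_routes(nets):
    """Collapse the given prefixes into the fewest covering networks and
    return (network, netmask) pairs for 'route add -net NET -netmask MASK'.
    Non-aligned blocks stay separate instead of being merged wrongly."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    return [(str(n.network_address), str(n.netmask))
            for n in ipaddress.collapse_addresses(parsed)]


def on_same_link(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when two interface addresses fall in one IP network, i.e. the
    router is 'connected twice to the same network' Ben warns about."""
    a = ipaddress.ip_interface(f"{addr_a}/{mask}").network
    b = ipaddress.ip_interface(f"{addr_b}/{mask}").network
    return a == b


def carve_link_subnet(net: str, prefixlen: int = 30):
    """Take the first /prefixlen out of a class C for the router-to-filter
    link and report its network, usable hosts and broadcast address."""
    sub = next(ipaddress.ip_network(net).subnets(new_prefix=prefixlen))
    return {"network": str(sub.network_address),
            "hosts": [str(h) for h in sub.hosts()],
            "broadcast": str(sub.broadcast_address)}


if __name__ == "__main__":
    print(valid_netmask("255.255.251.0"), valid_netmask("255.255.252.0"))
    print(aggregate_routes(INTERNAL_NETS))
    print(on_same_link(INSIDE_NIC, OUTSIDE_NIC, "255.255.255.0"))
    print(carve_link_subnet("100.100.103.0/24"))
```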