Date:      Thu, 1 Oct 1998 10:49:19 -0500 (CDT)
From:      "Jasper O'Malley" <jooji@webnology.com>
To:        questions@FreeBSD.ORG
Subject:   Re: Firewall with 2 NIC and a NET class C
Message-ID:  <Pine.LNX.4.02.9810011018380.23363-100000@mercury.webnology.com>
In-Reply-To: <Pine.BSF.3.96.981001095955.29413B-100000@servidor.exsocom.com.mx>

On Thu, 1 Oct 1998, Alejandro Galindo Chairez AGALINDO wrote:

> ok, in this case I can set up my outside network like a half class C (mask
> 255.255.255.128) with the next IPs: 208.195.117.1 - 208.195.117.127, and
> the inside net with the IPs 208.195.117.129 - 208.195.117.254.

Actually, the first subnet is 208.195.117.0 - 208.195.117.127, with .0 and
.127 not usable. The second is 208.195.117.128 - 208.195.117.255, with
.128 and .255 not usable.

> Actually, the external router's ethernet port now is 208.195.117.2 with a
> mask /25. Will I need to change the mask here too? And if yes, why does the
> router indicate to me an invalid mask /25? (the router is a CISCO 4000).

A /25 mask is the same thing as 255.255.255.128; it should currently be a
/24 (255.255.255.0). What version of the Cisco IOS are you running? Have
you specified "ip classless" and "ip subnet zero" in your config? If not,
that's probably why it's barking at you. Traditionally, subnet zero and
subnet one (the first and last subnets in a classed network) were
unusable, because the first subnet contains the network address for the
entire network, and the last subnet contains the broadcast address for the
entire network. This leaves no usable addresses in a class C
split in two. Classless routing and VLSM have solved the first problem,
and no-one ever uses the all subnets broadcast anyway :P so the second
problem is moot. Cisco defaults to "traditional" settings, though, so you
need to explicitly tell it you're not using classed networks ("ip
classless"), and you'd like to use subnets zero and one ("ip subnet
zero").

> Other questions:
> 
> 	I think it's possible to connect the firewall directly with the
> Router (without a hub) with a cross cable. Does it work? Or is it necessary to
> use the hub?

A well-constructed crossover cable will do the trick fine. You can,
however, use a hub instead if you have any hosts you want to stick outside
the firewall for any reason.

> 	and how can I set up the routes in the firewall?

1) Turn on IP forwarding by setting gateway_enable="YES" in your rc.conf.

2) Modify the static_routes entry in /etc/rc.conf and add some route
   descriptions.

The rc.conf manpage is a little sketchy on the details, but in general,
you name the routes you're setting up in static_routes, and add a line for
each route you've named as follows:

static_routes="one two three"
route_one="-net 192.168.1.0 192.168.0.1"
route_two="-net 192.168.2.0 -netmask 255.255.255.128 192.168.0.5"
route_three="-net 192.168.2.128 -netmask 255.255.255.128 192.168.0.25"

Each route_* line is passed as an argument to a "route add" command at
startup.

Note that these are *examples* only. They have nothing to do with your
situation. As a matter of fact, I don't think you'll need any static
routes at all, unless you put more than one network behind the firewall.
Just set the defaultrouter in the rc.conf to be the IP address of the
Cisco's ethernet interface. The networks 208.195.117.0/25 and
208.195.117.128/25 will be directly connected. Then be sure to set the
default gateway on the hosts behind the firewall to be the internal IP
address of the firewall.

You'll need a reboot to make the firewall start forwarding packets between
interfaces, or you can do it by hand:

sysctl -w net.inet.ip.forwarding=1

The reboot will also set up your new static routes, or, again, you can do
this by hand without a reboot, with the route add command.

That's the easy stuff, though ;) The real fun is setting up natd and
ipfirewall.

Cheers,
Mick

The Reverend Jasper P. O'Malley          dotdot:jooji@webnology.com
    Systems Administrator                  ringring:asktheadmiral
	Webnology, LLC               woowoo:http://www.webnology.com/~jooji
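The subnet arithmetic and the rc.conf route expansion discussed in the message above, worked through as an added example (not code from the email or from FreeBSD). It splits 208.195.117.0/24 into the two /25s, reports which addresses are the network and broadcast addresses of each half (the ones Mick says are not usable), flags which half is "subnet zero" and which is the all-ones subnet (the ones the Cisco "ip subnet zero" setting is about), and expands a constructed rc.conf fragment into the "route add" commands the startup scripts would run. The rc.conf text is constructed for the example, and the exact expansion rule (one "route add" per named route_* entry, plus "route add default" for defaultrouter) is my reading of the message, not a verified transcript of rc.network.

```python
import ipaddress


def split_network(cidr, new_prefix):
    """Split a network into equal subnets of new_prefix length and report,
    for each, the network address, broadcast address and usable host range.
    hosts() on a /25 excludes the first (.0/.128) and last (.127/.255) address,
    which is exactly what the message describes."""
    net = ipaddress.ip_network(cidr, strict=True)
    result = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())
        result.append({
            "subnet": str(sub),
            "network": str(sub.network_address),
            "broadcast": str(sub.broadcast_address),
            "first_usable": str(hosts[0]),
            "last_usable": str(hosts[-1]),
            "usable_count": len(hosts),
        })
    return result


def classify_subnet(parent_cidr, sub_cidr):
    """Classful-router view of a subnet: the first subnet of the parent is
    'subnet zero' (it holds the parent's network address) and the last is the
    'all-ones subnet' (it holds the parent's broadcast address). A classful
    router rejects both unless told otherwise."""
    parent = ipaddress.ip_network(parent_cidr)
    sub = ipaddress.ip_network(sub_cidr)
    if not sub.subnet_of(parent):
        raise ValueError(f"{sub} is not inside {parent}")
    subs = list(parent.subnets(new_prefix=sub.prefixlen))
    if sub == subs[0]:
        return "subnet zero"
    if sub == subs[-1]:
        return "all-ones subnet"
    return "interior subnet"


# Constructed rc.conf fragment for the example; the route_* values are the
# ones quoted in the message, the defaultrouter is the Cisco's ethernet port.
RC_CONF = """\
gateway_enable="YES"
defaultrouter="208.195.117.2"
static_routes="one two three"
route_one="-net 192.168.1.0 192.168.0.1"
route_two="-net 192.168.2.0 -netmask 255.255.255.128 192.168.0.5"
route_three="-net 192.168.2.128 -netmask 255.255.255.128 192.168.0.25"
"""


def parse_rc_conf(text):
    """Minimal key="value" parser for rc.conf-style shell assignments.
    Comments, blank lines and lines without '=' are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def route_add_commands(conf):
    """Expand defaultrouter and the named static_routes into the 'route add'
    commands run at startup (assumed expansion rule, see lead-in). A name
    listed in static_routes with no matching route_<name> entry is an error."""
    cmds = []
    if conf.get("defaultrouter"):
        cmds.append(f"route add default {conf['defaultrouter']}")
    for name in conf.get("static_routes", "").split():
        args = conf.get(f"route_{name}")
        if args is None:
            raise ValueError(f"static_routes names '{name}' but route_{name} is not set")
        cmds.append(f"route add {args}")
    return cmds


if __name__ == "__main__":
    for half in split_network("208.195.117.0/24", 25):
        print(half, classify_subnet("208.195.117.0/24", half["subnet"]))
    for cmd in route_add_commands(parse_rc_conf(RC_CONF)):
        print(cmd)
```

Running it prints the two halves with usable ranges .1-.126 and .129-.254 (126 hosts each), labels the first "subnet zero" and the second "all-ones subnet", and lists the four route commands; the parser also makes the common misconfiguration visible, since naming a route in static_routes without defining its route_* line raises instead of silently skipping it.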


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
