Mailing List Archive

S.O.S -- Firewall Setup Plan
I need to build a firewall as soon as possible. But I've got a big problem...
In my company, we have 32 IP addresses (actually it is only 29) in our network and one Cisco router that passes our internet traffic.
I plan to put a Unix firewall in my local network to protect my several servers. But I don't know how to configure my network. Do I need to subnet my IP addresses, or can I use the same IP range on both interfaces of my firewall....
The scheme is below:
-------------      -------------      ----------------------
|  Router   | ---- |  Firewall | ---- |   Local Network    |
-------------      -------------      ----------------------
From: Lee
Re: S.O.S -- Firewall Setup Plan [ In reply to ]
Hi,

I think that you can do that.
However, making a subnet could be more secure if your firewall doesn't work properly, couldn't it?

On Tue, Jul 24, 2001 at 04:36:09PM -0400, lee wrote:
> I need to build a firewall as soon as possible. But I've got a big problem...
> In my company, we have 32 IP addresses (actually it is only 29) in our network and one Cisco router that passes our internet traffic.
> I plan to put a Unix firewall in my local network to protect my several servers. But I don't know how to configure my network. Do I need to subnet my IP addresses, or can I use the same IP range on both interfaces of my firewall....
> The scheme is below:
> -------------      -------------      ----------------------
> |  Router   | ---- |  Firewall | ---- |   Local Network    |
> -------------      -------------      ----------------------
> From: Lee
>

--
(o_.' Imobach González Sosa
//\c{} imobachgs@softhome.net
V__)_ a2419@correo.dis.ulpgc.es
osoh on irc-hispano
Linux user #201634
Debian GNU/Linux `Woody' with kernel 2.4.5 on an AMD K7 Athlon

I think there is perhaps a market for five computers.
-- Thomas Watson, president of IBM, 1943 --
RE: S.O.S -- Firewall Setup Plan [ In reply to ]
The problem is that subnetting gets tricky if you're not just splitting in
half, and you lose some addresses when you do that.

The best option is to use internal (192.168.1.x) addresses and have the
firewall do simple SNAT for you. Any machines that then need to be exposed
(e.g. web servers and mail) you can add more NAT rules and IP aliases. This
means that only boxes you want are exposed and all the others look like the
connections come from the firewall.

Another option (which I'm going to try) is 1-1 NAT, i.e. have the firewall
NAT 1.2.3.x to 192.168.1.x where x is the host number in both prerouting
and postrouting (you can use the NETMAP patch for this). Also you need to
have the firewall respond to ARP requests for the internal boxes by adding
aliases to the right network interface. To the outside you then appear to
have a normal network on normal addresses. This is slightly more insecure, as
all the boxes are "exposed" but if the firewall design is good then it
shouldn't be too bad.


-----Original Message-----
From: lee [mailto:lee@thewebbullet.com]
Sent: 24 July 2001 21:36
To: netfilter@lists.samba.org
Subject: S.O.S -- Firewall Setup Plan


I need to build a firewall as soon as possible. But I've got a big
problem...
In my company, we have 32 IP addresses (actually it is only 29) in our network
and one Cisco router that passes our internet traffic.
I plan to put a Unix firewall in my local network to protect my
several servers. But I don't know how to configure my network. Do I
need to subnet my IP addresses, or can I use the same IP range
on both interfaces of my firewall....
The scheme is below:
-------------      -------------      ----------------------
|  Router   | ---- |  Firewall | ---- |   Local Network    |
-------------      -------------      ----------------------
From: Lee
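The two layouts Nigel describes above, written out as an added example that is not part of the thread or of the netfilter project's own documentation. Everything concrete in it is an assumption: the public block 1.2.3.0/27 (router 1.2.3.1, firewall 1.2.3.2 on eth0), the LAN on eth1 with 192.168.1.x, and the constructed list of exposed services. Option A is the RFC1918 plus SNAT/DNAT layout; option B is the 1-1 NETMAP mapping (NETMAP was a patch-o-matic extension in 2001 and has long since been built into iptables), with the firewall holding an alias for every mapped public address so it answers the router's ARP for them. Setting DRY_RUN=1 prints the commands instead of executing them, so the ruleset can be inspected on a machine without root or netfilter.

```shell
#!/bin/sh
# Added example (not from the thread). Firewall between the Cisco router and
# the LAN. Assumed addresses: public block 1.2.3.0/27 (router 1.2.3.1,
# firewall outside 1.2.3.2 on eth0), private LAN 192.168.1.x on eth1.
# DRY_RUN=1 prints the iptables/ip commands instead of running them.
set -eu

PUB_PREFIX=1.2.3
PUB_NET=$PUB_PREFIX.0/27
PRIV_PREFIX=192.168.1
WAN=eth0
LAN=eth1
FW_PUB=$PUB_PREFIX.2                 # firewall's own public address, SNAT source
: "${DRY_RUN:=0}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run iptables "$@"; }

# Host number (0..31) of an address inside the /27; anything else is an error.
host_part() {
  case "$1" in
    "$PUB_PREFIX".*) ;;
    *) echo "not in $PUB_NET: $1" >&2; return 1 ;;
  esac
  h=${1##*.}
  [ "$h" -ge 0 ] 2>/dev/null && [ "$h" -le 31 ] || { echo "bad host: $1" >&2; return 1; }
  echo "$h"
}

# The 1:1 mapping used by the NETMAP option: same host number in both networks.
priv_for_pub() {
  h=$(host_part "$1") || return 1
  echo "$PRIV_PREFIX.$h"
}

common_filter() {
  ipt -F FORWARD
  ipt -P FORWARD DROP                            # default deny both ways
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT   # LAN may initiate outbound
}

# Option A: RFC1918 inside, everything SNATed to the firewall's address, and
# only the listed services exposed with DNAT to a per-service public alias.
# Constructed sample, one "public-ip proto port private-ip" per line.
EXPOSED='
1.2.3.10 tcp 80 192.168.1.10
1.2.3.10 tcp 443 192.168.1.10
1.2.3.11 tcp 25 192.168.1.11
1.2.3.12 udp 53 192.168.1.12
1.2.3.12 tcp 53 192.168.1.12
'
option_a() {
  ipt -t nat -F
  common_filter
  ipt -t nat -A POSTROUTING -o "$WAN" -s "$PRIV_PREFIX.0/24" -j SNAT --to-source "$FW_PUB"
  seen=
  echo "$EXPOSED" | while read -r pub proto port priv; do
    [ -n "$pub" ] || continue
    case " $seen " in                  # one alias per public address
      *" $pub "*) ;;
      *) run ip addr add "$pub/32" dev "$WAN"; seen="$seen $pub" ;;
    esac
    ipt -t nat -A PREROUTING -i "$WAN" -d "$pub" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$priv"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$priv" -p "$proto" --dport "$port" \
        -m state --state NEW -j ACCEPT
  done
}

# Option B: keep the real addresses visible. NETMAP rewrites the whole /27 1:1
# onto 192.168.1.0/27 (same host number) and the firewall claims every mapped
# public address on eth0 so it answers ARP for the boxes behind it. FORWARD
# still decides what reaches each box, matching on the post-NETMAP address.
option_b() {
  ipt -t nat -F
  common_filter
  ipt -t nat -A PREROUTING  -i "$WAN" -d "$FW_PUB" -j ACCEPT   # keep our own address local
  ipt -t nat -A PREROUTING  -i "$WAN" -d "$PUB_NET" -j NETMAP --to "$PRIV_PREFIX.0/27"
  ipt -t nat -A POSTROUTING -o "$WAN" -s "$PRIV_PREFIX.0/27" -j NETMAP --to "$PUB_NET"
  h=3                                  # 0 network, 1 router, 2 firewall, 31 broadcast
  while [ "$h" -le 30 ]; do
    run ip addr add "$PUB_PREFIX.$h/32" dev "$WAN"
    h=$((h + 1))
  done
  ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$(priv_for_pub "$PUB_PREFIX.10")" \
      -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

case "${1:-}" in
  a) option_a ;;
  b) option_b ;;
  *) echo "usage: $0 a|b   (DRY_RUN=1 prints the commands)" >&2 ;;
esac
```

Two details matter in option B. The firewall's own public address has to be excluded from the PREROUTING NETMAP (the nat ACCEPT rule before it), otherwise traffic to 1.2.3.2 would be rewritten to 192.168.1.2 and forwarded into the LAN instead of being delivered locally. And because NAT happens before filtering, the FORWARD rules match on the private 192.168.1.x address, not the public one the outside sees.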
Re: S.O.S -- Firewall Setup Plan [ In reply to ]
Thanks for your suggestion. But I have 32 real IP addresses, and 15
workstations and 4 servers (web, mail, DNS) in my local network.
I wonder how I can build a firewall in front of my network while keeping all the 'real'
IP addresses. The reason is that I host around 50 web sites on 20 IP
addresses and I don't want to change any of their addresses...
----- Original Message -----
From: Nigel Morse <N.Morse@hyperknowledge.com>
To: 'lee' <lee@thewebbullet.com>; <netfilter@lists.samba.org>
Sent: Wednesday, July 25, 2001 3:50 AM
Subject: RE: S.O.S -- Firewall Setup Plan


> The problem is that subnetting gets tricky if you're not just splitting in
> half, and you lose some addresses when you do that.
>
> The best option is to use internal (192.168.1.x) addresses and have the
> firewall do simple SNAT for you. Any machines that then need to be exposed
> (e.g. web servers and mail) you can add more NAT rules and IP aliases. This
> means that only boxes you want are exposed and all the others look like
> the connections come from the firewall.
>
> Another option (which I'm going to try) is 1-1 NAT, i.e. have the firewall
> NAT 1.2.3.x to 192.168.1.x where x is the host number in both prerouting
> and postrouting (you can use the NETMAP patch for this). Also you need to
> have the firewall respond to ARP requests for the internal boxes by adding
> aliases to the right network interface. To the outside you then appear to
> have a normal network on normal addresses. This is slightly more insecure,
> as all the boxes are "exposed" but if the firewall design is good then it
> shouldn't be too bad.
>
>
> -----Original Message-----
> From: lee [mailto:lee@thewebbullet.com]
> Sent: 24 July 2001 21:36
> To: netfilter@lists.samba.org
> Subject: S.O.S -- Firewall Setup Plan
>
>
> I need to build a firewall as soon as possible. But I've got a big
> problem...
> In my company, we have 32 IP addresses (actually it is only 29) in our network
> and one Cisco router that passes our internet traffic.
> I plan to put a Unix firewall in my local network to protect my
> several servers. But I don't know how to configure my network. Do I
> need to subnet my IP addresses, or can I use the same IP range
> on both interfaces of my firewall....
> The scheme is below:
> -------------      -------------      ----------------------
> |  Router   | ---- |  Firewall | ---- |   Local Network    |
> -------------      -------------      ----------------------
>
> From: Lee