Firewall Wizards mailing list archives

RE: Firewall on the same subnet

From: "Kehoe, Anthony" <AKehoe () hsdinc com>
Date: Sat, 4 Nov 2000 20:26:49 -0600

Hi there,

I think one question is whether your internal machines are going to have
valid internet addresses, or protected-network addresses. If you have a
class C assigned from your ISP, and want to give all your machines valid IP
addresses but behind a firewall, then one thing you might want to look at is
a bridging firewall with a linux box and two network cards. With some kernel
patches to the bridging code, you are able to bridge two interfaces but also
firewall, using IPCHAINS, traffic crossing the bridge. In effect, it allows
you to have the firewall as a router, with the exception that it isn't
routing. Consider:

Internet -----> ADSL modem ------> firewall -------> hub ---------> machines

Traffic, however, will not know the firewall is even there, as it does not
need to be set up as a router. All machines behind the firewall can either
use the firewall IP address, or the ADSL modem IP address. Since the
firewall is bridging, to all intents and purposes the connection looks like:

Internet -----> ADSL modem ------------------------> hub ---------> machines

If you want to have a DMZ setup, like:

Internet -----> ADSL modem ------> firewall 1 -------> hub ---------> machines
                                      |
                                      |
                                      |
                                      -----> firewall 2 ----------> hub ----------> internal machines

Then you get two levels of firewall. Of course, you don't even have to have
firewall 2 in there if you don't want to, as firewall 1 can also NAT the
internal machine addresses, but you might want the extra security.

The benefit of the bridging firewall setup is that you get to keep ALL your
class-c addresses for use on hosts in the DMZ without having to subnet
anything. You can subnet, and use a standard linux router, but you do lose
some addresses. The bridge alleviates this problem. In addition, since the
ADSL modem is directly connected into the firewall, and the firewall is
connected to the hub in series, there's no way of getting to the machines
behind the firewall except by going through it. I haven't tried it, but I
believe that with the linux bridging router, you can even take the IP
address off the bridge. In effect, this makes the linux box totally
invisible. It doesn't even have an IP address, thus impossible to hack from
the outside. You just have to keep up to date with any kernel difficulties
or TCP/IP stack denials, and you're set.

If you want all your machines to have protected-net IP addresses, then it's
easier. Just install linux and read the firewall-HOWTO and see what it says
about setting up IPCHAINS in a NAT environment. 

Regards,
Anthony Kehoe
Network Analyst
AKehoe () hsdinc com
414.257.9900 x118
Heartland Software Development, Inc.
2525 N. Mayfair Road, Suite 300
Milwaukee, Wisconsin  53226
http://www.HSDInc.com
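The IP-less bridging firewall described above, as an added example that is not from the original post: it uses the bridge support of a current Linux kernel with iptables and the physdev match (the successor of the ipchains bridge patches mentioned in the reply). The interface names eth0/eth1, the bridge name and the published DMZ ports are assumptions; with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Transparent bridging firewall: two NICs bridged, no IP address on the box,
# filtering done in the iptables FORWARD chain via br_netfilter + physdev.
# Assumed names (example only): eth0 faces the ADSL modem, eth1 faces the hub.
OUTSIDE=${OUTSIDE:-eth0}
INSIDE=${INSIDE:-eth1}
BRIDGE=${BRIDGE:-br0}
DRY_RUN=${DRY_RUN:-1}      # 1 = print commands only; 0 = execute (requires root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$OUTSIDE" master "$BRIDGE"
    run ip link set "$INSIDE" master "$BRIDGE"
    for dev in "$OUTSIDE" "$INSIDE" "$BRIDGE"; do run ip link set "$dev" up; done
    # Deliberately no 'ip addr add' on the bridge: the box has no address on
    # the wire, so it is managed from the console only.
    run modprobe br_netfilter                      # kernels >= 3.18; built in before
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

filter_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Hosts behind the bridge may initiate anything toward the Internet.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" -j ACCEPT
    # From the Internet, only the services the DMZ hosts publish (assumed: web and SMTP).
    for port in 80 443 25; do
        run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" --physdev-out "$INSIDE" \
            -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

build_bridge
filter_rules
```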

-----Original Message-----
From: Ivo Janssen [mailto:ivo () ivo nu]
Sent: Thursday, November 02, 2000 7:37 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Firewall on the same subnet

I have a question about building a firewall that has both interfaces
in 1 subnet. 

I've read a thread on the debian-firewall list (see
http://lists.debian.org/debian-firewall-0010/msg00028.html ), but I
think my situation is a little different.

In my case, an incoming ADSL line delivers a UTP cable that outputs
traffic for our whole assigned class C subnet (let's say 1.1.1.x).
Normally, I would just plug that into a switch and connect the 256
machines to it. But I want to put a firewall in between.

So my situation will be: (scenario 1)

  ADSL-ISP ----- DSLAM-port -----  firewall ---- internal network
                             
       <- external networks ->|<- 1.1.1.x network ->
                  
How do I route this in a good way, without resorting to going a level
beneath IP and getting into stuff like MAC, bridge, ARP?

People keep telling me this is possible, and they give me the
following situation: (scenario 2)

  DIALUP-ISP  --- ISDN line --- Ascend router --- internal network

      <- external networks ->|<- 1.1.1.x network ->

This is a situation we actually have at this point, where the Ascend
router actually acts as a router, with IP address 1.1.1.1, and the rest
of the network sets 1.1.1.1 as default gateway.
Can I, in scenario 1, just set the outer NIC to, say 1.1.1.1 and the
inner NIC to 1.1.1.2 and put 1.1.1.2 as default gateway on my
internal net? Or should I just assign 1 IP to the whole fw-box?
I keep on reading scenario 1 is so different from scenario 2 that
scenario 2 can use "normal" routing, but scenario 1 needs hacks like
Proxy ARP.

The one thing I do not want is to resort to routing IP packets at the MAC
level with Proxy ARP; it just comes across to me as a hack.

Please, could someone tell me what the exact difference between
scenarios 1 and 2 is, and what I should use if I want to make our
internal network a fully routed part of the internet.

Sincerely,

Ivo

--
+---------------------------------------------------------------------
| IVO JANSSEN - ivo at ricardis.tudelft.nl - http://ivo.nu/
| Delft University of Technology - the Netherlands
| finger ivo at server.ricardis.tudelft.nl for PGP and more info
| Part of the world's largest computer: http://www.distributed.net/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards