Firewall Wizards mailing list archives

Re: ADSL Bridging/Firewall Issues.....


From: Barney Wolff <barney () databus com>
Date: Tue, 18 Dec 2001 01:17:46 -0500

Weird setup.  I can see several ways out:

1. How many of your computers run services that must be accessed from outside? If you're getting DHCP addresses, I'd guess none. Then why are you paying extra (as you surely must be) for more than one real IP address? With a cable/dsl router, well under $100 these days, you can get by with 1 address that the router NATs so all your boxes can initiate traffic, and the ISP will never see inter-machine traffic.

2. If solution 1 can't be used, assign every machine an alias address from the RFC 1918 space, and set up your hostnames so they translate to the private addresses. That way the public addresses will be used only when talking to the Internet - if a program does not specify which source address it wants, the one chosen will be the one on the same subnet as the destination (or ISP router, for Internet targets).

3. Is your ISP really committed to running everything as one flat net? This is the first I've seen of such a setup. My DSL ISP gave (well, rents) me a /29 and a single IP that's bridged to the ISP router's subnet, and I use a FreeBSD box as a normal router, with firewall. The ISP router has a route to my /29 via my single outside address. All my other inside machines point default to the FreeBSD box's inside address.

Barney Wolff
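An added illustration of solution 2 above (not code from the thread or its authors): a small Python model of the source-address rule Barney describes, using the thread's fake 209.53.0.0/18 range, an assumed 192.168.1.0/24 alias subnet and a constructed hosts table. It also flags when a direct ARP lookup lands inside the range the ISP router proxy-ARPs for, which is the case Andrew complains about.

```python
import ipaddress

# Constructed topology modelled on the thread: the ISP router proxy-ARPs for the whole
# flat /18, and each LAN host carries an RFC 1918 alias (192.168.1.0/24 is an assumption).
ISP_PROXY_ARP_RANGE = ipaddress.ip_network("209.53.0.0/18")
DEFAULT_GW = ipaddress.ip_address("209.53.36.254")

# Interface addresses of one LAN host: its public address plus the private alias.
HOST_ADDRS = [
    ipaddress.ip_interface("209.53.36.25/18"),
    ipaddress.ip_interface("192.168.1.25/24"),
]

# Hostnames resolve to the private addresses, as solution 2 prescribes (constructed values).
HOSTS_FILE = {
    "samba.lan": "192.168.1.140",
    "win2k.lan": "192.168.1.74",
}


def resolve(name):
    """Look a name up in the constructed hosts table, or parse it as an address literal."""
    return ipaddress.ip_address(HOSTS_FILE.get(name, name))


def choose_source(dst):
    """Barney's rule: use the address on the destination's subnet if there is one,
    otherwise the address on the default gateway's subnet (and send via the gateway)."""
    for iface in HOST_ADDRS:
        if dst in iface.network:
            return iface.ip, None            # directly connected, no gateway
    for iface in HOST_ADDRS:
        if DEFAULT_GW in iface.network:
            return iface.ip, DEFAULT_GW
    raise RuntimeError("no route to host")


def path(name):
    """Describe the chosen source, the next hop, and whether the next-hop ARP lookup is
    one the ISP router can answer with its own MAC (direct lookup inside its /18)."""
    dst = resolve(name)
    src, gw = choose_source(dst)
    hijackable = gw is None and dst in ISP_PROXY_ARP_RANGE
    return {
        "dst": str(dst),
        "src": str(src),
        "via": "direct" if gw is None else str(gw),
        "arp_answerable_by_isp_router": hijackable,
    }
```

Traffic to a name that resolves to a private alias stays off the ISP router's proxy-ARP range, while the same peer addressed by its public address is still at the router's mercy.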

On 2001.12.17 07:38 Andrew Fremantle wrote:
Okay, I'm sure you've had many ADSL Firewalling questions in here before,
and I've read some of your archives and didn't find anything that matched my
situation properly.

Let me describe my existing (no firewall) setup. IPs are fake, but the range
is right.

There's a hand-drawn diagram available at
http://tempest.yi.org/skyhawk/firewall/network.jpg
Of the four drawings, the two you want to be looking at are "Currently" and
"Proposed"

You can safely ignore the hub in the drawings, it's only there because it's
got a bandwidth meter on it. It serves no function and merely acts as a
pass-through.

ADSL Router - 209.53.0.0/18 -- 209.53.0.0 - 209.53.63.255 I think
All my machines use 209.53.36.254 as the default gw, and have 255.255.192.0
assigned as the netmask.
I believe this means my ISP have supernetted a bunch of class Cs, and then
subnetted it down at their router to reduce IP wastage. I've only ever seen
any of my machines have IPs in the 209.53.36.* and 209.53.37.* range.

ADSL Modem -- Seems to be a bridge, transparent to the network

10Base Stupid Ethernet Switch
Asante FriendlyNet -- Can only remember 32 MACs, but it does the job

Four computers attached to the switch. IPs are on the ASCII-art diagram.
I don't think it really matters, but the OSes are Win2k, Win98, FreeBSD, and
Red Hat Linux. The Linux box isn't really mine, it's just parked on my
connection.

   -------------
  | ADSL Router |
   -------------
         |
   -------------
  | ADSL Modem  |
   -------------
         |
   -------------------------------
  | Switch (All IPs are 209.53.)  |
   -------------------------------
     |       |       |       |
   37.140  36.25   37.125  36.74

Okay, all IPs are dynamically assigned via DHCP.

I've got two problems with this setup :

1) The ADSL Router is doing proxy-arp for the entire IP subnet. Any time one
of my computers wants to talk to another one, it sends an arp who-has asking
for a hardware address. The router hears the request and replies with ITS
OWN MAC address, making all my LAN traffic go over the ADSL link. This
absolutely brutalizes performance.

Currently all 4 computers have scripts that they run on startup, calling the
arp command to statically assign IP-MAC addresses. Any time an IP changes, I
have to go update the bloody scripts.

2) Lack of packet filtering. In particular, I must run Windows Networking
over IP to talk to my Samba server, and I know for a fact this is wide open
on the net.

So? Any suggestions? Currently I've got an additional FreeBSD box up on the
network, acting as a Bridge between my switch and the modem. It has two
interfaces, neither of which is configured for IP, and isn't filtering
(yet). This lets me solve my security issues, but I would like to solve my
ARP issues as well. I can either tell FreeBSD to allow ARP to bridge
(keeping my current problem) or tell it NOT to allow ARP to bridge (breaking
ARP completely). As far as I can determine, there is no way for me to do any
kind of Proxy ARP with Bridging, and the bridge has empty ARP tables.

I'd like to keep full connectivity, except for the stuff I'm going to filter
(like Windows Networking). I'm running multiple servers and I like online
gaming, and NAT is not friendly to either of these options, especially the
gaming. I'm partial to FreeBSD but if it isn't the right tool for the job
I'm willing to experiment with something else.


Sorry for the lengthy post, and if this exact or a very similar scenario has
been discussed elsewhere, please point me to it so I can read up. I am
subscribed to the list, but if you want to reply off band for some reason,
please email me at firewall@at () tempest yi org.

Andrew Fremantle

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
