Firewall Wizards mailing list archives
Re: ADSL Bridging/Firewall Issues.....
From: Barney Wolff <barney () databus com>
Date: Tue, 18 Dec 2001 01:17:46 -0500
Weird setup. I can see several ways out:

1. How many of your computers run services that must be accessed from outside? If you're getting DHCP addresses, I'd guess none. Then why are you paying extra (as you surely must be) for more than one real IP address? With a cable/dsl router, well under $100 these days, you can get by with 1 address that the router NATs so all your boxes can initiate traffic, and the ISP will never see inter-machine traffic.
2. If solution 1 can't be used, assign every machine an alias address from the RFC 1918 space, and set up your hostnames so they translate to the private addresses. That way the public addresses will be used only when talking to the Internet - if a program does not specify which source address it wants, the one chosen will be the one on the same subnet as the destination (or ISP router, for Internet targets).
3. Is your ISP really committed to running everything as one flat net? This is the first I've seen of such a setup. My DSL ISP gave (well, rents) me a /29 and a single IP that's bridged to the ISP router's subnet, and I use a FreeBSD box as a normal router, with firewall. The ISP router has a route to my /29 via my single outside address. All my other inside machines point default to the FreeBSD box's inside address.
Barney Wolff

On 2001.12.17 07:38 Andrew Fremantle wrote:

Okay, I'm sure you've had many ADSL Firewalling questions in here before, and I've read some of your archives and didn't find anything that matched my situation properly. Let me describe my existing (no firewall) setup. IPs are fake, but the range is right.

There's a hand-drawn diagram available at http://tempest.yi.org/skyhawk/firewall/network.jpg Of the four drawings, the two you want to be looking at are "Currently" and "Proposed". You can safely ignore the hub in the drawings, it's only there because it's got a bandwidth meter on it. It serves no function and merely acts as a pass-through.

ADSL Router - 209.53.0.0/18 -- 209.53.0.0 - 209.53.63.255 I think. All my machines use 209.53.36.254 as the default gw, and have 255.255.192.0 assigned as the netmask. I believe this means my ISP have supernetted a bunch of class Cs, and then subnetted it down at their router to reduce IP wastage. I've only ever seen any of my machines have IPs in the 209.53.36.* and 209.53.37.* range.

ADSL Modem -- Seems to be a bridge, transparent to the network

10Base Stupid Ethernet Switch Asante FriendlyNet -- Can only remember 32 MACs, but it does the job

Four computers attached to the switch. IPs are on the ASCII-art diagram. I don't think it really matters, but the OSes are Win2k, Win98, FreeBSD, and Red Hat Linux. The Linux box isn't really mine, it's just parked on my connection.

        ---------------
        | ADSL Router |
        ---------------
               |
        ---------------
        | ADSL Modem  |
        ---------------
               |
   ---------------------------------------
   | Switch       (All IPs are 209.53.)  |
   ---------------------------------------
       |         |         |         |
     37.140    36.25     37.125    36.74

Okay, all IPs are dynamically assigned via DHCP. I've got two problems with this setup:

1) The ADSL Router is doing proxy-arp for the entire IP subnet. Any time one of my computers wants to talk to another one, it sends an arp who-has asking for a hardware address. The router hears the request and replies with ITS OWN MAC address, making all my LAN traffic go over the ADSL link. This absolutely brutalizes performance. Currently all 4 computers have scripts that they run on startup, calling the arp command to statically assign IP-MAC addresses. Any time an IP changes, I have to go update the bloody scripts.

2) Lack of packet filtering. In particular, I must run Windows Networking over IP to talk to my Samba server, and I know for a fact this is wide open on the net.

So? Any suggestions? Currently I've got an additional FreeBSD box up on the network, acting as a Bridge between my switch and the modem. It has two interfaces, neither of which is configured for IP, and isn't filtering (yet). This lets me solve my security issues, but I would like to solve my ARP issues as well. I can either tell FreeBSD to allow ARP to bridge (keeping my current problem) or tell it NOT to allow ARP to bridge (Breaking ARP completely). As far as I can determine, there is no way for me to do any kind of Proxy ARP with Bridging, and the bridge has empty ARP tables. I'd like to keep full connectivity, except for the stuff I'm going to filter (Like Windows Networking). I'm running multiple servers and I like online gaming, and NAT is not friendly to either of these options, especially the gaming. I'm partial to FreeBSD but if it isn't the right tool for the job I'm willing to experiment with something else.

Sorry for the lengthy post, and if this exact or a very similar scenario has been discussed elsewhere, please point me to it so I can read up. I am subscribed to the list, but if you want to reply off band for some reason, please email me at firewall@at () tempest yi org.

Andrew Fremantle

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
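Problem 1 in the thread (the ISP router answering ARP for every neighbour on the /18, so host-to-host traffic leaves over the ADSL link) can be confirmed from the ARP table alone: every LAN host that resolves to the gateway's MAC is being proxied. The script below is an added example, not code from either poster. It parses `arp -an`-style output (the sample lines are constructed, in the same fake 209.53.0.0/18 range the post uses, with made-up MACs), flags hosts inside the LAN prefix whose MAC equals the gateway's, and separately lists any MAC that answers for more than one IP, which is the generic symptom of both proxy ARP and ARP spoofing.

```python
"""Detect proxy-ARP (or ARP-spoof) symptoms from an ARP table dump."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of FreeBSD `arp -an` output.
# 209.53.36.254 is the ISP gateway; three entries share its MAC, which is
# the proxy-ARP symptom described in the thread. MACs are made up.
SAMPLE_ARP = """\
? (209.53.36.254) at 00:50:ba:aa:bb:cc on xl0 expires in 1195 seconds [ethernet]
? (209.53.37.140) at 00:50:ba:aa:bb:cc on xl0 expires in 1042 seconds [ethernet]
? (209.53.36.25) at 00:50:ba:aa:bb:cc on xl0 expires in 988 seconds [ethernet]
? (209.53.37.125) at 00:a0:c9:12:34:56 on xl0 permanent [ethernet]
? (209.53.36.74) at 0:e0:29:65:43:21 on xl0 permanent [ethernet]
"""

# Matches "(ip) at mac" regardless of the trailing interface/expiry text.
ARP_LINE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]+)")


def normalise_mac(mac):
    """Lower-case and zero-pad each octet so '0:e0:29:...' and '00:e0:29:...' compare equal."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_arp(text):
    """Return {ip: mac} for every parsable line of arp -an style output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = normalise_mac(m.group("mac"))
    return table


def proxied_hosts(table, gateway_ip, lan_net):
    """IPs inside lan_net (other than the gateway itself) whose MAC is the gateway's.

    Such an entry means the router, not the neighbour, answered the ARP query,
    so traffic to that neighbour is going out over the ADSL link instead of
    staying on the switch.
    """
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        raise ValueError(f"gateway {gateway_ip} not present in ARP table")
    net = ipaddress.ip_network(lan_net)
    return sorted(
        ip for ip, mac in table.items()
        if ip != gateway_ip and ipaddress.ip_address(ip) in net and mac == gw_mac
    )


def shared_macs(table):
    """Map each MAC that answers for more than one IP to the sorted list of those IPs.

    One MAC behind many IPs is the generic signature of proxy ARP; it is also
    what an ARP-spoofing host looks like, so it is worth alerting on either way.
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    for ip in proxied_hosts(table, "209.53.36.254", "209.53.0.0/18"):
        print(f"proxied by gateway: {ip}")
    for mac, ips in shared_macs(table).items():
        print(f"{mac} answers for {', '.join(ips)}")
```

On a live box, feed it the real output of `arp -an` instead of `SAMPLE_ARP`; any host it reports is one whose static ARP entry (the startup scripts the poster mentions) has gone stale or is missing.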