[ale] Firewall design

Jerald Sheets jsheets at yahoo.com
Tue May 31 16:44:21 EDT 2005


I do that with my IPCop firewall (www.ipcop.org)...

It uses your primary ethernet (IPs removed for safety):

eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX
          inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:37973138 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31729095 errors:0 dropped:0 overruns:0 carrier:0
          collisions:4922 txqueuelen:1000
          RX bytes:502443111 (479.1 Mb)  TX bytes:1688004962 (1609.8 Mb)
          Interrupt:5 Base address:0x250 Memory:c0000-c2000

It aliases the rest of the IPs I was given by Speedfactory, and IPCop
answers for all of them.  I then use ipfw to send the two DNS servers
to the right internal boxes, and whatever is on my DMZ.  When
configured, those look like so:


eth1:0    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
          inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:5 Base address:0x250 Memory:c0000-c2000

eth1:1    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
          inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:5 Base address:0x250 Memory:c0000-c2000

eth1:2    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
          inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:5 Base address:0x250 Memory:c0000-c2000

eth1:3    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
          inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:5 Base address:0x250 Memory:c0000-c2000

The inet address in each case is one of the 5 consecutives given me
by SF.

As you can probably tell at this point, I'm a huge proponent of  
IPCop.  It's easy to set up, and uses commodity hardware.  I love it.



Jerald M. Sheets jr.
Sr. UNIX Systems Administrator
McKesson, Inc.
404.293.8762


On May 31, 2005, at 3:30 PM, Christopher Fowler wrote:

> Typically all the firewalls that I've used have been the MASQ type.
> I've received one public IP address and placed that on eth0 and eth1 is
> a private on a 192.168.2.X.
>
> I am looking at expanding the number of public IPs from 1 to 5. I have
> a question as to how this is configured. If my GDuo from SF connects via
> a crossover cable to my firewall how do I get the remaining 4 public
> IPs available to the other devices?  Do I somehow make them available
> on eth1?
>
> One setup I'm looking at is colocating some servers at E-Deltacomm.  They
> will give me 16 public IPs and I want them to only go through one Linux
> firewall.  This was easy when that firewall was also the gateway.
>
> I guess when I do get the 16 IPs they'll give me the gw address, the
> subnet mask and network address.  I could simply plug their network
> cable into a Cisco switch and then have 16 servers attached to it, but then
> they would all be vulnerable to the public network.  Is there a way I
> can plug a Linux box between E-Deltacomm and my Cisco switch and have it
> do filtering but not have an IP address on either eth0 or eth1?  This
> could be an invisible inline firewall thingy :)
>
> Chris
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
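The aliasing and forwarding Jerald describes, plus the address-less inline filter Chris asks about, as an added shell example that is not part of either message and is not IPCop's own configuration. It uses iproute2 and iptables rather than the ipfw named in the reply; the interface names, the 192.0.2.8/29 block and the 192.168.2.x internal hosts are constructed placeholders standing in for the masked addresses above.

```shell
#!/bin/sh
# Added example, not from the post or from IPCop: alias the extra addresses of a
# small public block on the external NIC and DNAT chosen addresses to internal
# hosts, as the reply describes for the DNS servers and DMZ. The interface
# names, the 192.0.2.8/29 block and the 192.168.2.x hosts are constructed
# placeholders. DRY_RUN=1 (default) only prints each command; DRY_RUN=0 runs it.

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Dotted quad <-> 32-bit integer, so a CIDR block can be walked arithmetically.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# usable_hosts A.B.C.D/P: every address in the block except network and broadcast
# (for a /29 that is 6 addresses, whichever address of the block is passed in).
usable_hosts() {
  local net=${1%/*} prefix=${1#*/} size base i
  size=$(( 1 << (32 - prefix) ))
  base=$(( $(ip_to_int "$net") & ~(size - 1) & 0xFFFFFFFF ))
  i=1
  while [ "$i" -lt $(( size - 1 )) ]; do
    int_to_ip $(( base + i ))
    i=$(( i + 1 ))
  done
}

# alias_block IFACE CIDR PRIMARY: add each usable address except PRIMARY (already
# on IFACE) as a labelled alias, giving the eth1:0, eth1:1, ... seen in ifconfig.
alias_block() {
  local iface=$1 cidr=$2 primary=$3 prefix=${2#*/} n=0 addr
  for addr in $(usable_hosts "$cidr"); do
    [ "$addr" = "$primary" ] && continue
    run ip addr add "$addr/$prefix" dev "$iface" label "$iface:$n"
    n=$(( n + 1 ))
  done
}

# forward_service EXT_IFACE PUBLIC_IP INTERNAL_IP PROTO PORT: DNAT one public
# address/port to an internal host and allow only that flow through FORWARD.
forward_service() {
  local ext=$1 pub=$2 int=$3 proto=$4 port=$5
  run iptables -t nat -A PREROUTING -i "$ext" -d "$pub" -p "$proto" --dport "$port" \
      -j DNAT --to-destination "$int:$port"
  run iptables -A FORWARD -i "$ext" -d "$int" -p "$proto" --dport "$port" \
      -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# bridge_inline OUTSIDE INSIDE: the address-less inline filter the quoted question
# asks about. Both NICs join a bridge that carries no IP address, and
# br_netfilter passes bridged frames through the iptables FORWARD chain.
bridge_inline() {
  local outside=$1 inside=$2
  run modprobe br_netfilter
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
  run ip link add name br0 type bridge
  run ip link set dev "$outside" master br0
  run ip link set dev "$inside" master br0
  run ip link set dev "$outside" up
  run ip link set dev "$inside" up
  run ip link set dev br0 up
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m physdev --physdev-in "$inside" -j ACCEPT
  run iptables -A FORWARD -m physdev --physdev-in "$outside" -p tcp --dport 80 -j ACCEPT
}

# Routed setup from the reply: the primary address stays on eth1, the other five
# are aliased, two answer for internal DNS servers and one for a DMZ web host.
main() {
  run sysctl -w net.ipv4.ip_forward=1
  alias_block eth1 192.0.2.8/29 192.0.2.9
  for proto in udp tcp; do
    forward_service eth1 192.0.2.10 192.168.2.10 "$proto" 53
    forward_service eth1 192.0.2.11 192.168.2.11 "$proto" 53
  done
  forward_service eth1 192.0.2.12 192.168.2.20 tcp 80
}

main "$@"
```

Run as is to see the generated commands; DRY_RUN=0 applies them as root. bridge_inline is deliberately not called from main: a bridging filter and a routed, NATting firewall are two different roles for the box, so for the colocation case you would call bridge_inline instead. Note that the aliased addresses only attract traffic that a PREROUTING rule actually forwards; anything else sent to them is answered (or dropped) by the firewall itself.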