[ale] Firewall design
Christopher Fowler
cfowler at outpostsentinel.com
Tue May 31 18:00:11 EDT 2005
Why do you alias for all of them?
It seems like that you have to assign an ip address to your ethernet
interface.
On Tue, 2005-05-31 at 16:33, Jerald Sheets wrote:
> I do that with my IPCop firewall (www.ipcop.org)...
>
> It uses your primary ethernet (IP's removed for safety):
>
> eth1 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX
> inet addr:**.**.**.** Bcast:**.**.**.** Mask:
> 255.255.255.248
> UP BROADCAST RUNNING MTU:1500 Metric:1
> RX packets:37973138 errors:0 dropped:0 overruns:0 frame:0
> TX packets:31729095 errors:0 dropped:0 overruns:0 carrier:0
> collisions:4922 txqueuelen:1000
> RX bytes:502443111 (479.1 Mb) TX bytes:1688004962 (1609.8
> Mb)
> Interrupt:5 Base address:0x250 Memory:c0000-c2000
>
> It aliases the rest of the IP's I was given by Speedfactory, and
> IPCop answers for all of them. I then use ipfw to send the two DNS
> servers to the right internal boxes, and whatever is on my DMZ. When
> configured, those look like so:
>
>
> eth1:0 Link encap:Ethernet HWaddr 00:E0:29:49:BA:C9
> inet addr:**.**.**.** Bcast:**.**.**.** Mask:
> 255.255.255.248
> UP BROADCAST RUNNING MTU:1500 Metric:1
> Interrupt:5 Base address:0x250 Memory:c0000-c2000
>
> eth1:1 Link encap:Ethernet HWaddr 00:E0:29:49:BA:C9
> inet addr:**.**.**.** Bcast:**.**.**.** Mask:
> 255.255.255.248
> UP BROADCAST RUNNING MTU:1500 Metric:1
> Interrupt:5 Base address:0x250 Memory:c0000-c2000
>
> eth1:2 Link encap:Ethernet HWaddr 00:E0:29:49:BA:C9
> inet addr:**.**.**.** Bcast:**.**.**.** Mask:
> 255.255.255.248
> UP BROADCAST RUNNING MTU:1500 Metric:1
> Interrupt:5 Base address:0x250 Memory:c0000-c2000
>
> eth1:3 Link encap:Ethernet HWaddr 00:E0:29:49:BA:C9
> inet addr:**.**.**.** Bcast:**.**.**.** Mask:
> 255.255.255.248
> UP BROADCAST RUNNING MTU:1500 Metric:1
> Interrupt:5 Base address:0x250 Memory:c0000-c2000
>
> the inet address in each case is one of the 5 consecutives given me
> by SF.
>
> As you can probably tell at this point, I'm a huge proponent of
> IPCop. It's easy to set up, and uses commodity hardware. I love it.
>
>
>
> Jerald M. Sheets jr.
> Sr. UNIX Systems Administrator
> McKesson, Inc.
> 404.293.8762
>
>
> On May 31, 2005, at 3:30 PM, Christopher Fowler wrote:
>
> > Typically all the firewall's that I've used have been the MASQ type.
> > I've received one public IP address and placed that on eth0 and
> > eth1 is
> > a private on a 192.168.2.X.
> >
> > I am looking at expanding the number of public IP's from 1 to 5. I
> > have
> > a question as to how this is configured. If my GDuo from SF
> > connects via
> > a crossover cable to my firewall how do I get the remaining 4 public
> > IP's available to the other devices? Do I somehow make them available
> > on eth1?
> >
> > One setup I'm looking at colocating some servers at E-Deltacomm. They
> > will give me 16 public IPs and I want them to only go through one
> > Linux
> > firewall. This was easy when that firewall was also the gateway.
> >
> > I guess when I do get the 16 ips they'll give me the gw address, the
> > subnet mask and network address. I could simply plug their network
> > cable into a Cisco switch and then have 16 servers attached to but
> > then
> > they would all be vulnerable to the public network. Is there a way I
> > can plug a Linux box between E-Deltacomm and my Cisco switch and
> > have it
> > do filtering but not have an IP address on either eth0 or eth1. This
> > could be an invisible inline firewall thingy :)
> >
> > Chris
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> >
More information about the Ale
mailing list