[ale] Firewall design

Christopher Fowler cfowler at outpostsentinel.com
Tue May 31 18:00:11 EDT 2005


Why do you alias for all of them?
It seems like you have to assign an IP address to your ethernet
interface.


On Tue, 2005-05-31 at 16:33, Jerald Sheets wrote:
> I do that with my IPCop firewall (www.ipcop.org)...
> 
> It uses your primary ethernet (IPs removed for safety):
> 
> eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX
>            inet addr:**.**.**.**  Bcast:**.**.**.**  Mask: 
> 255.255.255.248
>            UP BROADCAST RUNNING  MTU:1500  Metric:1
>            RX packets:37973138 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:31729095 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:4922 txqueuelen:1000
>            RX bytes:502443111 (479.1 Mb)  TX bytes:1688004962 (1609.8  
> Mb)
>            Interrupt:5 Base address:0x250 Memory:c0000-c2000
> 
> It aliases the rest of the IPs I was given by Speedfactory, and
> IPCop answers for all of them.  I then use ipfw to send the two DNS
> servers to the right internal boxes, and whatever is on my DMZ.  When
> configured, those look like so:
> 
> 
> eth1:0    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
>            inet addr:**.**.**.**  Bcast:**.**.**.**  Mask: 
> 255.255.255.248
>            UP BROADCAST RUNNING  MTU:1500  Metric:1
>            Interrupt:5 Base address:0x250 Memory:c0000-c2000
> 
> eth1:1    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
>            inet addr:**.**.**.**  Bcast:**.**.**.**  Mask: 
> 255.255.255.248
>            UP BROADCAST RUNNING  MTU:1500  Metric:1
>            Interrupt:5 Base address:0x250 Memory:c0000-c2000
> 
> eth1:2    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
>            inet addr:**.**.**.**  Bcast:**.**.**.**  Mask: 
> 255.255.255.248
>            UP BROADCAST RUNNING  MTU:1500  Metric:1
>            Interrupt:5 Base address:0x250 Memory:c0000-c2000
> 
> eth1:3    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
>            inet addr:**.**.**.**  Bcast:**.**.**.**  Mask: 
> 255.255.255.248
>            UP BROADCAST RUNNING  MTU:1500  Metric:1
>            Interrupt:5 Base address:0x250 Memory:c0000-c2000
> 
> The inet address in each case is one of the 5 consecutive ones given
> to me by SF.
> 
> As you can probably tell at this point, I'm a huge proponent of  
> IPCop.  It's easy to set up, and uses commodity hardware.  I love it.
> 
> 
> 
> Jerald M. Sheets jr.
> Sr. UNIX Systems Administrator
> McKesson, Inc.
> 404.293.8762
> 
> 
> On May 31, 2005, at 3:30 PM, Christopher Fowler wrote:
> 
> > Typically all the firewalls that I've used have been the MASQ type.
> > I've received one public IP address and placed that on eth0, and
> > eth1 is a private one on 192.168.2.X.
> >
> > I am looking at expanding the number of public IPs from 1 to 5. I
> > have a question as to how this is configured. If my GDuo from SF
> > connects via a crossover cable to my firewall, how do I get the
> > remaining 4 public IPs available to the other devices?  Do I somehow
> > make them available on eth1?
> >
> > One setup I'm looking at is colocating some servers at E-Deltacomm.  They
> > will give me 16 public IPs and I want them to only go through one
> > Linux firewall.  This was easy when that firewall was also the gateway.
> >
> > I guess when I do get the 16 IPs they'll give me the gw address, the
> > subnet mask and network address.  I could simply plug their network
> > cable into a Cisco switch and then have 16 servers attached to it, but
> > then they would all be vulnerable to the public network.  Is there a
> > way I can plug a Linux box between E-Deltacomm and my Cisco switch and
> > have it do filtering but not have an IP address on either eth0 or eth1?
> > This could be an invisible inline firewall thingy :)
> >
> > Chris
> >
> >
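The inline filtering box Chris asks about, with no IP address on either NIC, is what a Linux bridging firewall does: both NICs are enslaved to a bridge that carries no address, and the iptables FORWARD chain filters the bridged frames. The script below is an added example, not code from anyone on this thread or from IPCop; the interface names, the 203.0.113.0/28 block and the allowed port list are assumed placeholders.

```shell
#!/bin/sh
# Transparent inline firewall: eth0 faces the provider, eth1 faces the colo
# switch. Both NICs are enslaved to a bridge that carries no IP address, and
# filtering happens in the iptables FORWARD chain. Constructed example: the
# interface names, the 203.0.113.0/28 block and the port list are assumptions.
OUTSIDE=${OUTSIDE:-eth0}        # provider side (no address configured)
INSIDE=${INSIDE:-eth1}          # server switch side (no address configured)
BRIDGE=${BRIDGE:-br0}
SERVER_NET=${SERVER_NET:-203.0.113.0/28}   # assumed 16-address block from the colo
ALLOWED_TCP=${ALLOWED_TCP:-"22 53 80 443"} # services reachable from outside

# Print the command when DRY_RUN is set, otherwise execute it.
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

bridge_setup() {
    # brctl addbr/addif on older systems; note there is no "ip addr add" anywhere
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$OUTSIDE" master "$BRIDGE"
    run ip link set "$INSIDE" master "$BRIDGE"
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set "$BRIDGE" up
    # Without this sysctl, bridged frames never reach iptables and the box
    # forwards everything unfiltered. Newer kernels need br_netfilter loaded.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

filter_setup() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Bridged traffic shows -i/-o as br0; the physical ports need the physdev match.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" -j ACCEPT
    for p in $ALLOWED_TCP; do
        run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" --physdev-out "$INSIDE" \
            -d "$SERVER_NET" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Rate-limited log of what the default DROP policy discards.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "BRFW-DROP: "
}

# "preview" prints every command; "apply" runs them (as root).
case "${1:-}" in
    preview) DRY_RUN=1; bridge_setup; filter_setup ;;
    apply)   bridge_setup; filter_setup ;;
esac
```

Run `sh brfw.sh preview` first to read the exact commands, then `apply` as root once the two NICs are cabled between the provider and the switch.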