[ale] Firewall design

Jerald Sheets jsheets at yahoo.com
Tue May 31 21:01:07 EDT 2005


*I* don't.  The IPCop software does by design.  

http://www.ipcop.org.

--j


--- Christopher Fowler <cfowler at outpostsentinel.com> wrote:

> Why do you alias for all of them?
> It seems like that you have to assign an ip address to your ethernet
> interface.
> 
> 
> On Tue, 2005-05-31 at 16:33, Jerald Sheets wrote:
> > I do that with my IPCop firewall (www.ipcop.org)...
> > 
> > It uses your primary ethernet (IP's removed for safety):
> > 
> > eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX
> >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> >           RX packets:37973138 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:31729095 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:4922 txqueuelen:1000
> >           RX bytes:502443111 (479.1 Mb)  TX bytes:1688004962 (1609.8 Mb)
> >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > 
> > It aliases the rest of the IP's I was given by Speedfactory, and
> > IPCop answers for all of them.  I then use ipfw to send the two DNS
> > servers to the right internal boxes, and whatever is on my DMZ.  When
> > configured, those look like so:
> > 
> > 
> > eth1:0    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > 
> > eth1:1    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > 
> > eth1:2    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > 
> > eth1:3    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > 
> > the inet address in each case is one of the 5 consecutives given me
> > by SF.
> > 
> > As you can probably tell at this point, I'm a huge proponent of
> > IPCop.  It's easy to set up, and uses commodity hardware.  I love it.
> > 
> > 
> > 
> > Jerald M. Sheets jr.
> > Sr. UNIX Systems Administrator
> > McKesson, Inc.
> > 404.293.8762
> > 
> > 
> > On May 31, 2005, at 3:30 PM, Christopher Fowler wrote:
> > 
> > > Typically all the firewalls that I've used have been the MASQ type.
> > > I've received one public IP address and placed that on eth0 and
> > > eth1 is a private on a 192.168.2.X.
> > >
> > > I am looking at expanding the number of public IP's from 1 to 5. I
> > > have a question as to how this is configured. If my GDuo from SF
> > > connects via a crossover cable to my firewall how do I get the
> > > remaining 4 public IP's available to the other devices?  Do I
> > > somehow make them available on eth1?
> > >
> > > One setup I'm looking at colocating some servers at E-Deltacomm.  They
> > > will give me 16 public IPs and I want them to only go through one
> > > Linux firewall.  This was easy when that firewall was also the gateway.
> > >
> > > I guess when I do get the 16 ips they'll give me the gw address, the
> > > subnet mask and network address.  I could simply plug their network
> > > cable into a Cisco switch and then have 16 servers attached to but
> > > then they would all be vulnerable to the public network.  Is there a
> > > way I can plug a Linux box between E-Deltacomm and my Cisco switch
> > > and have it do filtering but not have an IP address on either eth0
> > > or eth1.  This could be an invisible inline firewall thingy :)
> > >
> > > Chris
> > >
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
> > >
> 
> 
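The two layouts discussed in this thread, written out as an added example that is neither IPCop's code nor either poster's configuration. The first half follows Jerald's design: derive the usable addresses of a /29 block (mask 255.255.255.248, the one in the ifconfig output above), put the first on the outside interface, add the rest as labelled aliases so the firewall answers for the whole block, and forward only the published services (here the two DNS servers) to internal hosts with a default-deny FORWARD chain. The second half is the "invisible inline firewall" Chris asked about: a bridge with no IP address on either NIC, filtered through br_netfilter. The script only builds the command strings, so the design can be reviewed before anything touches a live interface. Assumptions: plain iproute2 and iptables rather than IPCop's own configuration layer (Jerald mentions ipfw; this example does not use it), and all addresses are constructed from the RFC 5737 documentation range 203.0.113.0/24 and RFC 1918 space.

```python
#!/usr/bin/env python3
"""Two ways to put a small public block behind one Linux firewall.

Added example, not IPCop's code or either poster's configuration.
Assumes iproute2 + iptables (not IPCop's own config layer). All addresses
are constructed from the RFC 5737 documentation range 203.0.113.0/24 and
RFC 1918 space. Functions only build command strings.
"""
import ipaddress


def usable_hosts(block, gateway):
    """Addresses in `block` the firewall may claim: everything except the
    network, broadcast and the provider's gateway. strict=True rejects a
    block written with host bits set (e.g. 203.0.113.9/29), a common
    copy-the-gateway mistake."""
    net = ipaddress.ip_network(block, strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    return [str(h) for h in net.hosts() if h != gw]


def alias_commands(iface, block, gateway):
    """Design 1 (the thread's): the outside interface holds the first usable
    address; the rest become labelled aliases (eth1:0, eth1:1, ...) so the
    box answers ARP for the whole block."""
    net = ipaddress.ip_network(block, strict=True)
    primary, *aliases = usable_hosts(block, gateway)
    cmds = [f"ip addr add {primary}/{net.prefixlen} brd + dev {iface}"]
    for n, addr in enumerate(aliases):
        cmds.append(f"ip addr add {addr}/{net.prefixlen} brd + dev {iface} label {iface}:{n}")
    cmds.append(f"ip route add default via {gateway} dev {iface}")
    return cmds


def forward_rules(outside, mapping):
    """Design 1, filtering half: default-deny forwarding, then one DNAT and
    one FORWARD accept per published service. `mapping` is a list of
    (public_ip, proto, port, internal_ip); anything else aimed at an alias
    is dropped."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for public, proto, port, internal in mapping:
        rules.append(
            f"iptables -t nat -A PREROUTING -i {outside} -d {public} -p {proto} "
            f"--dport {port} -j DNAT --to-destination {internal}:{port}"
        )
        # After DNAT the packet seen by FORWARD is addressed to the internal host.
        rules.append(
            f"iptables -A FORWARD -i {outside} -d {internal} -p {proto} "
            f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return rules


def bridge_commands(outside, inside, allowed_tcp_ports):
    """Design 2 (the inline no-IP firewall asked about): both NICs are
    enslaved to a bridge that carries no address, so the box is unreachable
    from either side, and iptables filters bridged frames via br_netfilter.
    With no address it also has no remote management path; assumption: a
    third NIC or the console is used for that."""
    cmds = [
        "modprobe br_netfilter",
        "sysctl -w net.bridge.bridge-nf-call-iptables=1",
        "ip link add name br0 type bridge",
        f"ip link set {outside} master br0",
        f"ip link set {inside} master br0",
        f"ip link set {outside} up",
        f"ip link set {inside} up",
        "ip link set br0 up",
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -m physdev --physdev-in {inside} -j ACCEPT",
    ]
    for port in allowed_tcp_ports:
        cmds.append(
            f"iptables -A FORWARD -m physdev --physdev-in {outside} -p tcp "
            f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return cmds


if __name__ == "__main__":
    # Constructed: a /29 (mask 255.255.255.248) with the provider gateway at
    # .9, leaving the 5 consecutive addresses .10-.14 for the firewall.
    BLOCK, GW, OUT = "203.0.113.8/29", "203.0.113.9", "eth1"
    dns = [("203.0.113.11", "udp", 53, "192.168.2.10"),
           ("203.0.113.12", "udp", 53, "192.168.2.11")]
    for line in alias_commands(OUT, BLOCK, GW) + forward_rules(OUT, dns):
        print(line)
    print()
    for line in bridge_commands("eth0", "eth1", [22, 80, 443]):
        print(line)
```

Running it prints the alias, route and iptables lines for the /29 followed by the bridge layout. Note the trade-off the two designs expose: the aliased firewall is a routed hop with addresses of its own (and therefore manageable over the network), while the bridge carries no address at all and so needs an out-of-band path for administration.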


