[ale] Firewall design

Jerald Sheets jsheets at yahoo.com
Tue May 31 22:23:26 EDT 2005


Actually you can.  All the configs are under
/var/ipcop, and you can set the configurations on
outside access and portfw from the command line.  It
is very sweet.

All FOSS software with reconfigured config file
locations, fronted by a webserver.

The system is taken from Smoothwall, and was started
because people were tired of the folks at Smoothwall
being such jerks in support all the time.  

It's a good project (at least for my needs)

--j


--- Christopher Fowler <cfowler at outpostsentinel.com>
wrote:

> This is really cool.  The only thing I do not like
> that others might is
> that the implementation is hidden away.  The nice
> click GUI will allow
> anyone to set this up but if something goes screwy I
> need to be able to
> dive in with VIM and fix the problem.
> 
> On Tue, 2005-05-31 at 20:50, Jerald Sheets wrote:
> > *I* don't.  The IPCop software does by design.  
> > 
> > http://www.ipcop.org.
> > 
> > --j
> > 
> > 
> > --- Christopher Fowler <cfowler at outpostsentinel.com>
> > wrote:
> > 
> > > Why do you alias for all of them? 
> > > It seems like that you have to assign an ip address
> > > to your ethernet interface.
> > > 
> > > 
> > > On Tue, 2005-05-31 at 16:33, Jerald Sheets wrote:
> > > > I do that with my IPCop firewall (www.ipcop.org)...
> > > > 
> > > > It uses your primary ethernet (IP's removed for safety):
> > > > 
> > > > eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX
> > > >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > > >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> > > >           RX packets:37973138 errors:0 dropped:0 overruns:0 frame:0
> > > >           TX packets:31729095 errors:0 dropped:0 overruns:0 carrier:0
> > > >           collisions:4922 txqueuelen:1000
> > > >           RX bytes:502443111 (479.1 Mb)  TX bytes:1688004962 (1609.8 Mb)
> > > >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > > > 
> > > > It aliases the rest of the IP's I was given by Speedfactory, and
> > > > IPCop answers for all of them.  I then use ipfw to send the two DNS
> > > > servers to the right internal boxes, and whatever is on my DMZ.  When
> > > > configured, those look like so:
> > > > 
> > > > 
> > > > eth1:0    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > > >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > > >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> > > >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > > > 
> > > > eth1:1    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > > >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > > >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> > > >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > > > 
> > > > eth1:2    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > > >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > > >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> > > >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > > > 
> > > > eth1:3    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > > >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > > >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> > > >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > > > 
> > > > the inet address in each case is one of the 5 consecutives given me
> > > > by SF.
> > > > 
> > > > As you can probably tell at this point, I'm a huge proponent of
> > > > IPCop.  It's easy to set up, and uses commodity hardware.  I love it.
> > > > 
> > > > 
> > > > 
> > > > Jerald M. Sheets jr.
> > > > Sr. UNIX Systems Administrator
> > > > McKesson, Inc.
> > > > 404.293.8762
> > > > 
> > > > 
> > > > On May 31, 2005, at 3:30 PM, Christopher Fowler wrote:
> > > > 
> > > > > Typically all the firewalls that I've used have been the MASQ type.
> > > > > I've received one public IP address and placed that on eth0 and
> > > > > eth1 is a private on a 192.168.2.X.
> > > > >
> > > > > I am looking at expanding the number of public IP's from 1 to 5. I
> > > > > have a question as to how this is configured. If my GDuo from SF
> > > > > connects via a crossover cable to my firewall how do I get the
> > > > > remaining 4 public IP's available to the other devices?  Do I
> > > > > somehow make them available on eth1?
> > > > >
> > > > > One setup I'm looking at colocating some servers at E-Deltacomm.  They
> > > > > will give me 16 public IPs and I want them to only go through one
> > > > > Linux firewall.  This was easy when that firewall was also the gateway.
> > > > >
> > > > > I guess when I do get the 16 ips they'll give me the gw address, the
> > > > > subnet mask and network address.  I could simply plug their network
> > > > > cable into a Cisco switch and then have 16 servers attached to but
> > > > > then they would all be vulnerable to the public network.  Is there a
> > > > > way I can plug a Linux box between E-Deltacomm and my Cisco switch and
> > > > > have it do filtering but not have an IP address on either eth0 or
> > > > > eth1.  This could be an invisible inline firewall thingy :)
> > > > >
> > > > > Chris
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Ale mailing list
> > > > > Ale at ale.org
> > > > > http://www.ale.org/mailman/listinfo/ale
> > > > >
> > > > >
> > > 
> > > 
> 
> 
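The aliasing and per-address forwarding that the thread describes IPCop doing, as an added example that is not part of the original post and is not IPCop's own code: the same setup done directly with iproute2 and iptables on a plain Linux firewall. The interface names, the 203.0.113.8/29 block (documentation range), the internal 192.168.2.x hosts and the DRY_RUN switch are all constructed assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread or from IPCop: alias the extra
# public addresses of a small block on the outside interface, then DNAT
# chosen ports on those addresses to internal hosts behind a default-deny
# FORWARD chain, with masquerading for the private LAN.
#
# Constructed assumptions: outside interface eth1, inside interface eth0,
# public block 203.0.113.8/29. Usable addresses are .9-.14; .9 is assumed
# to be the ISP gateway, .10 the firewall's primary address, .11-.14 the
# aliases. Internal hosts live on 192.168.2.0/24.
# DRY_RUN=1 (the default) prints each command instead of executing it, so
# the rule set can be reviewed before it is applied as root with DRY_RUN=0.

DRY_RUN=${DRY_RUN:-1}
WAN_IF=${WAN_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.2.0/24}

# Execute a command, or just print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Host addresses in a prefix, minus network and broadcast. For a /29 this
# is 6; one of them is the ISP gateway, which leaves the five "consecutive"
# addresses mentioned in the thread.
usable_hosts() {
    echo $(( (1 << (32 - $1)) - 2 ))
}

# Base policy: drop forwarded traffic unless a rule allows it, let replies
# through, and masquerade the private LAN out of the primary address.
setup_base() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Add one alias; the label makes it show up as eth1:N in ifconfig output,
# like the interfaces quoted in the thread.
add_alias() {
    # $1 = alias index, $2 = public address, $3 = prefix length
    run ip addr add "$2/$3" dev "$WAN_IF" label "$WAN_IF:$1"
}

# Forward one public address/port to an internal host and permit only that
# new connection through the default-deny FORWARD chain.
forward_port() {
    # $1 = public address, $2 = protocol, $3 = port, $4 = internal address
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$1" -p "$2" --dport "$3" \
        -j DNAT --to-destination "$4:$3"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$4" -p "$2" --dport "$3" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Worked run for the constructed block: two DNS servers and one DMZ web host.
setup_base
i=0
for addr in 203.0.113.11 203.0.113.12 203.0.113.13 203.0.113.14; do
    add_alias "$i" "$addr" 29
    i=$((i + 1))
done
forward_port 203.0.113.11 udp 53 192.168.2.10
forward_port 203.0.113.11 tcp 53 192.168.2.10
forward_port 203.0.113.12 udp 53 192.168.2.11
forward_port 203.0.113.13 tcp 80 192.168.2.20
```

Run it as-is to review the generated commands; `DRY_RUN=0` applies them and needs root. Setting the FORWARD policy to DROP before adding the per-port ACCEPT rules is what keeps the aliased addresses from exposing anything that has not been explicitly forwarded, which is the difference between answering for five public addresses and putting five hosts on the public network.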


