Hi,

I have a Class C network on a T1. The router is already configured by the provider and it also acts as a gateway for the network.

I have to utilize a Cobalt RaQ 4 (has 2 NICs) running Red Hat 8 to act as a firewall between the router and the class C network we will be using for services. The router is using the xxx.xxx.xxx.1 IP so I can use the IPs from .2 to .254.

I was thinking of assigning two IP addresses from the class C to each of the interfaces and connecting the router's ethernet port to one of the interfaces with a cross-over cable. The other interface can act as a gateway for other IP addresses in the network.

1) Is this setup advisable or does it have security risks?
2) Can Shorewall work with this kind of setup?
3) Any other things I need to worry about?

Thanks,
Bhavin.
On Sat, 21 Feb 2004, Bhavin Modi wrote:

> I was thinking of assigning two IP addresses from the class C to each of the
> interfaces and connect the router's ethernet port to one of the interfaces
> with a cross-over cable. The other interface can act as a gateway for other
> IP addresses in the network.

You can use the same IP address for both interfaces. Make the external interface a /32 and the internal one /24. You will then have to add a host route to the router before you can add a default route through that router.

> 1) Is this setup advisable or does it have security risks?

No problems.

> 2) Can Shorewall work with this kind of setup?

Yes.

> 3) Any other things I need to worry about?

I suggest reading the Shorewall Setup Guide -- while it doesn't cover your setup exactly, it should be time well-spent.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
> You can use the same IP address for both interfaces. Make the external
> interface a /32 and the internal one /24. You will then have to add a host
> route to the router before you can add a default route through that
> router.

Will it work with both the interfaces with the same IP addresses in /24 on both the NICs? The problem is we don't have access to the router.

If not, then how should I assign the IP addresses?

Thanks
Regards,
Bhavin
On Mon, 23 Feb 2004, Bhavin Modi wrote:

> > You can use the same IP address for both interfaces. Make the external
> > interface a /32 and the internal one /24. You will then have to add a host
> > route to the router before you can add a default route through that
> > router.
>
> Will it work with both the interfaces with the same IP addresses in /24 on both
> the NICs?
> The problem is we don't have access to the router.
>
> If not, then how should I assign the IP addresses?

I told you how to do it -- if you don't understand what I'm trying to say, I'm sorry but given my personal situation right now I just cannot spend any time explaining basic IP to you.

-Tom
On Mon, 23 Feb 2004, Tom Eastep wrote:

> I told you how to do it -- if you don't understand what I'm trying to say,
> I'm sorry but given my personal situation right now I just cannot spend
> any time explaining basic IP to you.

I should explain -- I have very serious family problems to deal with at the moment.

-Tom
On Monday 23 February 2004 04:03 pm, Bhavin Modi wrote:

> > You can use the same IP address for both interfaces. Make the external
> > interface a /32 and the internal one /24. You will then have to add a
> > host route to the router before you can add a default route through that
> > router.
>
> Will it work with both the interfaces with the same IP addresses in /24 on both
> the NICs?
> The problem is we don't have access to the router.
>
> If not, then how should I assign the IP addresses?

My several year long family ordeal has finally ended. Hopefully, now I will be better able to mind my manners on the lists.

There is only one system on the internet side of your Shorewall box that you need to communicate directly with -- the upstream router. To do that, you don't need to define your external interface address as a /24; all you need is a host route. Assuming that your external interface is eth0 and the internal interface is eth1, the 'ip' command would be:

    ip route add <router ip address> dev eth0

If you define eth0 with a /24 address, you will automatically get a /24 route on that interface; that route would have to be deleted because eth0 is the first interface to come up, so its /24 route would mask the /24 associated with your internal interface. Reversing the interfaces would still make your gateway susceptible to routing-caused outages in the event that you would "ifdown eth1" then "ifup eth1".

The only other thing that needs to be determined here is if your ISP routes the /24 through your gateway's IP address or if it assumes that the entire /24 is accessible using Ethernet. In the latter case, you would want to set the 'proxyarp' interface option on both eth0 and eth1.

Hope this helps.

-Tom
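To make the routing point in Tom's reply concrete, here is an added example (mine, not Tom's and not Shorewall code) that models the Linux main routing table for both layouts and runs longest-prefix lookups against it. It assumes constructed addresses from 192.0.2.0/24 (the RFC 5737 documentation range, standing in for the thread's xxx.xxx.xxx.0/24) and a first-added-wins tie-break between the two equal /24 connected routes; the equivalent 'ip' commands are in the comments.

```python
import ipaddress

# Constructed addresses standing in for the thread's xxx.xxx.xxx.0/24:
# 192.0.2.0/24 is the RFC 5737 documentation range. Router is .1, firewall is .2.
NET = ipaddress.ip_network("192.0.2.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ROUTER = ipaddress.ip_address("192.0.2.1")
FW = ipaddress.ip_address("192.0.2.2")  # same address on both NICs, as Tom suggests

def lookup(table, dst):
    """Longest-prefix match over (prefix, dev, via) entries. Among equal-length
    prefixes the earliest entry wins (assumption modelling eth0 coming up first,
    which is why its /24 route would mask eth1's). Returns the egress device."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, via in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev, via)
    return None if best is None else best[1]

def both_slash24():
    """Bhavin's plan: a /24 address on eth0 and on eth1 (eth0 configured first).
    Each address brings a connected /24 route with it."""
    return [
        (NET, "eth0", None),        # from: ip addr add 192.0.2.2/24 dev eth0
        (NET, "eth1", None),        # from: ip addr add 192.0.2.2/24 dev eth1
        (DEFAULT, "eth0", ROUTER),  # from: ip route add default via 192.0.2.1
    ]

def tom_layout():
    """Tom's layout: /32 on eth0 (no connected route), a host route to the
    router, /24 on eth1, and only then the default route via the router."""
    return [
        (ipaddress.ip_network(f"{ROUTER}/32"), "eth0", None),  # ip route add 192.0.2.1 dev eth0
        (NET, "eth1", None),        # from: ip addr add 192.0.2.2/24 dev eth1
        (DEFAULT, "eth0", ROUTER),  # ip route add default via 192.0.2.1 (needs the host route first)
    ]

def egress(table, hosts):
    """Map each destination to the interface the table would send it out of."""
    return {h: lookup(table, h) for h in hosts}

if __name__ == "__main__":
    probes = ["192.0.2.1", "192.0.2.50", "198.51.100.7"]  # router, internal host, the internet
    print("both /24    :", egress(both_slash24(), probes))  # internal host wrongly leaves via eth0
    print("Tom's layout:", egress(tom_layout(), probes))    # internal host via eth1, rest via eth0
```

The first table sends the internal .50 host out eth0 toward the router, which is the outage Tom describes; the second reaches the router through the host route, the internal network through eth1, and everything else through the default route.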
Mike Noyes
2004-Feb-24 21:48 UTC
Re: [off-list] Firewall setup in a class C public network
On Tue, 2004-02-24 at 09:24, Tom Eastep wrote:
> My several year long family ordeal has finally ended. Hopefully, now I will be
> better able to mind my manners on the lists.

Tom,
I hope everything is alright.

--
Mike Noyes <mhnoyes at users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs
Tom Eastep
2004-Feb-25 00:04 UTC
Re: Re: [off-list] Firewall setup in a class C public network
On Tue, 24 Feb 2004, Mike Noyes wrote:
> On Tue, 2004-02-24 at 09:24, Tom Eastep wrote:
> > My several year long family ordeal has finally ended. Hopefully, now I will be
> > better able to mind my manners on the lists.
>
> Tom,
> I hope everything is alright.

Mike,

My Mother passed away last night after a long bout with senile dementia; she and Dad have been living with us for the last five months.

-Tom
Tom,

Thanks a lot for the explanation. I had a conversation with my provider regarding this as they didn't give us router access. They probably didn't understand the scenario, so they gave us an additional subnet of /30 which is used for the router and the ext. interface of the firewall, and the /24 is now connected through the DMZ interface.

We have a similar network with another T1 from another provider and we are using Shorewall for that too. The system we used is an Athlon 1800 with 256MB RAM, but I find that the system is underutilized with the amount of traffic we are drawing, so we decided to use a dying Cobalt RaQ4 for the firewall functionality. Unfortunately the Cobalt RaQ4 has only 2 onboard NICs, but I think that should be fine. The Cobalt RaQ4 has an AMD K6 (450MHz), 2 Intel Pro 100Mbps NICs, 256MB RAM.

What are the minimum system requirements you would suggest for Shorewall providing routing/firewall functionality on a T1 having about 70% BW utilization?

Thanks,
Regards,
Bhavin