Hi everybody.

I would like some advice from your own experience which might be of help with the situation I have. I would like to firewall-protect our internal network. The topology is quite simple. There are about 30 servers/workstations interconnected with 2 cascaded switches. One port of a switch is connected to the main hub to the Internet. All of the machines are assigned valid IP addresses.

Now I would like to make the setup look like this:

                    _____________          ________
                   |             |        |        |
    Internet ------|     PC      |--------| Switch |----- Internal network
   (untrusted)     |_____________|        |________|

where PC will be equipped with two NICs and be running a Linux kernel with a firewall ruleset.

I would like the internal network to keep using the valid IP addresses and the current network setup for the sake of some kind of redundancy. I.e., something goes wrong and I am not around to take care of it, rip the Internet cable off the firewall PC and plug it into the switch, instant (insecure... sigh) fix.

Unfortunately these IP addresses are part of a class C domain that belongs to the whole building we are in, and it is not subnetted by any means. That is, when somebody in the building has a new machine he is assigned the next free address of the class C domain. So my internal network has IP addresses like .11, .12, .20, .100, .121, .196 ..... you get the idea. And this is the problem I have. How do I set this up?

The only way I could think of was using proxy ARP and static host routes for my machines on the firewall PC. Static routes are difficult to maintain in the long run though (suppose we get a new machine), and the firewall PC should be as maintenance-free as possible.

Do I have to live with the above setup given my wish list? Is there any other way of doing the above? Any other ideas/pointers?

Thanks all,
-K.

-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.rutgers.edu
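The proxy-ARP-plus-host-routes approach the poster considers, written out as an added example (this is not code from the original message or from the linux-net list). It addresses the maintenance worry by generating the route list from a plain hosts file, so a new machine means adding one line and re-running the script. Interface names (eth0/eth1), the 192.168.1.0/24 range standing in for the building's class C, the firewall address, the gateway and the sample hosts list are all assumptions; the generated commands use the modern iproute2, sysctl and iptables tools rather than the route/ipfwadm tools of the original era.

```shell
#!/bin/sh
# Added example, not code from the original post: generate (and optionally apply)
# the proxy-ARP plus host-route configuration for a two-NIC Linux firewall whose
# inside and outside share one unsubnetted /24. Interface names, the address
# range, the firewall address, the gateway and the hosts list are assumptions.

OUTSIDE="${OUTSIDE:-eth0}"                # NIC towards the building hub (assumed name)
INSIDE="${INSIDE:-eth1}"                  # NIC towards the internal switch (assumed name)
NET_PREFIX="${NET_PREFIX:-192.168.1}"     # the building's /24 (a private range stands in for it)
FW_IP="${FW_IP:-192.168.1.2}"             # the firewall's own address in that /24 (assumed)
GATEWAY="${GATEWAY:-192.168.1.1}"         # the building's default router (assumed)

# Constructed sample hosts list: one internal machine per line, last octet first,
# optional name after it, '#' comments allowed. Adding a machine is adding a line.
sample_hosts() {
    cat <<'EOF'
# octet  name
11   ws-k
12   ws-m
20   fileserver
100  printer          # shared printer
121  build
196  dbhost
EOF
}

# One /32 host route out the inside NIC for a single last octet.
host_route() {
    echo "ip route add ${NET_PREFIX}.$1/32 dev ${INSIDE}"
}

# Read a hosts list on stdin and print the complete configuration on stdout.
gen_config() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Same address on both NICs: /24 outside (keeps the connected network route
# towards the hub), /32 inside so no second connected /24 route appears.
ip addr add ${FW_IP}/24 dev ${OUTSIDE}
ip addr add ${FW_IP}/32 dev ${INSIDE}
# Linux proxy ARP answers an ARP request only when the target is routed out a
# different interface than the one the request arrived on: on the outside it
# answers for the /32s below, on the inside for the rest of the /24 and the gateway.
sysctl -w net.ipv4.conf.${OUTSIDE}.proxy_arp=1
sysctl -w net.ipv4.conf.${INSIDE}.proxy_arp=1
EOF
    # Strip comments and blank lines, keep the first field (the last octet).
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | while read -r octet _; do
        host_route "$octet"
    done
    cat <<EOF
ip route add default via ${GATEWAY} dev ${OUTSIDE}
# Minimal stateful ruleset: inside may initiate, outside only gets replies.
iptables -P FORWARD DROP
iptables -A FORWARD -i ${INSIDE} -o ${OUTSIDE} -j ACCEPT
iptables -A FORWARD -i ${OUTSIDE} -o ${INSIDE} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Count the /32 host routes in a generated configuration read on stdin (a sanity check
# before applying: the number must match the number of machines in the hosts file).
count_host_routes() {
    grep -c 'ip route add .*/32 dev '
}

# Stand-alone: "sh proxyarp-fw.sh hosts.txt" prints the commands for your list
# (pipe the output into "sh" as root to apply); with no argument it uses the sample list.
main() {
    if [ -n "${1:-}" ]; then gen_config < "$1"; else sample_hosts | gen_config; fi
}
main "$@"
```

The design relies on how the Linux proxy ARP flag works: an ARP request arriving on one interface is answered only when the target is reachable via another interface. Because the /32 routes point at the inside NIC, the firewall claims exactly the listed machines towards the building hub and nothing else, while on the inside it claims the gateway and every other building host, so the internal machines keep their addresses and their default gateway unchanged. Two internal machines still ARP for each other directly over the switch, since their routes leave on the same interface the request came in on. Note that the script only generates commands; review the output before piping it into a root shell.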