At 02:34 PM 3/7/01 +0100, J.R. de Jong wrote:

>Hello all,
>
>I've got a question concerning firewalling. ICMP, UDP and TCP can be
>filtered out with ipchains/iptables, but what about IPX, ARP, netbios and
>such? To make my question more clear let me explain what I want.

ARP does not propagate across network segments. I never enable IPX in my machines; if you don't have the support then there is no way for a box to be a conduit. Same with NETBIOS and NETBEUI. I run a very mixed-client environment (Mac, Windows, BSD, Linux, other stuff from time to time), and find that TCP/IP all alone works just fine.

>We have a network connected to the internet. Inside this network I want to
>put a firewall. This firewall has two network adapters each with a
>different network. The first is connected to the network and the other is
>connected to a switch. On this switch we have a (beowulf) cluster of
>machines.

So you have Internet <-> campus network <-> firewall <-> Beowulf cluster with switch

>Now, if I disable IP forwarding and make the firewall airtight in the
>sense that I use ipchains to deny any traffic between the networks does
>anything low level from the switch or whatever still propagate to the
>other network?

If you disable IPX, NETBIOS/NETBEUI, and forwarding, then there is nothing between the two networks, nothing at all, except any applications that talk on both networks. Kill inetd and rpc (and make damn sure you are not running any router software) and you have a digital divide between the campus and the Beowulf cluster. Someone would have to hack the firewall in order to get anything through.

You will most likely want to run NAT and masquerade, so the Beowulf cluster can talk through the firewall to the outside world. You ARE running a private network inside the firewall, right?

>Our IT people are against this setup and want to maintain the switch
>themselves (which means it should be accessible to them) for the reason
>that, as they say, it is still possible that this switch can cause hiccups
>in their network.

Then they don't understand firewalls, period. If the IP addresses you use inside the firewall aren't routable (like net 10, the network I usually use for this purpose), then the switch will be working in its own little world and can have no effect on the rest of the campus. I suspect your IT people are mistaking an EtherSwitch for an IP-level router -- but even if your Beowulf cluster was running on an IP-level router, your firewall system wouldn't be propagating any router-to-router protocols unless you install the support for it to do so. (So don't.)

>I find this hard to believe. To me it seems that there is no way
>___AT__ALL__ that they can detect if there is anything behind the firewall
>or that anything behind the firewall could cause some disturbance on the
>network.

The only disturbance to the campus network is application level traffic (FTP, HTTP, and the like) generated inside the perimeter intended for the Internet or the campus network, just as if someone was working with a client computer connected to the campus network. ARP is not a problem. No gateway or router advertisements will show up through the firewall computer, in either direction. Indeed, your IT people won't be able to affect the Beowulf cluster, the result I believe you desire.

Satch
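As an added example (not part of the list post), here is a small audit script for the dual-homed firewall host described in the thread: it checks the conditions Satch lists, namely IP forwarding off, no IPX/bridge/NetBEUI support loaded, and no inetd/rpc or routing daemon running. It reads the text of /proc/sys/net/ipv4/ip_forward, /proc/modules and a `ps -eo pid,comm` listing; the sample strings are constructed, not taken from a real host.

```python
"""Audit a dual-homed Linux firewall for the 'airtight' conditions from the
thread: ip_forward off, no non-IP/bridging modules, no inetd/rpc/router daemons.
Added example; sample inputs are constructed."""

# Modules that would let the box carry non-IP or bridged frames between its
# two interfaces (standard Linux module names).
RISKY_MODULES = {"ipx", "bridge", "appletalk", "netbeui"}
# Daemons the post says to kill (inetd, rpc) or never install (router software).
RISKY_DAEMONS = {"inetd", "xinetd", "portmap", "rpcbind",
                 "routed", "gated", "zebra", "bgpd", "ospfd"}


def audit(ip_forward_text, modules_text, ps_text):
    """Return a list of findings; an empty list means the host is airtight."""
    findings = []
    if ip_forward_text.strip() != "0":
        findings.append("ip_forward is enabled")
    # /proc/modules: one module per line, the module name is the first field
    loaded = {line.split()[0] for line in modules_text.splitlines() if line.strip()}
    findings += [f"module loaded: {m}" for m in sorted(loaded & RISKY_MODULES)]
    # ps listing: skip the header line, the command name is the last field
    running = {line.split()[-1] for line in ps_text.splitlines()[1:] if line.strip()}
    findings += [f"daemon running: {d}" for d in sorted(running & RISKY_DAEMONS)]
    return findings


# Constructed sample: a host that violates all three conditions.
BAD_IP_FORWARD = "1\n"
BAD_MODULES = "ipx 21432 0 - Live 0xf8a0c000\nbridge 48736 0 - Live 0xf8a2e000\n"
BAD_PS = "  PID COMMAND\n    1 init\n  412 inetd\n  587 portmap\n  903 sshd\n"

# Constructed sample: the same host after following the advice in the thread.
GOOD_IP_FORWARD = "0\n"
GOOD_MODULES = "e100 32768 0 - Live 0xf8a0c000\n"
GOOD_PS = "  PID COMMAND\n    1 init\n  903 sshd\n"

if __name__ == "__main__":
    for name, args in (("bad", (BAD_IP_FORWARD, BAD_MODULES, BAD_PS)),
                       ("good", (GOOD_IP_FORWARD, GOOD_MODULES, GOOD_PS))):
        print(name, audit(*args) or "airtight")
```

If the cluster is later masqueraded through this host, ip_forward must be 1 and the firewall's FORWARD rules, not this check, become the control.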