On Mon 09/06/2003 at 05:46, loong wrote:
> is there anywhere install bridge firewall and install vlan
> http://www.candelatech.com/~greear/vlan.html

This works very well.

> so that my firewall can run like netscreen without using hub or
> switch to my webserver.

You'll still have to use at least one switch.

> currently is
>
> internet --> eth0 firewall eth1 --> hub ------> webserver 1
>                                        ------> webserver 2
>
> is that anywhere I install few network card in my firewall then
>
> internet ---> eth0 firewall eth1 ----> webserver 1
>                             eth2 -----> webserver 2
>                             eth3 -----> webserver 3

Your physical setup will be like this:

  Internet -> eth0/Firewall/eth1 -> switch -> Web1
                                           -> Web2

You can also have:

  Firewall/eth0 -> switch -> Internet
                          -> Web1
                          -> Web2

But I don't recommend this setup as it relies too much on switch security features.

So, you connect eth1 to your switch. This switch must support VLAN and 802.1q frame tagging. On the switch, configure the port connected to eth0 as an 802.1q port (called trunk on Cisco). Now, assign one VLAN to Web1's port, another one to Web2's port, etc. Eth0's port will carry all assigned VLANs (see your switch documentation).

Now, on your firewall, use vconfig to create virtual interfaces associated with each VLAN you want to see through the 802.1q link. Suppose Web1 is on VLAN1, Web2 on VLAN2:

  vconfig add eth0 1
  vconfig add eth0 2

This will create vlan0001 and vlan0002 interfaces through which you'll see respectively Web1's traffic and Web2's traffic. See the vconfig man page for further information.

Now, this solution is very scalable as you can add as many VLANs as you want on your switch. You just have to add them to the 802.1q link and create the proper interface on the firewall. Then you configure your routing and filtering between those vlan* interfaces just the way you're used to between physical ones (eth*). Note that eth1 will see 802.1q tagged frames.
But beware of the fact that this kind of network separation directly depends on your switch security. If one is able to gain access to the switch or find a way to bypass it, you lose everything relying on VLANs. See: http://www.arp-sk.org/doc/bh-us-02-convrey-switches.pdf

-- 
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
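An added example, not from the post or its author, that scripts the per-VLAN sub-interface and filtering setup the reply describes: it assumes eth0 faces the Internet, eth1 is the 802.1q trunk to the switch, and constructed 10.0.x.0/24 addressing with the firewall as each VLAN's gateway. It prints the commands by default (DRY_RUN=1) so the resulting policy can be reviewed before being applied to a real firewall.

```shell
#!/bin/sh
# Added example (not from the original post): one vconfig sub-interface per
# VLAN on the 802.1q trunk, plus a FORWARD policy that only lets HTTP from the
# Internet reach each web server. Assumptions (constructed for illustration):
# eth0 faces the Internet, eth1 is the trunk, each VLAN is its own /24 with the
# firewall as gateway. DRY_RUN=1 (default) prints commands instead of running them.
INET=${INET:-eth0}
TRUNK=${TRUNK:-eth1}
DRY_RUN=${DRY_RUN:-1}

# Echo commands in dry-run mode, execute them otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# vconfig's default naming (VLAN_PLUS_VID) gives vlan0001, vlan0002, ...
vlan_ifname() { printf 'vlan%04d\n' "$1"; }

# Default-deny forwarding; only replies to allowed flows come back. Since no
# rule ever allows vlan* -> vlan*, the web servers cannot reach each other
# through the firewall even though they share the same physical trunk.
base_policy() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip link set "$TRUNK" up
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# setup_vlan VID GATEWAY/PREFIX SERVER_IP
# Creates the tagged sub-interface on the trunk, addresses it, and permits
# only new TCP/80 connections from the Internet to that VLAN's web server.
setup_vlan() {
    vid=$1; gw=$2; srv=$3
    ifname=$(vlan_ifname "$vid")
    run vconfig add "$TRUNK" "$vid"
    run ip addr add "$gw" dev "$ifname"
    run ip link set "$ifname" up
    run iptables -A FORWARD -i "$INET" -o "$ifname" -d "$srv" \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Web1 on VLAN 1, Web2 on VLAN 2, as in the reply (addresses are constructed).
base_policy
setup_vlan 1 10.0.1.1/24 10.0.1.10
setup_vlan 2 10.0.2.1/24 10.0.2.10
```

Adding a third server is one more setup_vlan line plus the matching VLAN on the switch port and trunk; the firewall stays the only path between VLANs.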