I was going to suggest the bridge method too as an innovative method of firewalling without subnetting. I have actually tried this and it works a treat - I applied the diffs to a 2.4.9 kernel and it worked, no problems. This is arguably more secure than a conventional firewall as you don't need any IP addresses on the firewall itself - even if you want an IP address on the firewall for management you can just put one on the "inside" interface and keep things nice and secure... I think you can also do NAT with the bridge firewall, and yes there is a point!

Graham.

At 18:28 27/11/2001, you wrote:

>NAT is probably the best way to set up the network if at all possible.
>You get the most security from doing it this way. However, if for some
>reason you can't (you have tons of machines pointed at the gateway and
>can't change them easily, etc.), you can put a bridge between the
>router and the rest of the network.
>
>http://bridge.sourceforge.net/
>
>This page has the source for bridging in a Linux 2.4 kernel (should
>already be in 2.4 kernels) and also firewalling from that bridge (which
>I don't believe is in the 2.4 kernel). I have not tried the 2.4 kernel
>(however I'm fixing to) with this patch, but I have been using it to
>easily firewall 2500 machines (Mac, Unix, Linux, Windows, etc.) that
>could not be easily reconfigured to point at a new gateway.
>
>I still believe NAT is your best solution and provides the most
>security, but it is not always feasible to re-point the clients to the
>new router. This should give you an alternative method.
>
>Robert
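The transparent bridge firewall Robert and Graham describe, written out as an added example (it is not code from either poster or from bridge.sourceforge.net). It assumes a current Linux host with iproute2, iptables and the br_netfilter module standing in for the 2.4 bridge-nf patch; the interface names, subnet and allowed port are constructed.

```shell
#!/bin/sh
# Two NICs joined into one bridge that carries no IP address of its own, with
# iptables filtering the frames that cross it. Clients keep their existing
# default gateway; nothing on the LAN needs to be re-pointed.
# Assumptions: Linux with iproute2, iptables and br_netfilter (modern
# equivalent of the 2.4 bridge-nf patch). Names and addresses are examples.
OUTSIDE=eth0        # port towards the router
INSIDE=eth1         # port towards the LAN
BRIDGE=br0
LAN=192.0.2.0/24    # documentation range standing in for the real LAN

# run: execute a command, or only print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_bridge: enslave both NICs; no 'ip addr add' anywhere, so the box
# has no address an attacker on either side could target
build_bridge() {
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$OUTSIDE" master "$BRIDGE"
    run ip link set "$INSIDE" master "$BRIDGE"
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set "$BRIDGE" up
}

# filter_bridge: with bridge-nf-call-iptables=1 bridged frames traverse the
# FORWARD chain, and the physdev match tells us which port they came in on.
# Policy: LAN may initiate anything, the router side only gets replies plus
# one explicitly published service.
filter_bridge() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" \
        -p tcp -d "$LAN" --dport 80 -j ACCEPT
}

# 'sh bridgefw.sh apply' applies the setup (needs root); 'show' only prints it
case "${1:-}" in
    apply) build_bridge; filter_bridge ;;
    show)  DRY_RUN=1; build_bridge; filter_bridge ;;
esac
```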