Re: IP ranges with linux firewalls?

Hi Jan!

On 11/27/01, Benjamin Stocker posted nearly the same question to this list (read these threads to get into the topic):

http://www.der-keiler.de/Mailing-Lists/linuxsecurity/2001-11/0082.html
http://www.der-keiler.de/Mailing-Lists/linuxsecurity/2001-11/0093.html

Question 1)
It is no problem to do NAT both for the DMZ and for your internal net. Configure your stuff like this:

Provider

       | ext-IP-Range: 1.1.1.224-239 (NIC_0)
      NAT
  +----+-----+
  |          | dmz-IP: 192.168.1.1 (NIC_1)
  |   fw     +------- DMZ 192.168.1.2-x (Gateway: dmz-IP)
  +----+-----+
       | int-IP: 192.168.0.1
     Intranet: 192.168.0.2-255 (Gateway: int-IP)

This is a very robust setup. You do not lose the advantage of a DMZ (an attacker who broke into a computer on the DMZ does not have easy access to the internal machines). If you need an extra level of security, you may also put a second firewall between fw1 and the Intranet.

Question 2)
You have to split the class C net into 2 networks with 128 IPs each and route the traffic.
See: http://www.der-keiler.de/Mailing-Lists/linuxsecurity/2001-11/0081.html

Ulrich
Searching for an archive of the most important Security Mailing-Lists?
http://www.der-keiler.de


On Wednesday 13 February 2002 04:00 pm, Jan Stifter wrote:

> hello,
> I have two questions regarding the configuration of network
> interfaces:
>
> Question 1)
> -----------
>
>    Provider
>
>       | ext-IP
>  +----+-----+
>  |          | dmz-IP
>  |   fw     +------- DMZ
>  +----+-----+
>       | int-IP
>     Intranet
>
> My Provider gives me an official address range 1.1.1.224-239.
> I would like to use for the intranet the 192.168.x.y range.
>
> So I thought, that I would give the dmz-IP the address 1.1.1.224, the
> int-IP 192.168.0.1.
>
> Can I use for the ext-IP also 1.1.1.224 and configure the firewall
> somehow as a bridge? If yes, where do I find more information
> regarding this issue (ifconfig, route commands, kernel configuration)?
> If no, what other options do I have?
>
> Question 2)
> -----------
> Assume that I would like to build a firewall inside of a larger
> network:
>
>    1.1.1.0-255 (excluding .224 - .239)
>
>   eth0| ext-IP
>  +----+-----+
>  |          | dmz-IP
>  |   fw     +------- DMZ: 1.1.1.224-239
>  |
>  |          |eth1
>  +----------+
>
> So, outside, towards ext-IP, I have all IPs 1.1.1.0-255 excluding .224
> - .239, in the DMZ, I have IPs 1.1.1.224-239
>
> From the point of network configuration, this should work, but I just
> don't know how to set up the ifconfig and route commands in order to
> be able to configure this correctly.
>
> Thanks for reading this!
> Any hints are greatly appreciated
>
> Jan
------------------------------------------------------------------------
     To unsubscribe email security-discuss-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
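The Question 1 layout from Ulrich's reply, as an added example that is not part of the thread: a Linux firewall doing NAT for both the DMZ (192.168.1.0/24) and the intranet (192.168.0.0/24) behind one public address, with a forward policy that keeps DMZ hosts from reaching the intranet. Interface names, the choice of 1.1.1.224 as the NAT address and the published DMZ web server are assumptions; by default the script only prints the rules (run with IPT=iptables as root to apply them).

```shell
#!/bin/sh
# Dry-run by default: IPT="echo iptables" prints each rule instead of applying it.
IPT="${IPT:-echo iptables}"

EXT_IF=eth0               # NIC_0, provider side (assumed name)
DMZ_IF=eth1               # NIC_1, dmz-IP 192.168.1.1 (assumed name)
INT_IF=eth2               # int-IP 192.168.0.1 (assumed name)
EXT_IP=1.1.1.224          # one address out of 1.1.1.224-239 used for NAT (assumed)
DMZ_NET=192.168.1.0/24
INT_NET=192.168.0.0/24
DMZ_WWW=192.168.1.2       # constructed: a web server in the DMZ published to the outside

fw_rules() {
    $IPT -t nat -F
    $IPT -F FORWARD
    # Nothing is forwarded unless a rule below allows it
    $IPT -P FORWARD DROP
    # Source NAT: both private nets leave through the one public address
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$DMZ_NET" -j SNAT --to-source "$EXT_IP"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_IP"
    # Destination NAT: publish the DMZ web server on the public address
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WWW"
    # Replies belonging to already accepted connections
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Intranet may open connections to the DMZ and to the Internet
    $IPT -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m conntrack --ctstate NEW -j ACCEPT
    # DMZ may reach the Internet but never initiate towards the intranet:
    # this keeps the DMZ advantage Ulrich describes
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP
    # Outside may only reach the published DMZ service (after DNAT)
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_WWW" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

fw_rules
```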

