
[no subject]



On Tue, 2005-05-31 at 20:50, Jerald Sheets wrote:
> *I* don't.  The IPCop software does by design.  
> 
> http://www.ipcop.org.
>
> --j
>
>
> --- Christopher Fowler <cfowler at outpostsentinel.com> wrote:
>
> > Why do you alias for all of them?
> > It seems like that you have to assign an ip address to your ethernet
> > interface.
> >
> >
> > On Tue, 2005-05-31 at 16:33, Jerald Sheets wrote:
> > > I do that with my IPCop firewall (www.ipcop.org)...
> > >
> > > It uses your primary ethernet (IP's removed for safety):
> > >
> > > eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX
> > >            inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > >            UP BROADCAST RUNNING  MTU:1500  Metric:1
> > >            RX packets:37973138 errors:0 dropped:0 overruns:0 frame:0
> > >            TX packets:31729095 errors:0 dropped:0 overruns:0 carrier:0
> > >            collisions:4922 txqueuelen:1000
> > >            RX bytes:502443111 (479.1 Mb)  TX bytes:1688004962 (1609.8 Mb)
> > >            Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > >
> > > It aliases the rest of the IP's I was given by Speedfactory, and
> > > IPCop answers for all of them.  I then use ipfw to send the two DNS
> > > servers to the right internal boxes, and whatever is on my DMZ.  When
> > > configured, those look like so:
> > >
> > >
> > > eth1:0    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > >            inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > >            UP BROADCAST RUNNING  MTU:1500  Metric:1
> > >            Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > >
> > > eth1:1    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > >            inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > >            UP BROADCAST RUNNING  MTU:1500  Metric:1
> > >            Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > >
> > > eth1:2    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > >            inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > >            UP BROADCAST RUNNING  MTU:1500  Metric:1
> > >            Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > >
> > > eth1:3    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > >            inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > >            UP BROADCAST RUNNING  MTU:1500  Metric:1
> > >            Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > >
> > > the inet address in each case is one of the 5 consecutives given me
> > > by SF.
> > >
> > > As you can probably tell at this point, I'm a huge proponent of
> > > IPCop.  It's easy to set up, and uses commodity hardware.  I love it.
> > >
> > >
> > >
> > > Jerald M. Sheets jr.
> > > Sr. UNIX Systems Administrator
> > > McKesson, Inc.
> > > 404.293.8762
> > >
> > >
> > > On May 31, 2005, at 3:30 PM, Christopher Fowler wrote:
> > >
> > > > Typically all the firewall's that I've used have been the MASQ type.
> > > > I've received one public IP address and placed that on eth0 and eth1 is
> > > > a private on a 192.168.2.X.
> > > >
> > > > I am looking at expanding the number of public IP's from 1 to 5. I have
> > > > a question as to how this is configured. If my GDuo from SF connects via
> > > > a crossover cable to my firewall how do I get the remaining 4 public
> > > > IP's available to the other devices?  Do I somehow make them available
> > > > on eth1?
> > > >
> > > > One setup I'm looking at colocating some servers at E-Deltacomm.  They
> > > > will give me 16 public IPs and I want them to only go through one Linux
> > > > firewall.  This was easy when that firewall was also the gateway.
> > > >
> > > > I guess when I do get the 16 ips they'll give me the gw address, the
> > > > subnet mask and network address.  I could simply plug their network
> > > > cable into a Cisco switch and then have 16 servers attached to but then
> > > > they would all be vulnerable to the public network.  Is there a way I
> > > > can plug a Linux box between E-Deltacomm and my Cisco switch and have it
> > > > do filtering but not have an IP address on either eth0 or eth1.  This
> > > > could be an invisible inline firewall thingy :)
> > > >
> > > > Chris
> >
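
The alias-and-forward layout described in the quoted message, as an added example that is not part of the original thread: a dry-run script that prints the interface-alias commands and, using iptables syntax rather than the ipfw named in the message, the port-forward rules for two DNS servers. The 203.0.113.0/29 block, the 192.168.2.x hosts and all variable and function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Dry run: prints the commands instead of running them, so no root is needed.
# Constructed values: 203.0.113.0/29 (documentation range) stands in for the
# ISP block; the 192.168.2.x hosts are hypothetical internal DNS servers.
WAN_IF=eth1
PREFIX=29   # netmask 255.255.255.248
PUBLIC_IPS="203.0.113.2 203.0.113.3 203.0.113.4 203.0.113.5 203.0.113.6"
# One forward per line: public_ip proto port internal_ip
FORWARDS="203.0.113.3 udp 53 192.168.2.10
203.0.113.3 tcp 53 192.168.2.10
203.0.113.4 udp 53 192.168.2.11
203.0.113.4 tcp 53 192.168.2.11"

# The first address is the primary; the rest get eth1:0, eth1:1, ... labels.
alias_cmds() {
    local n=-1 ip
    for ip in $PUBLIC_IPS; do
        if [ "$n" -lt 0 ]; then
            echo "ip addr add $ip/$PREFIX dev $WAN_IF"
        else
            echo "ip addr add $ip/$PREFIX dev $WAN_IF label $WAN_IF:$n"
        fi
        n=$((n + 1))
    done
}
# Default-drop forwarding, then a DNAT rule and a FORWARD accept per entry;
# a forward for an address that is not aliased on the firewall is rejected.
forward_rules() {
    local pub proto port dst
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r pub proto port dst; do
        [ -n "$pub" ] || continue
        case " $PUBLIC_IPS " in
            *" $pub "*) ;;
            *) echo "error: $pub is not an aliased address" >&2; return 1 ;;
        esac
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -p $proto --dport $port -j DNAT --to-destination $dst:$port"
        echo "iptables -A FORWARD -i $WAN_IF -d $dst -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done <<EOF
$FORWARDS
EOF
}
# Aliased addresses with no forward: the firewall answers, nothing sits behind them.
unforwarded() {
    local ip
    for ip in $PUBLIC_IPS; do
        printf '%s\n' "$FORWARDS" | awk -v ip="$ip" '$1 == ip { f = 1 } END { exit !f }' || echo "$ip"
    done
}
alias_cmds; forward_rules; echo "# aliased, not forwarded: $(unforwarded | tr '\n' ' ')"
```

With the FORWARD policy set to DROP, an aliased public address exposes only the ports listed for it, and an address with no entry exposes nothing behind the firewall.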

