<li><em>date</em>: Tue May 31 22:29:58 2005</li>
<li><em>from</em>: cfowler at outpostsentinel.com (Christopher Fowler)</li>
<li><em>in-reply-to</em>: <<a href="msg01111.html">[email protected]</a>></li>
<li><em>references</em>: <<a href="msg01111.html">[email protected]</a>></li>
<li><em>subject</em>: [ale] Firewall design</li>
On Tue, 2005-05-31 at 22:13, Jerald Sheets wrote:
> Actually you can. All the configs are under /var/ipcop, and you can set
> the configurations on outside access and portfw from the command line. It
> is very sweet.
>
> All FOSS software with reconfigured config file locations, fronted by a
> webserver.
>
> The system is taken from Smoothwall, and was started because people were
> tired of the folks at Smoothwall being such jerks in support all the time.
>
> It's a good project (at least for my needs)
>
> --j
>
>
> --- Christopher Fowler <cfowler at outpostsentinel.com> wrote:
>
> > This is really cool. The only thing I do not like that others might is
> > that the implementation is hidden away. The nice click GUI will allow
> > anyone to set this up but if something goes screwy I need to be able to
> > dive in with VIM and fix the problem.
> >
> > On Tue, 2005-05-31 at 20:50, Jerald Sheets wrote:
> > > *I* don't. The IPCop software does by design.
> > >
> > > <a rel="nofollow" href="http://www.ipcop.org">http://www.ipcop.org</a>.
> > >
> > > --j
> > >
> > >
> > > --- Christopher Fowler <cfowler at outpostsentinel.com> wrote:
> > >
> > > > Why do you alias for all of them?
> > > > It seems like you have to assign an IP address to your ethernet
> > > > interface.
> > > >
> > > >
> > > > On Tue, 2005-05-31 at 16:33, Jerald Sheets wrote:
> > > > > I do that with my IPCop firewall (www.ipcop.org)...
> > > > >
> > > > > It uses your primary ethernet (IPs removed for safety):
> > > > >
> > > > > eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX
> > > > >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > > > >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> > > > >           RX packets:37973138 errors:0 dropped:0 overruns:0 frame:0
> > > > >           TX packets:31729095 errors:0 dropped:0 overruns:0 carrier:0
> > > > >           collisions:4922 txqueuelen:1000
> > > > >           RX bytes:502443111 (479.1 Mb)  TX bytes:1688004962 (1609.8 Mb)
> > > > >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > > > >
> > > > > It aliases the rest of the IPs I was given by Speedfactory, and
> > > > > IPCop answers for all of them. I then use ipfw to send the two DNS
> > > > > servers to the right internal boxes, and whatever is on my DMZ. When
> > > > > configured, those look like so:
> > > > >
> > > > >
> > > > > eth1:0    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > > > >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > > > >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> > > > >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > > > >
> > > > > eth1:1    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > > > >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > > > >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> > > > >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > > > >
> > > > > eth1:2    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > > > >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > > > >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> > > > >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > > > >
> > > > > eth1:3    Link encap:Ethernet  HWaddr 00:E0:29:49:BA:C9
> > > > >           inet addr:**.**.**.**  Bcast:**.**.**.**  Mask:255.255.255.248
> > > > >           UP BROADCAST RUNNING  MTU:1500  Metric:1
> > > > >           Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > > > >
> > > > > the inet address in each case is one of the 5 consecutives given me
> > > > > by SF.
> > > > >
> > > > > As you can probably tell at this point, I'm a huge proponent of
> > > > > IPCop. It's easy to set up, and uses commodity hardware. I love it.
> > > > >
> > > > >
> > > > >
> > > > > Jerald M. Sheets jr.
> > > > > Sr. UNIX Systems Administrator
> > > > > McKesson, Inc.
> > > > > 404.293.8762
> > > > >
> > > > >
> > > > > On May 31, 2005, at 3:30 PM, Christopher Fowler wrote:
> > > > >
> > > > > > Typically all the firewalls that I've used have been the MASQ type.
> > > > > > I've received one public IP address and placed that on eth0, and
> > > > > > eth1 is a private on a 192.168.2.X.
> > > > > >
> > > > > > I am looking at expanding the number of public IPs from 1 to 5. I
> > > > > > have a question as to how this is configured. If my GDuo from SF
> > > > > > connects via a crossover cable to my firewall, how do I get the
> > > > > > remaining 4 public IPs available to the other devices? Do I
> > > > > > somehow make them available on eth1?
> > > > > >
> > > > > > One setup I'm looking at is colocating some servers at E-Deltacomm.
> > > > > > They will give me 16 public IPs and I want them to only go through
> > > > > > one Linux firewall. This was easy when that firewall was also the
> > > > > > gateway.
> > > > > >
> > > > > > I guess when I do get the 16 IPs they'll give me the gw address, the
> > > > > > subnet mask and network address. I could simply plug their network
> > > > > > cable into a Cisco switch and then have 16 servers attached, but
> > > > > > then they would all be vulnerable to the public network. Is there a
> > > > > > way I can plug a Linux box between E-Deltacomm and my Cisco switch
> > > > > > and have it do filtering but not have an IP address on either eth0
> > > > > > or eth1? This could be an invisible inline firewall thingy :)
> > > > > >
> > > > > > Chris
> > > > > >
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > Ale mailing list
> > > > > > Ale at ale.org
> > > > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
> > > > > >
> > > >
> > > >
> >
> >
</pre>
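The alias-plus-port-forwarding layout Jerald describes, as an added example that is not code from the thread or from IPCop: it brings the remaining addresses of a /29 up on the outside interface, forwards DNS on two of them to internal servers, and leaves the FORWARD policy at DROP for everything else. Interface names, the RFC 5737 documentation addresses and the internal DNS hosts are placeholders; with DRY_RUN=1 (the default) the script only prints the commands so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not code from the thread or from IPCop. Interface names,
# the RFC 5737 documentation addresses and the internal DNS hosts are
# placeholders. DRY_RUN=1 (the default) prints the commands instead of
# running them, so the rule set can be reviewed before it is applied.
DRY_RUN=${DRY_RUN:-1}
EXT_IF=eth1                 # public side, as in Jerald's ifconfig output
INT_IF=eth0                 # private side, 192.168.2.0/24 in the thread
PREFIX=29                   # mask 255.255.255.248: 6 usable, 1 assumed ISP gateway
FW_IP=203.0.113.10          # the firewall's own public address
EXTRA_IPS="203.0.113.11 203.0.113.12 203.0.113.13 203.0.113.14"
DNS1_PUB=203.0.113.11; DNS1_INT=192.168.2.53
DNS2_PUB=203.0.113.12; DNS2_INT=192.168.2.54

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Secondary addresses play the role of the eth1:0 .. eth1:3 aliases; the
# firewall then answers ARP for the whole block.
add_public_ips() {
  for ip in $EXTRA_IPS; do
    run ip addr add "$ip/$PREFIX" dev "$EXT_IF"
  done
}

# DNAT one public address:port to one internal host and open only that
# flow in FORWARD; the FORWARD policy below drops everything else.
forward_service() {   # PUBLIC_IP INTERNAL_IP PROTO PORT
  run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$1" -p "$3" --dport "$4" \
      -j DNAT --to-destination "$2:$4"
  run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$2" -p "$3" --dport "$4" \
      -m conntrack --ctstate NEW -j ACCEPT
}

apply_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w "net.ipv4.conf.$EXT_IF.rp_filter=1"
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  add_public_ips
  for proto in udp tcp; do          # DNS needs both
    forward_service "$DNS1_PUB" "$DNS1_INT" "$proto" 53
    forward_service "$DNS2_PUB" "$DNS2_INT" "$proto" 53
  done
  # LAN hosts still leave masqueraded behind the firewall's primary address
  run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
  run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s 192.168.2.0/24 -j SNAT --to-source "$FW_IP"
}

apply_rules
```

Rules for the firewall's own INPUT chain are a separate concern and are not shown here.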
</body>
</html>