All you must do for this is add another NIC to the firewall and simply add
more ipchains rules for the IPs connected to it (remember, you need
different subnets on each interface to facilitate routing). You can even
go as far as dumping $500 for an Adaptec Quartet64 card that has 4 10/100
interfaces on 1 PCI slot so you can have piles of interfaces w/ different
rulesets. The most common use is to put public web/mail/ftp servers on
one zone and keep their "insecure" traffic segregated from the standard
LAN, which can be behind an IPMasq setup on eth2 (very useful if you only
get say a /27 from your provider, and don't have enough IPs to go around
the entire office). You can even go as far as setting up multiple
offices/segments for IPMasq access and denying traffic between the two,
etc.
None of these options require very extensive changes in your ipchains
rules; however, for some of them you should look at the -i eth# option for
ipchains (useful in saying "block all of this traffic") so you can allow
eth1 to browse the web but eth2 can't, etc.
-R
On Wed, 19 Jan 2000, Jeff Hubbs wrote:
> Using ipchains to make a Linux firewall, people typically dual-home a system
> and put the "unsafe" side on one interface and a "safe" side on the other
> (or at least so goes my dangerously underinformed understanding ;-) )
>
> Is it possible to implement an ipchains firewall such that there is one
> interface on the "unsafe" side and TWO interfaces on two "safe" sides, each
> with its own set of rules?
>
> - Jeff
> --
> To unsubscribe: mail majordomo@ale.org with "unsubscribe ale" in message body.
>
--
.----------------- PGP Key: `finger gashalot@gashalot.com` -----------------.
| Robert Gash | Work - gashalot@fasturl.net |
| Senior Systems Administrator | Personal - gashalot@gashalot.com |
| VenerNet Inc -- www.fasturl.net | http://www.gashalot.com |
`---- PGP Key Fprint: E6F3 CACA 9245 786B 7734 2853 D2C7 31D7 80FE 3B51 ----'
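The three-zone layout Robert describes (one untrusted interface, a DMZ for the public servers, and an office LAN behind IPMasq), written out as an ipchains ruleset. This is an added example, not a script from the original post or from the list; the interface names, the addresses (documentation ranges) and the DMZ hosts are all constructed assumptions. Because ipchains is a 2.2-kernel tool, the script prints the rules instead of loading them when ipchains is missing or it is not run as root, so the ruleset can be reviewed on a modern machine.

```shell
#!/bin/sh
# Added example (not the poster's own script): three-interface ipchains ruleset.
# eth0 faces the provider, eth1 is the DMZ with the public web/mail servers,
# eth2 is the office LAN hidden behind IPMasq. All addresses are constructed.
# When ipchains is absent, or we are not root, rules are printed, not loaded.

EXT_IF=eth0; EXT_IP=203.0.113.2        # constructed: /30 link to the provider
DMZ_IF=eth1; DMZ_NET=203.0.113.32/27   # constructed: the routed /27 for public servers
LAN_IF=eth2; LAN_NET=192.168.2.0/24    # constructed: private LAN, masqueraded
WEB=203.0.113.34; MAIL=203.0.113.35    # constructed DMZ hosts

if command -v ipchains >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    IPC=ipchains
else
    IPC="echo ipchains"   # dry run: print what would be loaded
fi

rule() { $IPC "$@"; }

load_rules() {
    # ipchains takes the first matching rule, so deny-and-log rules sit
    # above the accepts, and the input and forward chains end in DENY.
    rule -F input; rule -F forward; rule -F output
    rule -P input DENY
    rule -P forward DENY
    rule -P output ACCEPT
    rule -A input -i lo -j ACCEPT

    # Anti-spoofing keyed on the arriving interface (-i on the input chain):
    # LAN addresses never arrive from outside or from the DMZ, DMZ addresses
    # never arrive from outside, and only LAN addresses arrive on eth2.
    rule -A input -i $EXT_IF -s $LAN_NET -j DENY -l
    rule -A input -i $EXT_IF -s $DMZ_NET -j DENY -l
    rule -A input -i $DMZ_IF -s $LAN_NET -j DENY -l
    rule -A input -i $LAN_IF ! -s $LAN_NET -j DENY -l

    # Outside -> DMZ: new TCP connections (-y matches SYN) only to the
    # published ports; in ipchains syntax the port follows the address.
    rule -A input -i $EXT_IF -p tcp -d $WEB 80 -y -j ACCEPT
    rule -A input -i $EXT_IF -p tcp -d $WEB 443 -y -j ACCEPT
    rule -A input -i $EXT_IF -p tcp -d $MAIL 25 -y -j ACCEPT
    # Replies to connections opened from inside: non-SYN TCP, and DNS answers
    # addressed to the firewall (masqueraded LAN lookups are demasqueraded
    # after the input chain, so they still carry EXT_IP as destination here).
    rule -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
    rule -A input -i $EXT_IF -p udp -s 0.0.0.0/0 53 -d $EXT_IP -j ACCEPT
    rule -A input -i $EXT_IF -p icmp -j ACCEPT

    # DMZ hosts may talk out, but may never open a connection into the LAN.
    rule -A input -i $DMZ_IF -p tcp -d $LAN_NET -y -j DENY -l
    rule -A input -i $DMZ_IF -s $DMZ_NET -j ACCEPT

    # LAN hosts may send anything; what actually leaves is decided below.
    rule -A input -i $LAN_IF -s $LAN_NET -j ACCEPT

    # Forward chain: here -i names the OUTGOING interface.
    rule -A forward -i $EXT_IF -s $LAN_NET -j MASQ     # LAN -> world, masqueraded
    rule -A forward -i $EXT_IF -s $DMZ_NET -j ACCEPT   # DMZ -> world, real addresses
    rule -A forward -i $DMZ_IF -d $DMZ_NET -j ACCEPT   # LAN and world -> DMZ (filtered on input)
    # ipchains is stateless: DMZ replies to LAN connections need their own rule.
    rule -A forward -i $LAN_IF -p tcp -s $DMZ_NET -d $LAN_NET ! -y -j ACCEPT
    rule -A forward -i $LAN_IF -j DENY -l              # log anything else aimed into the LAN
}

enable_forwarding() {
    if [ "$IPC" = ipchains ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

load_rules
enable_forwarding
```

The per-interface split Robert mentions is the `-i eth#` match on the input chain: each zone gets its own block of rules keyed on the interface the packet arrived on, and the forward chain then decides which zones may reach which. Adding a fourth interface means one more set of address variables and one more block, not a rewrite of the existing rules.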