[ale] Firewall design
Christopher Fowler
cfowler at outpostsentinel.com
Tue May 31 21:28:56 EDT 2005
This is really cool. The only thing I do not like that others might is
that the implementation is hidden away. The nice click GUI will allow
anyone to set this up but if something goes screwy I need to be able to
dive in with VIM and fix the problem.
On Tue, 2005-05-31 at 20:50, Jerald Sheets wrote:
> *I* don't. The IPCop software does by design.
>
> http://www.ipcop.org.
>
> --j
>
>
> --- Christopher Fowler <cfowler at outpostsentinel.com> wrote:
>
> > Why do you alias for all of them?
> > It seems like that you have to assign an ip address to your ethernet
> > interface.
> >
> >
> > On Tue, 2005-05-31 at 16:33, Jerald Sheets wrote:
> > > I do that with my IPCop firewall (www.ipcop.org)...
> > >
> > > It uses your primary ethernet (IPs removed for safety):
> > >
> > > eth1 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX
> > > inet addr:**.**.**.** Bcast:**.**.**.** Mask:255.255.255.248
> > > UP BROADCAST RUNNING MTU:1500 Metric:1
> > > RX packets:37973138 errors:0 dropped:0 overruns:0 frame:0
> > > TX packets:31729095 errors:0 dropped:0 overruns:0 carrier:0
> > > collisions:4922 txqueuelen:1000
> > > RX bytes:502443111 (479.1 Mb) TX bytes:1688004962 (1609.8 Mb)
> > > Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > >
> > > It aliases the rest of the IPs I was given by Speedfactory, and
> > > IPCop answers for all of them. I then use ipfw to send the two DNS
> > > servers to the right internal boxes, and whatever is on my DMZ. When
> > > configured, those look like so:
> > >
> > >
> > > eth1:0 Link encap:Ethernet HWaddr 00:E0:29:49:BA:C9
> > > inet addr:**.**.**.** Bcast:**.**.**.** Mask:255.255.255.248
> > > UP BROADCAST RUNNING MTU:1500 Metric:1
> > > Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > >
> > > eth1:1 Link encap:Ethernet HWaddr 00:E0:29:49:BA:C9
> > > inet addr:**.**.**.** Bcast:**.**.**.** Mask:255.255.255.248
> > > UP BROADCAST RUNNING MTU:1500 Metric:1
> > > Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > >
> > > eth1:2 Link encap:Ethernet HWaddr 00:E0:29:49:BA:C9
> > > inet addr:**.**.**.** Bcast:**.**.**.** Mask:255.255.255.248
> > > UP BROADCAST RUNNING MTU:1500 Metric:1
> > > Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > >
> > > eth1:3 Link encap:Ethernet HWaddr 00:E0:29:49:BA:C9
> > > inet addr:**.**.**.** Bcast:**.**.**.** Mask:255.255.255.248
> > > UP BROADCAST RUNNING MTU:1500 Metric:1
> > > Interrupt:5 Base address:0x250 Memory:c0000-c2000
> > >
> > > the inet address in each case is one of the 5 consecutives given me
> > > by SF.
> > >
> > > As you can probably tell at this point, I'm a huge proponent of
> > > IPCop. It's easy to set up, and uses commodity hardware. I love it.
> > >
> > >
> > >
> > > Jerald M. Sheets jr.
> > > Sr. UNIX Systems Administrator
> > > McKesson, Inc.
> > > 404.293.8762
> > >
> > >
> > > On May 31, 2005, at 3:30 PM, Christopher Fowler wrote:
> > >
> > > > Typically all the firewalls that I've used have been the MASQ type.
> > > > I've received one public IP address and placed that on eth0 and
> > > > eth1 is a private on a 192.168.2.X.
> > > >
> > > > I am looking at expanding the number of public IPs from 1 to 5. I
> > > > have a question as to how this is configured. If my GDuo from SF
> > > > connects via a crossover cable to my firewall how do I get the
> > > > remaining 4 public IPs available to the other devices? Do I
> > > > somehow make them available on eth1?
> > > >
> > > > One setup I'm looking at colocating some servers at E-Deltacomm. They
> > > > will give me 16 public IPs and I want them to only go through one
> > > > Linux firewall. This was easy when that firewall was also the gateway.
> > > >
> > > > I guess when I do get the 16 ips they'll give me the gw address, the
> > > > subnet mask and network address. I could simply plug their network
> > > > cable into a Cisco switch and then have 16 servers attached to but
> > > > then they would all be vulnerable to the public network. Is there a
> > > > way I can plug a Linux box between E-Deltacomm and my Cisco switch
> > > > and have it do filtering but not have an IP address on either eth0
> > > > or eth1. This could be an invisible inline firewall thingy :)
> > > >
> > > > Chris
> > > >
> > > >
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > http://www.ale.org/mailman/listinfo/ale
> > > >
> >
> >
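A worked version of the two things the quoted thread asks about, aliasing the extra public addresses of a small block onto the firewall's outside interface and sending each one 1:1 to an internal box while every other forwarded packet stays blocked, as an added example that is not code from the thread, from Jerald's IPCop box or from the IPCop project. The interface names, the 203.0.113.8/29 block and the 10.0.0.x internal hosts are constructed placeholders. The script only echoes the commands it would run unless APPLY=1 is set, so the plan can be read and checked without root.

```shell
#!/bin/sh
# Added example, not code from the thread or from IPCop.
# Models the setup discussed above: a Linux firewall that owns one address of
# a small public block, aliases the rest onto its outside interface, and
# forwards each aliased address 1:1 to an internal host. FORWARD is
# default-deny; only the listed ports are opened per forwarded host.
# All addresses and interface names are constructed placeholders.

WAN=eth0          # assumed outside interface (crossover to the ISP router)
LAN=eth1          # assumed inside interface (to the colo switch)
PREFIX=29         # 255.255.255.248, the mask shown in the quoted ifconfig

# Echo commands by default; execute them only when APPLY=1 is set.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Dotted quad -> integer, using only POSIX sh word splitting and arithmetic.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# usable_hosts NETWORK NETMASK -> host addresses between network and
# broadcast, one per line. A /29 yields six; the ISP keeps one as the
# gateway, which is how "5 consecutives" come out of a 255.255.255.248 block.
usable_hosts() {
    net=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    bcast=$(( net | (mask ^ 0xFFFFFFFF) ))
    i=$(( net + 1 ))
    while [ "$i" -lt "$bcast" ]; do
        int_to_ip "$i"
        i=$(( i + 1 ))
    done
}

# Forwarding must be on, and the FORWARD chain drops everything except
# replies to connections that were explicitly allowed.
base_policy() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# forward_public PUBLIC INTERNAL PROTO PORT...
# Alias PUBLIC on the outside interface, DNAT inbound traffic for it to
# INTERNAL, SNAT INTERNAL's outbound traffic back to PUBLIC, and accept only
# new connections to the listed ports in FORWARD.
forward_public() {
    pub=$1; int=$2; proto=$3; shift 3
    run ip addr add "$pub/$PREFIX" dev "$WAN"
    run iptables -t nat -A PREROUTING -i "$WAN" -d "$pub" -j DNAT --to-destination "$int"
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$int" -j SNAT --to-source "$pub"
    for port in "$@"; do
        run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$int" -p "$proto" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Demonstration with constructed values: the two DNS servers from the thread,
# each on its own public address, with only UDP/53 reachable from outside.
echo "# usable addresses in 203.0.113.8/29:"
usable_hosts 203.0.113.8 255.255.255.248
echo "# planned commands:"
base_policy
forward_public 203.0.113.10 10.0.0.53 udp 53
forward_public 203.0.113.11 10.0.0.54 udp 53
```

The "invisible inline firewall" Chris asks for at the end is a different shape, a bridge with both interfaces enslaved and no address of its own, which this example does not set up; once bridged traffic is handed to iptables through br_netfilter, the same default-deny FORWARD rules apply to it, without any DNAT.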