[ale] Firewall design
Stuffed Crust
pizza at shaftnet.org
Wed Jun 1 08:11:52 EDT 2005
On Tue, May 31, 2005 at 10:19:44PM -0400, Christopher Fowler wrote:
> Whatever I do my plan is to create the firewall as a bridging firewall
> with _no_ address. The only access will be via serial console. We'll
> install a console management device at the remote site so I will have to
> access it first remotely before I can connect to the console on the
> firewall to config or make changes.
This limits its effectiveness somewhat, as you'll be forced to use
ebtables instead of iptables, which has a much smaller functionality
set. This is because when bridging the IP traffic never actually hits
the interfaces, thus the standard INPUT/FORWARD/OUTPUT rules never
apply. And NAT will certainly have to be handled by another machine;
one with actual IP addresses configured.
Is there any reason you don't do the following:
ISP ---- [ NID box ] ------ SERVER1 [nat] --- INTERNAL network
                     |--- SERVER2
                     |--- SERVER3
                     |--- SERVER4
                     |--- SERVER5
Granted, this way you end up needing to configure firewalls on each
machine. You could [transparently] insert your bridge firewall machine
after the NID box much like you need a hub or switch there anyway.
The above illustration is how I have things set up at work, and if
Bright House Networks didn't want $80/month more for multiple IPs, at
home as well. Each SERVER has its own firewall configured, and SERVER1
does NAT for the internal private network.
- Pizza
--
Solomon Peachy ICQ: 1318344
Melbourne, FL JID: pitha at myjabber.net
Quidquid latine dictum sit, altum viditur
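The layout Solomon proposes puts the NAT on SERVER1 and a host firewall on every other SERVER. The script below is an added example of what that looks like in iptables; it is not from the original post or from either poster. It assumes SERVER1's public interface is eth0, its internal interface is eth1, and the INTERNAL network is 192.168.10.0/24 (none of these appear in the thread). With DRY_RUN=1 it prints the rules instead of applying them, so the rule set can be reviewed before it is loaded on a box whose only management path is the console.

```shell
#!/bin/sh
# Added example (not from the original thread). SERVER1 owns the public IP on
# $WAN and NATs the private network on $LAN; SERVER2..SERVER5 run a plain
# host firewall. Interface names and the private range are assumptions.
# DRY_RUN=1 prints every command instead of executing it.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.10.0/24}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}
fw() { run iptables "$@"; }

# Baseline shared by every SERVER: default deny inbound and forwarded traffic,
# allow loopback and replies to connections the host itself opened.
host_baseline() {
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT ACCEPT
    fw -A INPUT -i lo -j ACCEPT
    fw -A INPUT -m conntrack --ctstate INVALID -j DROP
    fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# SERVER2..SERVER5: expose only the listed TCP ports on the public interface.
# Usage: host_firewall_rules eth0 22 443
host_firewall_rules() {
    iface=$1; shift
    host_baseline
    for port in "$@"; do
        fw -A INPUT -i "$iface" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# SERVER1: the host baseline plus routing and source NAT for the INTERNAL net.
nat_gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    host_baseline
    # Anti-spoofing first: a packet from the WAN must never carry a LAN source.
    fw -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    fw -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # Internal hosts may talk to SERVER1 itself (DNS, DHCP, ssh from inside).
    fw -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # Only LAN-originated connections are forwarded out; replies come back via
    # conntrack, and nothing unsolicited from the WAN reaches the inside.
    fw -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    fw -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Hide the private range behind SERVER1's public address.
    fw -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

# ./fw.sh gateway            -> rules for SERVER1
# ./fw.sh host 22 80 443     -> rules for one of SERVER2..SERVER5
case "${1:-}" in
    gateway) nat_gateway_rules ;;
    host)    shift; host_firewall_rules "$WAN" "$@" ;;
esac
```

Flushing existing chains and persisting the rules across reboots are left to the distribution's tooling; the point of the split is that the FORWARD and nat chains exist only on SERVER1, while the other SERVERs carry nothing but an INPUT policy for their own services.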