[lug] Setting up a firewall...

Rich Deeming rdeeming at mcdata.com
Fri Jul 21 11:32:27 MDT 2000


Brian,

Brian Jarrett wrote:

> Scenario:  Anti-Linux Boss just bought a Linux-based "firewall" for our
> Class C network.  (I think hell is about to freeze over!)  The company
> selling this low-end model is saying that we have to use
> "non-routable" IP addresses (reserved addresses like 192.168.x.x) behind the
> firewall.

No, you do not have to. It is the best way to do it.

> They are also telling my boss that our web servers, etc. will
> have to be on their own in our Class C network so that the Internet has
> access to them.

Not true either. They do not have to, but it is best. What they are saying is
that any service you run that accepts connections from the Internet should
reside in a DMZ (demilitarized zone).

> So it appears that this is the case with this low-end firewall solution.  It
> won't do port forwarding, but it will do NAT.

Using ipchains, port redirection is limited. Using masquerading, you are
essentially doing NAT.

> Setup of the firewall seems to only allow "non-routable" addresses on the
> LAN side of the box.
> Question:  Am I wrong, or wouldn't we just be better off setting up our own
> Linux system as a firewall?

It may take some time to get it right if it is your first time. In the long
run you are much better off.

> Since we have a Class C, I see no reason not to
> use the addresses allocated.

I see little to no reason to put your Class C on the external side. I am being
a hypocrite: we have a Class B, and our external is the same as our internal.
It makes an interesting yet complicated rule set.

> I would think that we could use the firewall
> to restrict IP traffic to port 80 for our web servers, and so on, but still
> use our Class C which would protect all of our machines, not just the
> workstations.
>
> Does anyone have some other suggestions?  I know a lot about TCP/IP, but I'm
> just now getting into the security side of things.  I'll probably end up
> setting up whatever we decide to do.

There is a book called Linux Firewalls by Robert L. Ziegler. I would recommend
it.

Rich Deeming

> Brian
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

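The masquerading and port-80 rules discussed in the reply, written out as an ipchains rule set for a Linux 2.2 firewall. This is an added example, not code from the original thread or from either poster. The interface names, the 203.0.113.x public addresses (TEST-NET), the 192.168.1.0/24 LAN, the DMZ on a third interface and the internal host 192.168.1.10 are all assumptions for illustration. It also shows the port-redirection limit Rich mentions: ipchains' own REDIRECT target can only divert a port to the firewall host itself, so forwarding a public port to an inside machine needs the separate ipmasqadm portfw tool rather than a plain ipchains rule.

```shell
#!/bin/sh
# Added example, not from the original thread: an ipchains (Linux 2.2) rule
# set for the scenario Brian describes. Assumptions for illustration:
#   eth0  Internet side, firewall address 203.0.113.2 (TEST-NET range)
#   eth1  masqueraded LAN, 192.168.1.0/24 (RFC 1918 addresses)
#   eth2  DMZ holding a public web server at 203.0.113.10
# By default the script only prints the commands. APPLY=1 executes them,
# which requires root and a kernel with ipchains/masquerading support.

EXT_IF=${EXT_IF:-eth0}; EXT_IP=${EXT_IP:-203.0.113.2}
LAN_IF=${LAN_IF:-eth1}; LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_IF=${DMZ_IF:-eth2}; WEB_IP=${WEB_IP:-203.0.113.10}

run() {
    # Print the command, or execute it when APPLY=1.
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

build_rules() {
    # Flush, then deny by default on all three chains. In ipchains a routed
    # packet passes input (arriving interface), forward (outgoing interface)
    # and output (outgoing interface), so each allowed flow needs all three.
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output DENY

    # Loopback must stay open or local services break.
    run ipchains -A input  -i lo -j ACCEPT
    run ipchains -A output -i lo -j ACCEPT

    # Anti-spoofing: RFC 1918 source addresses cannot legitimately arrive
    # from the Internet; drop and log them (-l).
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run ipchains -A input -i "$EXT_IF" -s "$net" -j DENY -l
    done

    # LAN -> Internet, masqueraded. MASQ in the forward chain rewrites the
    # source to EXT_IP; this is the NAT the firewall vendor is describing.
    run ipchains -A input   -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run ipchains -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
    run ipchains -A output  -i "$EXT_IF" -s "$EXT_IP"  -j ACCEPT
    # Replies to masqueraded TCP sessions: non-SYN packets ('! -y') only,
    # so nobody outside can open a new connection to the firewall itself.
    run ipchains -A input  -i "$EXT_IF" -p tcp -d "$EXT_IP" '!' -y -j ACCEPT
    run ipchains -A input  -i "$EXT_IF" -p udp -d "$EXT_IP" 1024:65535 -j ACCEPT
    run ipchains -A output -i "$LAN_IF" -d "$LAN_NET" -j ACCEPT

    # Internet -> DMZ web server: port 80 only, plus its replies back out.
    run ipchains -A input   -i "$EXT_IF" -p tcp -d "$WEB_IP" 80 -j ACCEPT
    run ipchains -A forward -i "$DMZ_IF" -p tcp -d "$WEB_IP" 80 -j ACCEPT
    run ipchains -A output  -i "$DMZ_IF" -p tcp -d "$WEB_IP" 80 -j ACCEPT
    run ipchains -A input   -i "$DMZ_IF" -p tcp -s "$WEB_IP" 80 '!' -y -j ACCEPT
    run ipchains -A forward -i "$EXT_IF" -p tcp -s "$WEB_IP" 80 '!' -y -j ACCEPT
    run ipchains -A output  -i "$EXT_IF" -p tcp -s "$WEB_IP" 80 '!' -y -j ACCEPT
}

# Port forwarding, the thing the vendor's box will not do. ipchains' REDIRECT
# target only diverts a port to the firewall host itself; sending a public
# port to an inside host needs the separate ipmasqadm portfw tool (2.2 kernels).
build_portfw_rules() {
    inside=${1:-192.168.1.10}   # assumed internal host
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 80 -j ACCEPT
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 80 -R "$inside" 80
}

build_rules
```

Run it without arguments to review the generated rule set before touching a live box; the ordering matters, since ipchains stops at the first matching rule in each chain. If the web server is instead put on the same masqueraded LAN with a private address, the DMZ rules go away and build_portfw_rules is the only way to expose port 80, which is exactly the case the reply calls limited.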