Michael C. Toren on Fri, 16 Jun 2000 11:15:17 -0400 (EDT)
> Okay, here's a question that I can't seem to find an answer for.
>
> My network is a registered class C network. I'm going to use a single bastion firewall between the router and the LAN. I want to forward and not masquerade (yes, I know masq'ing is more secure, but I think it would mess up future plans).
>
> My question is: do I need the two sides of my FW to be two separate subnets? I.e. if my router is 192.168.1.1, should the external interface of the FW be 192.168.1.2, with a mask of 255.255.255.252, and the internal interface be 192.168.1.5, with a mask of... grrr... everything above .4 (I can never figure those out).

I've never tried it, but my guess is that Linux won't like it. What you could do is use RFC1918 space between your router and your Linux box, and then use your /24 for the private side. Things may look a bit funny when someone does a traceroute, though, and you may be breaking an RFC or two by leaking RFC1918 space onto the 'net, but you wouldn't be the first to do it. (@home has been doing a lot of this, lately.)

Another option is to explain the problem to your NSP, and ask them to allocate you an additional /30 (a 255.255.255.252 subnet, which only has two usable addresses) for the ethernet between your router and firewall.

> Also, should the LAN systems then use the FW or the router for their gateway?

Machines on the private side of your firewall should always use the firewall as their default gateway.

-mct
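An added example (not part of the thread above) that checks the addressing plans being discussed with Python's standard `ipaddress` module: it lists the two usable hosts of a /30, shows why a /30 carved out of the same /24 that sits on the inside interface overlaps with it, and shows that "everything above .4" cannot be expressed as a single mask because it is not a power-of-two aligned block. The plan names and the 10.0.0.0/30 link are constructed for illustration.

```python
from ipaddress import ip_address, ip_interface, ip_network, summarize_address_range


def link_usable_hosts(cidr):
    """Usable host addresses of a point-to-point subnet, e.g. a /30 has two."""
    return [str(h) for h in ip_network(cidr, strict=False).hosts()]


def overlapping_pairs(interfaces):
    """Report interface pairs whose connected subnets overlap.

    A firewall with two interfaces in overlapping subnets cannot decide which
    interface a destination lives behind; this is the reason the reply expects
    Linux to dislike the /30-inside-the-same-/24 layout.
    """
    nets = [(name, ip_interface(addr).network) for name, addr in interfaces.items()]
    return sorted(
        (a, b)
        for i, (a, na) in enumerate(nets)
        for b, nb in nets[i + 1:]
        if na.overlaps(nb)
    )


def blocks_covering(first, last):
    """Smallest set of CIDR blocks covering an address range.

    If more than one block comes back, no single netmask describes the range.
    """
    return [str(n) for n in summarize_address_range(ip_address(first), ip_address(last))]


# Constructed plans (names and values are illustrative, not from the thread).
# Plan A: the poster's idea, a /30 on the outside taken from the same /24 used inside.
PLAN_SAME_BLOCK = {"fw_outside": "192.168.1.2/30", "fw_inside": "192.168.1.5/24"}

# Plan B: the reply's suggestion, RFC1918 space on the router link, the /24 inside.
PLAN_RFC1918_LINK = {"fw_outside": "10.0.0.2/30", "fw_inside": "192.168.1.1/24"}

if __name__ == "__main__":
    print("usable hosts on 10.0.0.0/30:", link_usable_hosts("10.0.0.0/30"))
    print("overlaps in plan A:", overlapping_pairs(PLAN_SAME_BLOCK))
    print("overlaps in plan B:", overlapping_pairs(PLAN_RFC1918_LINK))
    print("blocks needed for .4-.255:", blocks_covering("192.168.1.4", "192.168.1.255"))
```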