> [...] My question is this: Since my IP address will now be assigned
> to my DSL router _instead_ of my firewall/NAT box, how can I still have my
> firewall act as the firewall for my network?  Obviously, I'm going to put
> it on the line between my router and the rest of my network, and I can
> concieve setting it up as an ethernet bridge or something, but it seems
> like it will be difficult to do the port forwarding I'm doing now.
>
> I suppose I could set up my router to forward to 10.0.0.1:25 (for mail) and
> then have 10.0.0.1:25 forwarded to 10.0.0.2:25 (my mail server).  But it
> seems like a silly extra step.
>
> Has anyone run into a similar situation?
>


This is exactly the setup I have at home.  As I mentioned in another message, I
use the router as a blunt-force kinda firewall -- that is, it runs NAT, and
blocks incoming telnet, portmap and other undesirable connections.

NAT on the 675 is set up to forward *all* not-explicitly-banned traffic straight
to the linux firewall/server (this is the default setup when it's delivered, so
I really just had to add the "ban" rules).  This is more or less transparent --
even though the IP address is really assigned to the outside of the router, it
acts like a direct connection to the outside of the linux box.  The 10.0.0.1
address doesn't enter into it.  That's only important when you're trying to get
from the inside out -- you'll need that to be the linux box's default gateway,
and then all internal boxes will use the linux box as *their* default gw.

The linux box, of course, has two interfaces and is also running NAT (actually,
ipfwadm -- still haven't upgraded to ipchains).  What I wind up with is sort of
a double-firewalled setup.  The webserver winds up in more or less the
traditional "DMZ", except that it's running on the same machine as the second
firewall.

Here's a diagram, where "+" indicates an interface w/ IP address, and "---"
represents wire.

{Internet}---(209.100.555.555)
                    +
               [Cisco 675]
                    +
                (10.0.0.1)--------(10.0.0.2)
                                       +
                             [Linux firewall/server]
                                       +
       {LAN}-------[hub]--------(192.168.10.555)
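The two questions above (how port forwarding survives a second NAT hop, and why the Linux box has to be every internal host's default gateway) can be followed in a small packet-flow model. This is an added example, not the poster's configuration or any ipfwadm/ipchains rule set: it models each NAT hop as a table of translations with a little reply state, using the addresses from the diagram (including the message's own placeholder 555 octets) plus a constructed mail server address, remote client and gateway tables.

```python
"""Added model of the double-NAT path in the message above: the Cisco 675
passes every not-banned packet to the Linux box, which forwards chosen ports
to LAN hosts and answers the rest itself. Addresses come from the diagram;
the mail server, the remote client and the gateway tables are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatHop:
    """One NAT device. Inbound: drop banned ports, DNAT per port_map, otherwise
    hand to forward_all (the 675's default) or to a service on the box itself.
    Outbound: a reply to a translated connection gets the public address back;
    anything else is a plain masquerade (source port kept, to stay short)."""

    def __init__(self, name, outside, forward_all=None, port_map=None, banned=()):
        self.name = name
        self.outside = outside
        self.forward_all = forward_all
        self.port_map = dict(port_map or {})
        self.banned = set(banned)
        self.state = {}  # (inside, iport, remote, rport) -> public port

    def inbound(self, pkt):
        if pkt.dst != self.outside or pkt.dport in self.banned:
            return None
        target = self.port_map.get(pkt.dport, self.forward_all or self.outside)
        self.state[(target, pkt.dport, pkt.src, pkt.sport)] = pkt.dport
        return replace(pkt, dst=target)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:
            return replace(pkt, src=self.outside, sport=self.state[key])
        return replace(pkt, src=self.outside)


# Topology from the diagram (209.100.555.555 and 192.168.10.555 are the
# message's own placeholder addresses); the mail server address is constructed.
ROUTER_LAN = "10.0.0.1"
LINUX_LAN = "192.168.10.555"
MAIL = "192.168.10.5"
ROUTER = NatHop("Cisco 675", "209.100.555.555", forward_all="10.0.0.2", banned={23, 111})
LINUX = NatHop("Linux firewall/server", "10.0.0.2", port_map={25: MAIL})  # port 80 served locally

# Default gateway per host: a correct table, and one where the mail server
# points at a stray LAN gateway instead of the Linux box (constructed).
GOOD_GW = {MAIL: LINUX_LAN, LINUX.outside: ROUTER_LAN}
BAD_GW = {MAIL: "192.168.10.254", LINUX.outside: ROUTER_LAN}


def deliver_inbound(pkt):
    """Walk an Internet packet through both hops. Returns (host, packet) or (None, None)."""
    for hop in (ROUTER, LINUX):
        pkt = hop.inbound(pkt)
        if pkt is None:
            return None, None
        if pkt.dst == hop.outside:  # service on this box (the web server case)
            return hop.outside, pkt
    return pkt.dst, pkt


def deliver_reply(host, pkt, gateways):
    """Route a reply back out. A LAN host must use the Linux box as default
    gateway, and the Linux box must use 10.0.0.1; otherwise the NAT state
    that would undo the translation is never consulted and the reply is lost."""
    if host != LINUX.outside and gateways.get(host) != LINUX_LAN:
        return None
    if gateways.get(LINUX.outside) != ROUTER_LAN:
        return None
    return ROUTER.outbound(LINUX.outbound(pkt))


def session(dport, gateways, client=("198.51.100.7", 40000)):
    """One inbound connection plus its first reply; returns where it landed
    and the reply as the Internet sees it (None when dropped somewhere)."""
    syn = Packet(client[0], client[1], ROUTER.outside, dport)
    host, delivered = deliver_inbound(syn)
    if host is None:
        return {"delivered_to": None, "reply": None}
    reply = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    return {"delivered_to": host, "reply": deliver_reply(host, reply, gateways)}


if __name__ == "__main__":
    for port in (25, 80, 23):
        print(port, session(port, GOOD_GW))
    print("mail server with wrong gateway:", session(25, BAD_GW))
```

Running it shows the point of the reply: an SMTP connection to the public address lands on the mail server and its answer comes back out stamped with the public address, a web connection stops on the Linux box itself, telnet is dropped at the 675, and the same SMTP connection with a mis-set default gateway on the mail server arrives fine but never gets its reply out, because the hop holding the translation state never sees the return packet.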




---------------------------------------------------------------------
To unsubscribe, e-mail: tclug-list-unsubscribe at mn-linux.org
For additional commands, e-mail: tclug-list-help at mn-linux.org