From: Lars Ellenberg (l.g.e_at_web.de)
Date: Wed Aug 21 2002 - 05:33:56 CDT


    OK, now I am not doing this exactly every day, so I may be wrong,
     but iirc:

    > >how about host routes?
    >
    > I am interested in all your suggestions because I had a similar design
    > problem to that of the OP. How can this work if the NIC that connects
    > to the ISP has to have one of the IP addresses which are part of the
    > whole subnet linked with another NIC on the same machine? (My ISP gave
    > me a separate IP for this purpose.)
    >

    this is ugly, but it should work. ( If I am wrong, shout at me :)

            o.X: official, p.X: private

                                             :p.64---p.Y:private LAN
                                            /
            ISP----router o.1----o.2:firewall:p.1----o.3:DMZ host

    on router:
            default: ISP
            host o.2/32 via o.1
            host o.3/32 via o.2
            host o.4/32 via o.2 etc.
            host o.Proxy for LAN via o.2 ...
      last three lines could be replaced by a normal subnet route,
            net o.0/28 via o.1
      since host routes take precedence, so the subnet route is not active
      for o.2

    on firewall:
            [ LAN normal configuration ]
            default: o.1
            host o.1 via o.2
            host o.3 (DMZ) via p.1

    on DMZ:
            default: p.1
            host p.1 via o.3

    > >if you have control over the router yourself, or can talk someone at
    > >your ISP to reconfigure it, my preferred config would be host routes.
    >
    > This is difficult if the ISP won't commit itself to a particular gateway
    > at its end (mine has n routers, where n increases with time).

    maybe I did not understand this question.
    it is the router's job to cope with this, isn't it. regardless of the
    routing at your site, the ISP side is their problem.

    > >if that fails, you can do arp bridging on the firewall.
    >
    > This sounds like a good idea, is it difficult if the firewall is also
    > acting as a router for 2 different subnets and the ISP, though? (As in
    > OP, and my setup!)
    you can turn this on/off by interface.

    > >or use aliases on your firewall outside interface, and use private ips
    > >in the DMZ.
    >
    > If you do this, are all packets transparently routed between the
    > aliases, or do you have to use masquerading, with all the potential
    > protocol problems, and port forwarding?
    of course you have to NAT in this case. may or may not be easy...

    cheers,
            lge
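The routing layout above, walked through with a longest-prefix-match simulation. This is an added example, not code from the message or from any of the participants; the addresses are constructed placeholders (o.X is mapped to 203.0.113.X, p.X to 10.0.0.X, the ISP link to 198.51.100.0/30), and the covering /28 on the router is assumed to point at the firewall (o.2) so that the lookup for o.2 itself shows the /32 host route winning over the /28, which is the precedence point made in the message. The `isp` and `lan` nodes are constructed to give the traces somewhere to start.

```python
"""Longest-prefix-match walk through the host-route layout in the message.

Constructed example with placeholder addresses: the message writes o.X for
official and p.X for private addresses; here o.X is 203.0.113.X (a
documentation range) and p.X is 10.0.0.X. The ISP side is 198.51.100.0/30.
"""
import ipaddress
from dataclasses import dataclass, field

ISP_GW = "198.51.100.1"         # ISP's router, the site's default gateway
ROUTER_UPLINK = "198.51.100.2"  # site router's interface toward the ISP


def o(x: int) -> str:
    """Official (routable) address o.X."""
    return f"203.0.113.{x}"


def p(x: int) -> str:
    """Private address p.X."""
    return f"10.0.0.{x}"


@dataclass
class Node:
    name: str
    addrs: frozenset                            # own interface addresses
    routes: list = field(default_factory=list)  # (network, via)

    def add(self, prefix: str, via: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix, strict=False), via))

    def lookup(self, dst: str) -> tuple:
        """Longest-prefix match; returns (matched prefix, next-hop address).

        A 'via' that is one of this node's own addresses means the destination
        is on-link out of that interface, so the next hop is the destination.
        """
        d = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if d in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        net, via = best
        return str(net), (dst if via in self.addrs else via)


def build_site() -> dict:
    """Routing tables as listed in the message, plus an ISP and a LAN host."""
    isp = Node("isp", frozenset({ISP_GW}))
    isp.add("203.0.113.0/28", ROUTER_UPLINK)   # the ISP side is their problem

    router = Node("router", frozenset({ROUTER_UPLINK, o(1)}))
    router.add("0.0.0.0/0", ISP_GW)            # default: ISP
    router.add(o(2) + "/32", o(1))             # host o.2/32 via o.1 (on-link)
    router.add(o(3) + "/32", o(2))             # host o.3/32 via o.2
    router.add(o(4) + "/32", o(2))             # host o.4/32 via o.2
    router.add("203.0.113.0/28", o(2))         # covering /28 via firewall (assumed)

    firewall = Node("firewall", frozenset({o(2), p(1), p(64)}))
    firewall.add("10.0.0.64/26", p(64))        # LAN normal configuration
    firewall.add("0.0.0.0/0", o(1))            # default: o.1
    firewall.add(o(1) + "/32", o(2))           # host o.1 via o.2 (on-link)
    firewall.add(o(3) + "/32", p(1))           # host o.3 (DMZ) via p.1 (on-link)

    dmz = Node("dmz", frozenset({o(3)}))
    dmz.add("0.0.0.0/0", p(1))                 # default: p.1
    dmz.add(p(1) + "/32", o(3))                # host p.1 via o.3 (on-link)

    lan = Node("lan", frozenset({p(70)}))      # one LAN host, constructed
    lan.add("10.0.0.64/26", p(70))
    lan.add("0.0.0.0/0", p(64))

    return {n.name: n for n in (isp, router, firewall, dmz, lan)}


def trace(site: dict, start: str, dst: str) -> list:
    """Forward hop by hop and return the names of the nodes visited."""
    by_addr = {a: n for n in site.values() for a in n.addrs}
    node, path = site[start], [start]
    for _ in range(len(site)):                 # bounded, so a loop is reported
        if dst in node.addrs:
            return path
        _, nh = node.lookup(dst)
        node = by_addr.get(nh)
        if node is None:
            raise LookupError(f"{path[-1]}: next hop {nh} is not on any node")
        path.append(node.name)
    raise RuntimeError(f"forwarding loop toward {dst}: {path}")


if __name__ == "__main__":
    site = build_site()
    print("router lookup o.2:", site["router"].lookup(o(2)))
    print("router lookup o.9:", site["router"].lookup(o(9)))
    print("isp -> DMZ:", " -> ".join(trace(site, "isp", o(3))))
    print("DMZ -> isp:", " -> ".join(trace(site, "dmz", ISP_GW)))
    print("LAN -> DMZ:", " -> ".join(trace(site, "lan", o(3))))
```

The router's lookup for o.2 returns the /32 (on-link) entry even though the /28 also covers it, which is why the firewall's own address never gets forwarded back at the firewall; the three traces show inbound traffic reaching the DMZ host through the firewall, the reply leaving by the chain of default routes, and LAN traffic reaching the DMZ without ever touching the ISP link.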
