Subject: Re: Subnetting, firewall setup
From: Avery Payne (apayne@PCFRUIT.COM)
Date: Wed Oct 04 2000 - 10:34:18 CDT


From: "Dave Akins" <dave600@PACBELL.NET>
To: <FOCUS-LINUX@SECURITYFOCUS.COM>
Sent: Tuesday, October 03, 2000 4:13 PM
Subject: Subnetting, firewall setup

> I am familiar with using Linux as an IP Masq/gateway box to hook a
> private network to a public IP space. Now I have a new problem...
>
> I have a class C network that I've been given from my ISP. The T-1
> router sits at .1. I would like to set a Linux box up to be the
> firewall for everything in this Class C? Rather than order a smaller
> network to sit between the ISP and the Class C, is there a way I can do
> this with ONLY the Class C? Or am I best off ordering a small 2-host
> network to sit between the T-1 router and the Linux?

Set up a firewall/bridge at .2; tell the firewall/bridge that the default
gateway is (.1); tell all of the other clients *inside* the class C that the
default gateway is the firewall/bridge at (.2) and not the T-1 router;
finally, arrange for all inbound packets to forward from your T-1 (.1) to
your firewall/bridge (.2). Follow up on the firewall/bridge with the new
2.2 "source filter" feature for IP forwarding on your Class C "internal"
interface *only* (not 100% perfect but it does help a little with
anti-spoofing your network - do not use this feature on the interface that
is exposed to the T-1). Be sure to run a routed or gated on your
firewall/bridge, but do not enable any features which would advertise its
presence. Lastly, write up a nice set of IPCHAIN rules to work with
everything (be sure to purposely block access from the internal network to
your T-1, so that people don't attempt to "bypass" your firewall/bridge).

Packets will originate inside the network with a valid address, be forwarded
to the firewall/bridge, the bridge (after inspection) forwards to the T-1,
the T-1 to the public network; packets then come back to the T-1, which
forwards to the firewall/bridge, which in turn routes to the appropriate
client.

This is done off the top of my head, so if I've missed something, please
feel free to pipe up and let me know.
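The setup sketched in the reply above, written out as a shell script (an added example, not part of Avery's post or anything from the list). It assumes a Linux 2.2 kernel with ipchains, that the "source filter" meant is the kernel's reverse-path filter (rp_filter under /proc/sys/net/ipv4/conf/), that the firewall has two interfaces (eth0 facing the T-1 router, eth1 facing the internal hosts, on physically separate segments so hosts cannot ARP for .1 directly), and that the Class C is the documentation range 192.0.2.0/24 with the router at .1 and the firewall at .2. All of those names and addresses are placeholders. By default the script only prints the commands (DRY_RUN=1) so the rule set can be reviewed before it is applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: firewall/bridge box at .2 for a Linux 2.2 / ipchains host.
# Every address and interface name below is an assumption (constructed values).
NET="${NET:-192.0.2.0/24}"      # the Class C (documentation range, constructed)
ROUTER="${ROUTER:-192.0.2.1}"   # the ISP's T-1 router at .1
FW="${FW:-192.0.2.2}"           # this box, the firewall/bridge at .2
EXT_IF="${EXT_IF:-eth0}"        # interface facing the T-1 router
INT_IF="${INT_IF:-eth1}"        # interface facing the internal hosts
DRY_RUN="${DRY_RUN:-1}"         # 1 = print commands, 0 = execute them

# Print a command (DRY_RUN=1) or execute it (DRY_RUN=0).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Write a value into a /proc sysctl file, or print the equivalent echo.
proc_write() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo $2 > $1"
    else
        echo "$2" > "$1"
    fi
}

# Step 1: routing. Forward packets and use the T-1 router as default gateway.
# (The internal hosts point their own default gateway at $FW, not at $ROUTER.)
setup_routing() {
    proc_write /proc/sys/net/ipv4/ip_forward 1
    run route add default gw "$ROUTER" "$EXT_IF"
}

# Step 2: reverse-path ("source") filtering on the internal interface only.
# A packet entering $INT_IF whose source does not route back out $INT_IF is
# dropped. The same check is deliberately left off on the T-1 side, as the
# reply advises; spoofed internal addresses from outside are handled by a rule.
setup_source_filter() {
    proc_write "/proc/sys/net/ipv4/conf/$INT_IF/rp_filter" 1
    proc_write "/proc/sys/net/ipv4/conf/$EXT_IF/rp_filter" 0
}

# Step 3: ipchains rules. Default-deny on input and forward; deny rules go
# before the accepts because ipchains takes the first match.
setup_ipchains() {
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT
    run ipchains -A input -i lo -j ACCEPT
    # Internal hosts must not talk to the T-1 router directly (no bypass); log it.
    run ipchains -A input -i "$INT_IF" -d "$ROUTER" -j DENY -l
    # Packets arriving from the T-1 side that claim an internal source are spoofed.
    run ipchains -A input -i "$EXT_IF" -s "$NET" -j DENY -l
    # Accept the remaining traffic on each side for inspection by the forward chain.
    run ipchains -A input -i "$INT_IF" -s "$NET" -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -d "$NET" -j ACCEPT
    # In the forward chain -i names the outgoing interface: inside-out via the
    # T-1 side, and replies back to the internal hosts via the internal side.
    run ipchains -A forward -i "$EXT_IF" -s "$NET" -j ACCEPT
    run ipchains -A forward -i "$INT_IF" -d "$NET" -j ACCEPT
}

# Apply all three steps in order; returns the printed command list in DRY_RUN mode.
firewall_setup() {
    setup_routing
    setup_source_filter
    setup_ipchains
}

# Stand-alone run: with DRY_RUN=1 this only prints the commands for review.
firewall_setup
```

Note that the bypass rule on `input` only helps if the internal hosts really have to pass through the box to reach .1; if they share a wire with the router they will ARP for it directly and never touch this rule, which is the reason for the two-segment assumption.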