[Fwbuilder-discussion] Question about fwbuilder and 'red' IP's

[Rich D. <rdu...@th...>]

Hi fwbuilders,

I'm wanting to replace an old seawall installation with a nice fancy
fwbuilder installation (iptables based), but I'm not clear on how to do
a couple of things.

First, the external network has 32 IP's, from xxx.xxx.xxx.96 to
xxx.xxx.xxx.127.  

.97 is the gateway ethernet device.
.100 must answer DNS queries
.101 must answer DNS queries

I want an internal network, and a DMZ for some servers.

Main question - can the firewall be configured in such a way that a
computer can have an external IP address, yet still be 'behind' the
firewall?

I've got to have a machine running on one of the external IP's so that I
can run the cisco VPN client, yet I need it to be protected by the
firewall.

Also, in the current configuration, each web site has been given it's
own external IP.  I'd like to stick with this idea, but, again, want to
have the web server 'behind' the firewall.  In order to do so, I would
think that the fwbuilder eth0 would have to listen on multiple IP's.  

On seawall, 
eth0 = external (xxx.xxx.xxx.96/255.255.255.224)
eth1 = internal (192.168.0/255.255.255.0)
eth2 = dmz (192.168.1/255.255.255.0)

On seawall, there is a file called 'proxyarp',  where each machine and
it's associated interface are currently defined.

In this case, the external ip xxx.xxx.xxx.102 machine is on eth1
(internal network), and the external ip xxx.xxx.xxx.111 machine is on
eth2.  Through some (unknown to me) magic, the network functions just
fine.

Lastly, I want to add firewall filtering to the outbound side of the
network.  Most firewall setups I have seen seem to default to a state
that any connection from the inside is automatically granted.  I'd like
only certain types of connections going out.

How might these things be best accomplished with fwbuilder?

Many thanks.

--
Regards,
Rich

Current Conditions in Des Moines, IA
Scattered Clouds
Temp 82.4F
Winds out of the West at 17mph