[Fwbuilder-discussion] Question about fwbuilder and 'red' IP's
From: Rich D. <rdu...@th...> - 2005-05-19 20:33:14
Hi fwbuilders,

I'm wanting to replace an old seawall installation with a nice fancy fwbuilder installation (iptables based), but I'm not clear on how to do a couple of things.

First, the external network has 32 IPs, from xxx.xxx.xxx.96 to xxx.xxx.xxx.127.
.97 is the gateway ethernet device.
.100 must answer DNS queries
.101 must answer DNS queries

I want an internal network, and a DMZ for some servers.

Main question - can the firewall be configured in such a way that a computer can have an external IP address, yet still be 'behind' the firewall? I've got to have a machine running on one of the external IPs so that I can run the cisco VPN client, yet I need it to be protected by the firewall.

Also, in the current configuration, each web site has been given its own external IP. I'd like to stick with this idea, but, again, want to have the web server 'behind' the firewall. In order to do so, I would think that the fwbuilder eth0 would have to listen on multiple IPs.

On seawall,
eth0 = external (xxx.xxx.xxx.96/255.255.255.224)
eth1 = internal (192.168.0/255.255.255.0)
eth2 = dmz (192.168.1/255.255.255.0)

On seawall, there is a file called 'proxyarp', where each machine and its associated interface are currently defined. In this case, the external ip xxx.xxx.xxx.102 machine is on eth1 (internal network), and the external ip xxx.xxx.xxx.111 machine is on eth2. Through some (unknown to me) magic, the network functions just fine.

Lastly, I want to add firewall filtering to the outbound side of the network. Most firewall setups I have seen seem to default to a state that any connection from the inside is automatically granted. I'd like only certain types of connections going out.

How might these things be best accomplished with fwbuilder?

Many thanks.

-- 
Regards,
Rich

Current Conditions in Des Moines, IA
Scattered Clouds
Temp 82.4F
Winds out of the West at 17mph
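The mechanism behind seawall's 'proxyarp' file, and the default-deny outbound filtering asked about above, shown as plain Linux commands (an added example, not from the post and not what fwbuilder itself generates). It assumes a 203.0.113.x placeholder prefix for the masked xxx.xxx.xxx addresses, that the .111 host in the DMZ is a web server, and an outbound allow list of web, SMTP and DNS; the script only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Constructed example: publish external addresses that really live on an
# inner segment with proxy ARP on eth0 plus a /32 route, and make FORWARD
# default-deny with an explicit outbound allow list.
# 203.0.113.x (TEST-NET-3) stands in for the masked xxx.xxx.xxx prefix.
EXT_IF=eth0
INT_IF=eth1
DMZ_IF=eth2
INT_NET=192.168.0.0/24

# "external-address  interface the host is actually on" (as in the post)
PUBLISHED="203.0.113.102 eth1
203.0.113.111 eth2"

# Services the internal LAN may reach outside (assumed list).
OUTBOUND_TCP="80 443 25"
OUTBOUND_UDP="53"

emit() { printf '%s\n' "$*"; }

proxyarp_cmds() {
    # "ip neigh add proxy" makes the kernel answer ARP for the address on the
    # external interface; the host route steers the packet to the inner segment.
    printf '%s\n' "$PUBLISHED" | while read -r addr iface; do
        emit ip route add "$addr/32" dev "$iface"
        emit ip neigh add proxy "$addr" dev "$EXT_IF"
    done
}

forward_cmds() {
    emit iptables -P FORWARD DROP
    emit iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Published DMZ web server (.111, assumed) reachable on tcp/80 only.
    emit iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d 203.0.113.111 -p tcp --dport 80 -j ACCEPT
    # Outbound from the internal LAN: only the listed services, nothing else.
    # Published hosts (.102) are not covered by INT_NET and need their own rules.
    for p in $OUTBOUND_TCP; do
        emit iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $OUTBOUND_UDP; do
        emit iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p udp --dport "$p" -j ACCEPT
    done
    # Log what the default policy drops so the allow list can be tuned.
    emit iptables -A FORWARD -j LOG --log-prefix FWD-DROP:
}

# Print the commands; review them, then pipe the output into sh as root.
case "${1:-}" in --show) proxyarp_cmds; forward_cmds ;; esac
```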