From: John S. <jm...@jm...> - 2004-11-16 19:09:14
On Nov 16, 2004, at 11:24, Kyle Hutson wrote:

>> For an example of what I currently do with Shorewall ... advertise
>> my 3 subnets so BGP allows IP packets to into my network
>
> This one is the killer for IPCop - I don't know of any addons that will
> use BGP. (List members, feel free to prove me wrong - I've never needed
> to look for one.)

if you read his original message, he isn't doing BGP, his ISP is. he owns the class-c blocks, the ISP advertises them on his behalf and routes them to the static IP of his PPPoE connection. BGP is a non-issue for his needs.

however, your other points (especially about having so many red IP's) are valid. the best solution here would be to configure the ORANGE segment so that NAT were not being done- the machines in the orange segment would have real IP's in the class-c blocks that he owns, and ipcop would act as a router and packet filter for those machines, rather than a stateful packet inspection engine (which is tied up in the NAT mechanism.)

however, ipcop does not support this configuration. this would be a MAJOR change, not just in terms of modifying the scripts and the web interface, but in terms of modifying the basic structure of how ipcop operates. i don't see this happening anytime soon.

what you need IS possible with linux and iptables, but ipcop (which is, at its core, a pretty wrapper around iptables) doesn't have THAT much flexibility. don't get me wrong, i'm not putting it down at all- it's just that ipcop has certain limits, and your needs are not within those limits.

your best bet would be to install a bare-bones linux machine, shut down all un-needed network services, and write a script to install iptables using the exact rulesets you need. of course, if you're not already intimately familiar with iptables, this may be a bit of a challenge. therefore...

> My best advice: look at "Firewall Builder" (http://www.fwbuilder.org/).
> It's not a distro like IPCop, but a software package that runs on top
> of any other Linux distro (or OpenBSD). It has a clean interface and is
> pretty intuitive. It won't do BGP, so you'll have to install another
> package to do that, but it makes the firewall rules easy.

putting aside the BGP comment, this is excellent advice. fwbuilder should allow you to set up a machine with the exact iptables rules you need in order to make it all happen.

-----------------------------------------------
| John Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ <jm...@jm...> |
-----------------------------------------------
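Added example, not part of the thread or of IPCop: a POSIX shell script that emits an iptables-restore ruleset for the routed, non-NAT ORANGE segment described above, where the DMZ hosts keep real addresses from the owned block and only the private GREEN LAN is masqueraded behind the PPPoE address. The interface names, the 192.0.2.0/24 and 10.0.0.0/24 ranges and the published service list are assumptions standing in for the poster's actual blocks.

```shell
#!/bin/sh
# Constructed example: iptables-restore ruleset for a routed (non-NAT) DMZ.
# Assumed layout (not from the thread): ppp0 = PPPoE uplink (RED),
# eth1 = ORANGE holding routed public addresses, eth0 = GREEN private LAN.
# 192.0.2.0/24 stands in for an owned block the ISP routes to the PPPoE IP.
ORANGE_NET="${ORANGE_NET:-192.0.2.0/24}"
GREEN_NET="${GREEN_NET:-10.0.0.0/24}"
# Services on ORANGE hosts that RED may open new connections to: "ip:port".
ORANGE_SERVICES="${ORANGE_SERVICES:-192.0.2.10:80 192.0.2.10:443 192.0.2.20:25}"

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s $GREEN_NET -j ACCEPT
# Stateful inspection still applies even though ORANGE is not NATed.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: only the owned block may originate on ORANGE, and
# nothing claiming a local source address may arrive from RED.
-A FORWARD -i eth1 ! -s $ORANGE_NET -j DROP
-A FORWARD -i ppp0 -s $ORANGE_NET -j DROP
-A FORWARD -i ppp0 -s $GREEN_NET -j DROP
# ORANGE and GREEN may reach the Internet; GREEN may reach ORANGE, not vice versa.
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
EOF
    for svc in $ORANGE_SERVICES; do
        ip=${svc%:*}; port=${svc#*:}
        echo "-A FORWARD -i ppp0 -o eth1 -p tcp -d $ip --dport $port --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only the private GREEN segment is masqueraded; ORANGE keeps its real addresses.
-A POSTROUTING -o ppp0 -s $GREEN_NET -j MASQUERADE
COMMIT
EOF
}

# Usage: gen_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
# The box must also route: sysctl -w net.ipv4.ip_forward=1
```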