Date:      Mon, 04 Nov 1996 08:08:04 -0600
From:      Hal Snyder <hal@vailsys.com>
To:        "Neil C. Jensen" <njensen@salsa.habaneros.com>
Cc:        "'questions@freebsd.org'" <questions@freebsd.org>
Subject:   Re: routing / firewall question
Message-ID:  <327DF8C4.1F01@vailsys.com>
References:  <01BBC822.97F241A0@ppp01.habaneros.com>

Neil C. Jensen wrote:

> I have 32 IP addresses subnetted from a class C. I presently have the
> following setup:
> 
> [ Internet ] <-------------------> Router <-------------------------> real
> & virtual servers
>                ISDN       xxx.xxx.xxx.97    ethernet          xxx.xxx.xxx.98-126
> 
> I would like to add a firewall using TIS's fwtk (for telnet and ftp) and
> perhaps the CERN HTTP proxy server (or Apache 1.2 proxy when it is
> released). The network will then look like:
> 
>                   ISDN             ethernet              ethernet
> [ Internet ] <-------> Router <--------> Firewall <--------> My machines
> 
> Where I get confused is at the Firewall. My understanding is that the two
> network interfaces must be on separate subnets. How can I address the two
> interfaces on the firewall and still retain the maximum number of IP
> addresses for the rest of my machines? (I saw some mail in the archives about
> using private addresses between the router and firewall, but apparently
> this does not work with the proxy servers on the firewall).

You get more security if you keep your .96-127 addresses on the
perimeter segment (where router and firewall communicate) and assign RFC
1918 IP addresses to your internal LAN nodes.  With this approach, there
is no direct IP route from the Internet to your internal LAN.  Turn off
IP forwarding in the firewall and proxy everything between the Internet
and your LAN.

If you don't want that, then you can further subnet your address block. 
The sanest way is to split it in half, keeping one half for the
router-firewall link segment and the other half for the LAN.  You can
salvage more addresses by giving, say, addresses .96-99 to the link
segment, but you'll need to add an extra routing rule to your LAN hosts.

> On a related question, just to make sure I understand this correctly; does
> the CERN proxy server reside on the firewall, instead of using fwtk's
> http-gw?

Yes, all proxy services reside on the firewall(s) in this sort of
scheme.  About HTTP proxying - squid outperforms CERN by quite a bit. 
Squid is just a proxy server.  If you want to serve your own pages,
Apache is more up-to-date than CERN's server.  If your pages are for
internal use only, I'd run the server somewhere else than on the proxy
host.
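The address arithmetic behind the three layouts above (public block on the perimeter with an RFC 1918 LAN, the /27 split in half, and a small /30 link segment with an extra route on the LAN hosts), as an added worked example that is not part of the original thread. It uses the documentation range 192.0.2.96/27 as a stand-in for the poster's xxx.xxx.xxx.96-127 and an assumed 10.0.0.0/24 for the internal LAN.

```python
import ipaddress

# Placeholder for the poster's xxx.xxx.xxx.96-127 block (192.0.2.0/24 is
# reserved for documentation, so no real network is named here).
BLOCK = ipaddress.ip_network("192.0.2.96/27")
# Assumed RFC 1918 range for the internal LAN in the first layout.
PRIVATE_LAN = ipaddress.ip_network("10.0.0.0/24")


def usable(net):
    """Host addresses in a subnet, network and broadcast excluded."""
    return list(net.hosts())


def private_lan_plan(block, lan=PRIVATE_LAN):
    """Layout 1: whole public block on the perimeter, private LAN behind
    a non-forwarding firewall. Nothing on the Internet has a route to LAN."""
    assert lan.is_private, "internal LAN must come from RFC 1918 space"
    return {"perimeter": str(block), "perimeter_hosts": len(usable(block)),
            "lan": str(lan), "lan_hosts": len(usable(lan)),
            "ip_forwarding": False}


def split_plan(block):
    """Layout 2: split the block in half, one /28 for the router-firewall
    link and one /28 for the LAN. Costs a network and broadcast per half."""
    link, lan = block.subnets(prefixlen_diff=1)
    return {"link": str(link), "link_hosts": len(usable(link)),
            "lan": str(lan), "lan_hosts": len(usable(lan))}


def carve_plan(block, link_prefixlen=30):
    """Layout 3: a /30 (.96-.99) for the link, the rest of the /27 for the
    LAN. LAN hosts keep the /27 mask, so they would treat the link /30 as
    on-link; each needs a static route for it via the firewall's LAN side."""
    link = next(block.subnets(new_prefix=link_prefixlen))
    lan_hosts = [h for h in usable(block) if h not in link]
    firewall_lan_if = lan_hosts[0]  # first LAN address goes to the firewall
    return {"link": str(link), "link_hosts": len(usable(link)),
            "lan_hosts": len(lan_hosts) - 1,  # minus the firewall's interface
            "extra_route": {"dest": str(link), "gateway": str(firewall_lan_if)}}


if __name__ == "__main__":
    for plan in (private_lan_plan, split_plan, carve_plan):
        print(plan.__name__, plan(BLOCK))
```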