Date:      Thu, 1 Nov 2001 13:10:19 +0100 (CET)
From:      Michal Mertl <mime@traveller.cz>
To:        questions@freebsd.org
Cc:        GregoryC@stcinc.com
Subject:   Re: Firewall on Qwest DSL Configuration
Message-ID:  <Pine.BSO.4.21.0111011249210.31153-100000@prg.traveller.cz>

On 31 Oct 2001 Gregory Carvalho wrote:

> I would appreciate feedback on the legitimacy of this proposed
> configuration.
>
> I have obtained a SDSL from Qwest with 5 IP address, 130.120.110.65,
> .66, .67, .68, and .69 with a netmask of 255.255.255.248. The Cisco 678
> MUST be the router connected to Qwest, per Qwest.
>
> Qwest Central Office
>     |
>     | SDSL
>     |
> Cisco 678
>    NIC: 130.120.110.70
>     |
>     | Network 130.120.110.64
>     |
>    NIC (xl0): 130.120.110.69
> FreeBSD Firewall
>    NIC (xl1): 192.168.49.1:255.255.255.0
>    NIC (xl2): 192.168.50.1:255.255.255.0
>
> xl1 is the DMZ
> xl2 is the office LAN
>
> Now, can I configure a host on xl1 as follows:
>
> ifconfig xl0 inet 192.168.49.2 netmask 255.255.255.0
> ifconfig xl0 alias 130.120.110.69 netmask 255.255.255.248
>
> Do you suppose BIND, Apache, and sendmail will function properly with
> the internet at large with this configuration?

No, it wouldn't work. The Cisco won't know how to send packets to a host on xl1.
You can't easily break the net 130.120.110.64/29 this way.

For this to work in this topology, you would have to either bridge the
networks (xl0 and xl1 connected) or run proxy-arp on the FreeBSD machine. I
don't like the idea :-).

Easier would be to get more IP addresses from the ISP and ask them to route
some block to 130.120.110.69. You could save some addresses by using
130.120.110.64/30 on the Cisco and xl0, but you would need ISP cooperation and
it would leave you with only one usable address in the DMZ.

If you can't get any cooperation from Qwest, you could have the servers placed
on the xl0 network. Of course, then you would have to secure all hosts
separately.



On 1 Oct 2001 Gregory Carvalho wrote:
> Clarification to previous post.
>
> "Now, can I configure a host on xl1 as follows:" should read "Now, can I
> configure a host hanging off the wire connected to xl1 as follows:"
>
> As an addition to the previous post, xl1 would have the following
> command executed during boot:
>
> route add -host 130.120.110.65 192.168.49.1
>
> which allows the internet to get to the hosts on 192.168.49.0. As
> 130.120.110.66, .67, and .68 are added, so too will additional route
> statements.

That's nonsense AFAIK.

HTH

-- 
Michal Mertl
mime@traveller.cz
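To make the routing argument in this thread concrete, here is an added Python model (not code from the thread or from either poster) of the Cisco's longest-prefix-match forwarding decision for the two layouts discussed: the original single /29 and the /30 split that needs ISP cooperation. The route tables, the "sdsl-uplink" placeholder and the .65/.66 addressing of the Cisco/xl0 link in the split are assumptions.

```python
import ipaddress

# Constructed model of a router's forwarding decision: a destination is either
# delivered on a directly connected segment (the router ARPs for the host
# itself) or forwarded to a next-hop router. Addresses come from the thread;
# the route tables below are assumptions, not the real Cisco 678 config.


def next_hop(routes, dst):
    """Longest-prefix match over `routes`, a list of (prefix, via).
    `via` is None for a directly connected network (delivery by ARP on that
    segment) or the address of the next-hop router."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return None
    net, via = best
    return ("connected", str(net)) if via is None else ("via", via)


# Scenario 1 (the original proposal): the whole /29 sits on the Cisco's LAN
# interface. .65 is inside that /29, so the Cisco ARPs for it on the xl0
# segment; the "route add -host" on the FreeBSD box is never consulted.
CISCO_ORIGINAL = [
    ("130.120.110.64/29", None),   # connected, Cisco is .70
    ("0.0.0.0/0", "sdsl-uplink"),  # default route; placeholder for the Qwest side
]

# Scenario 2 (the /30 split): only 130.120.110.64/30 is on the Cisco<->xl0
# link and the ISP/Cisco routes the other /30 to the FreeBSD box. Assumed
# addressing: Cisco .65, xl0 .66, xl1 takes .69 from the routed block.
CISCO_SPLIT = [
    ("130.120.110.64/30", None),
    ("130.120.110.68/30", "130.120.110.66"),  # routed to FreeBSD xl0
    ("0.0.0.0/0", "sdsl-uplink"),
]


def usable_hosts(prefix, *taken):
    """Host addresses left for servers after the interfaces take theirs."""
    hosts = {str(h) for h in ipaddress.ip_network(prefix).hosts()}
    return sorted(hosts - set(taken))
```

In the split, 130.120.110.68/30 minus xl1's own .69 leaves exactly one address (.70) for the DMZ, which is the "only one usable address" Michal mentions.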