Koala wrote:

> on a HUB. Their IP Addresses are 1.1.1.1/24 . My idea, was, to have Network C going
> through a default gateway of 1.1.1.1 (Debian with ipchains) where the second
> interface card goes to the normal network B (10.10.10.1) Therefore, Network C can
> see Network B, but Network B can't access Network C. So, the ipchains box for
> network C would have two ethernet cards with the following configuration :

You're a bit unclear about 'A', but if all you have is:

    +---+                +---+
    | B | - - - FW - - - | C |
    +---+                +---+
      |
      |
      |
    (Internet)

And you want stuff from 'C' to get to both A and B, but nothing from A or B to get to C, set the firewall to have the same default gw as those machines in net B, and those in C to have their gateway be the firewall. Put everything in C in its own IP address space.

Now, the rules themselves can be simple or hard. If you want simple, you may be able to get away with just disallowing anything from network B with a 'syn' flag set, and that's it. If you have sensitive data (stuff you need a security clearance to get access to) you'll have to go full bore.

Either way, just treat network 'B' as though it were the internet (hostile) and disregard the internet itself. Just remember that the internet is a connection of networks, and network C connects to it via network B; just like network B connects via your ISP.

Christopher
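
An added example, not part of the original message: a small Python model of the "simple" rule from the reply above (deny packets from network B that carry a SYN flag). It shows why connections opened from C still complete, and that the rule does not cover UDP or ICMP. The interface names (eth0 facing C, eth1 facing B) and the host addresses 1.1.1.20 and 10.10.10.5 are assumptions.

```python
# Added example: a model of the stateless "deny SYN from network B" rule.
# Roughly what `ipchains -A input -i eth1 -p tcp -y -d 1.1.1.0/24 -j DENY`
# matches; eth1 as the B-side interface is an assumption.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NET_C = ip_network("1.1.1.0/24")   # network C, derived from the quoted post


@dataclass(frozen=True)
class Packet:
    in_iface: str                    # interface the packet arrived on
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}


def is_new_tcp_connection(pkt):
    """ipchains -y semantics: SYN set, ACK and FIN cleared."""
    return (pkt.proto == "tcp" and "SYN" in pkt.flags
            and not pkt.flags & {"ACK", "FIN"})


def verdict(pkt, b_iface="eth1"):
    """Return 'DENY' for TCP connection attempts from B into C, else 'ACCEPT'."""
    if (pkt.in_iface == b_iface and ip_address(pkt.dst) in NET_C
            and is_new_tcp_connection(pkt)):
        return "DENY"
    return "ACCEPT"


# Constructed sample packets (host addresses are made up for the example).
SAMPLES = {
    "C opens TCP to B": Packet("eth0", "tcp", "1.1.1.20", "10.10.10.5",
                               frozenset({"SYN"})),
    "B answers C": Packet("eth1", "tcp", "10.10.10.5", "1.1.1.20",
                          frozenset({"SYN", "ACK"})),
    "B opens TCP to C": Packet("eth1", "tcp", "10.10.10.5", "1.1.1.20",
                               frozenset({"SYN"})),
    # Not TCP, so the SYN rule never matches it: needs its own rule.
    "B sends UDP to C": Packet("eth1", "udp", "10.10.10.5", "1.1.1.20"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} -> {verdict(pkt)}")
```

The last sample is the gap between the "simple" option and the "full bore" one: a SYN-only rule is a TCP rule, so UDP and ICMP from B toward C need separate handling.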