See inline...jc

Thusly Thwacked By Davy Gigan:

> Marco Tassinari writes:
> >
> > Hallo,
> > I wonder what is the best solution for security in this ascii-art
> > network:
> >
> >                    [router]
> >                       |
> >   [let's call it firewall even if it's not one for the moment]
> >                       |
> >   +--------------|-------------|----....----|
> >   |              |             |            |
> > [server]       [PC]          [PC]         [PC]
> >
> > The topology is untouchable: this is a marketing request.
> > In the empty space I put my firewall: a filter and proxy (squid)
> > server, debian potato with kernel 2.2.19, ipchains made.
> > It seems a good solution to me.
>
> Hum, it seems to be good, but you should take great care: this machine
> would become your main headache for security purposes. Evidence is
> all your connected PCs are in local subnets and the router is configured
> to drop any local subnet packets attempting to go out.
>
> > The trouble is a pre-imposed NAT table in the router: the unique
> > external IP is remapped to the internal address of the server.
>
> Maybe you could give the server's address to the firewall ;-) Then you don't
> have to touch the router's configuration.

I second this suggestion. If your firewall is the address of your server, you could set it to only pass connections to the server that have destination=firewall and specified ports for the allowed services. I assume the router is doing a direct mapping 1:1 NAT, no port address translation for the server and dynamic M:1 or M:N NAT for the PC population.

> > I don't know how to say the router 'route add default gw firewall'...
>
> You should never do that since I suppose the router is your external access;
> the default route must be another router ... But you can tell the router to
> redirect all stuff for the server to the firewall.

Agreed.

> > and my manager said: <<router is preferably not to modify>>.
>
> He could just change the router's configuration to whatever you choose for
> the firewall address and remap all public traffic (filtering all you don't
> need) to your firewall. Then configuring your firewall would act as you
> configuring the router directly, except there is another gate between you
> and the wild wild internet. It's a good thing. Anyway, for more security,
> you should try to configure your router to drop all incoming connections
> on critical services running on the firewall.

Your manager is a 'tard if he/she doesn't think the router is part of the security solution. Sounds like he/she needs some educating by you.

> > So I thought:
> >
> > First solution: to make the firewall be a bridge for incoming
> > connections to the server, and normal filter+proxy for
> > outgoing ones. It seems not so good to me.
> >
> > Or: to make the firewall use a 2.4.5 kernel, and use NAT iptable to
> > redirect in some way the router --> server connection. I think (but
> > I'm not sure) it should work. It costs a lot to me in upgrading to
> > iptables.
>
> They're not so different and some existing tools do convert your old rules to
> the new iptables ones. You can also keep ipchains compatibility within your
> 2.4 kernel (I've never tested it, but I understood it was possible).
>
> Last thing, your two solutions are nearly the same solution: making your
> firewall a bridge for the server's connections reflects it acts as a NAT for
> the server's address; you can do it with ipchains / iptables.
>
> See the NAT and port forwarding HOWTOs for a complete explanation ...
>
> > What do you suggest?
>
> As a conclusion, you'll ask your manager to modify the router's configuration
> anyway.
>
> > Thanks!, Marco
>
> Regards.
>
> --
> Davy Gigan
> System & Network Administration
> University Of Caen (France)
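The "give the server's address to the firewall" design that Davy and jc agree on, written out as an added iptables (2.4-kernel) example; this is not code from either poster or from the thread. The router keeps its existing 1:1 NAT, which now lands on the firewall's address; the firewall DNATs only the allowed service ports on to the server's new internal address and drops every other new inbound connection. The addresses, interface names and port list are constructed placeholders, and the script only prints an iptables-restore ruleset so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not part of the original thread. Generates an iptables
# ruleset for a firewall that has taken over the server's old internal
# address (the one the router's fixed NAT entry points at).
#
# gen_rules FW_ADDR SERVER_ADDR EXT_IF INT_IF "PORT PORT ..."
# Prints an iptables-restore style ruleset to stdout; nothing is applied.
gen_rules() {
    fw_addr=$1; server=$2; ext_if=$3; int_if=$4; ports=$5

    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    for p in $ports; do
        # Only the allowed service ports arriving on the old server address
        # are redirected to the server's new internal address.
        printf '%s\n' "-A PREROUTING -i $ext_if -d $fw_addr -p tcp --dport $p -j DNAT --to-destination $server:$p"
    done
    # Outbound traffic from the PCs leaves behind the firewall's address.
    printf '%s\n' "-A POSTROUTING -o $ext_if -j MASQUERADE"
    printf '%s\n' 'COMMIT'

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Replies and related packets of already-accepted connections, both ways.
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        # New inbound connections are accepted only for the DNATed ports and
        # only towards the server; anything else hits the FORWARD DROP policy.
        printf '%s\n' "-A FORWARD -i $ext_if -o $int_if -d $server -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Internal hosts may open outbound connections.
    printf '%s\n' "-A FORWARD -i $int_if -o $ext_if -m state --state NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Sample invocation with constructed values: firewall now holds 10.0.0.2 (the
# address the router's NAT entry maps to), server moved to 10.0.0.3, web only.
if [ "${1:-}" = "--demo" ]; then
    gen_rules 10.0.0.2 10.0.0.3 eth0 eth1 "80 443"
fi
```

To apply, review the output and then pipe it into the kernel's table loader: `sh fw.sh --demo | iptables-restore`. Because the FORWARD policy is DROP and INPUT is DROP, a port left off the list is unreachable from the router side, which is the "only pass connections ... and specified ports" behaviour jc describes; the router's own filtering that Davy recommends stays a separate, outer layer.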