On Wed, 8 Jul 1998 [EMAIL PROTECTED] wrote:

> My goal is to set up a firewall to protect my subnet like this:
>
>                      Internet
>                         |
>             Cisco router (192.12.120.254)
>                         |
>       Local net 192.12.120.0 netmask 255.255.255.0
>                         |
>     FIREWALL eth0 = 192.12.120.190, eth1 = 192.12.120.202
>                         |
>   Protected subnet 192.12.120.200 netmask 255.255.255.252
>
> This worked fine when I used masquerading and a fake net (192.168.2.0)
> but not when I try to use real IP addresses and a subnet. This is the
> firewall setup:
>
> (outside)
> eth0:
>   IP        = 192.12.120.190
>   Netmask   = 255.255.255.0
>   Network   = 192.12.120.0
>   Broadcast = 192.12.120.255
>   Gateway   = 192.12.120.254
>
> (inside)
>   IP        = 192.12.120.202
>   Netmask   = 255.255.255.252
>   Network   = 192.12.120.200
>   Broadcast = 192.12.120.203
>   Gateway   = 192.12.120.190

you've got mismatched netmasks on the internal subnet and the external
subnet. they won't be able to communicate with each other through the
firewall/gateway box because all the machines on eth0 think that they
have a full /24 (class C), and that 192.12.120.202/255.255.255.252 is on
the local eth0 ethernet, not routed through the fw box.

i'm not sure if i'm explaining this very clearly. from the nature of the
mistake you've made, i think you need to read up on tcp/ip and on
building firewalls before building one. subnetting isn't that difficult
but it's easy to make mistakes if you don't understand how it works.

unless you've got a good reason not to, stick with using private
addresses (192.168.2.0) for your internal network....that makes building
the firewall purely a routing and ipfw problem, and avoids the hassle of
calculating netmasks.

if necessary (e.g. for accounting purposes), you can even route between
your external net and your internal 192.168.2.0 net....but then your
internal network can be reached if hosts on your external net are
compromised. security policies are always a tradeoff between convenience
vs. security.

> I have tried to turn on arp and promiscuous mode but that doesn't help.
> I'm able to ping both the Internet, localnet, and subnet from the
> firewall. I'm able to ping the firewall (both addresses) from a host
> on the subnet. Using tcpdump I see that when I ping a host from the
> subnet to the local net then traffic is forwarded out but not back
> to the host on the local net. My ipfw config is set to accept all
> traffic.

yes, that sounds consistent with messing up the subnetting. it's not an
ipfwadm or a routing problem, you have subnetted your IP space
incorrectly.

craig

--
craig sanders

--
Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
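The following is an added worked example, not part of the thread above and not written by either poster. It models the per-host forwarding decision craig describes (a host ARPs directly for any destination inside its own prefix and hands everything else to its default gateway) using the addresses quoted in the thread, plus three constructed hosts (192.12.120.10 on the local net, 192.12.120.201 on the protected /30, and 192.168.2.5 with gateway 192.168.2.1 for the private-address alternative), which are assumptions for illustration. It shows why the echo request from the protected subnet goes out through the firewall while the reply from the local net never comes back, matching the tcpdump observation, and why a non-overlapping private prefix turns the same exchange into a plain routing decision.

```python
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_interface

# Addresses quoted in the thread (the poster's setup).
FW_ETH0 = ip_interface("192.12.120.190/24")   # firewall, outside interface
FW_ETH1 = ip_interface("192.12.120.202/30")   # firewall, inside interface
ROUTER = ip_address("192.12.120.254")         # Cisco router: default gateway on the local net

# Constructed hosts (assumptions for the example, not from the thread).
LOCAL_HOST = ip_interface("192.12.120.10/24")    # an ordinary machine on the local /24
INSIDE_HOST = ip_interface("192.12.120.201/30")  # a machine on the protected /30
PRIVATE_HOST = ip_interface("192.168.2.5/24")    # the same machine under the private-net design
PRIVATE_GW = ip_address("192.168.2.1")           # assumed firewall inside address in that design


def next_hop(src: IPv4Interface, gateway: IPv4Address, dst: IPv4Address) -> str:
    """Classic host forwarding decision.

    If dst falls inside the prefix configured on src's interface, the host
    believes dst is on the same wire and ARPs for it directly ("on-link").
    Otherwise it forwards the packet to its default gateway.
    """
    if dst in src.network:
        return "on-link"
    return str(gateway)


def ping_path(src: IPv4Interface, src_gw: IPv4Address,
              dst: IPv4Interface, dst_gw: IPv4Address) -> tuple[str, str]:
    """Return (request_hop, reply_hop) for an ICMP echo from src to dst.

    request_hop is where src sends the echo request; reply_hop is where dst
    sends the echo reply. A reply_hop of "on-link" for a host that is really
    behind the firewall means dst will ARP on the wrong segment and the
    reply is lost unless something answers that ARP.
    """
    return next_hop(src, src_gw, dst.ip), next_hop(dst, dst_gw, src.ip)


def overlapping(inner: IPv4Interface, outer: IPv4Interface) -> bool:
    """True when the inside prefix is carved out of the outside prefix, i.e.
    hosts on the outside prefix will consider inside addresses on-link."""
    return inner.network.subnet_of(outer.network)


def diagnose() -> dict[str, object]:
    """Compare the poster's real-address layout with the private-net design."""
    real = ping_path(INSIDE_HOST, FW_ETH1.ip, LOCAL_HOST, ROUTER)
    private = ping_path(PRIVATE_HOST, PRIVATE_GW, LOCAL_HOST, ROUTER)
    return {
        "inside_prefix_overlaps_outside": overlapping(FW_ETH1, FW_ETH0),
        "real_addresses": real,        # ("192.12.120.202", "on-link"): reply never routed
        "private_addresses": private,  # ("192.168.2.1", "192.12.120.254"): reply is routed
        "private_overlaps_outside": overlapping(PRIVATE_HOST, FW_ETH0),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

With the real-address layout the request leaves via the firewall's inside address but the local host, which holds the whole /24, tries to deliver the reply on its own Ethernet segment and never consults a route. With 192.168.2.0/24 the local host instead hands the reply to the Cisco router, so whether the protected net is reachable at all is decided by the routes configured on the router and firewall, which is the routing-and-ipfw problem craig describes, together with the exposure he notes if such a route is added.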