Matt Radtke wrote:
> Hello there
>
>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122) <-> (192.168.1.0/24) LAN
>>
>> Now, thing is, the Linux firewall has two NICs:
>>
>> NIC 1: 192.168.1.121
>> NIC 2: 192.168.1.122
>>
>> The two NICs on the Linux box are configured with 192.168.1.121 and
>> 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
>> the company router (192.168.1.120) and 192.168.1.122 accesses the company
>> LAN (192.168.1.0/24)
>
> Your Linux box is very likely running as a real bridge
> (set eth0 and eth1 as a bridge) or a fake bridge
> (running proxy-arp). You could confirm that--I'm
> guessing every machine in your LAN has a default gw of
> .120, your router? And your router believes that it
> is directly connected to your LAN? If not, then
> everyone else is right--your network is screwed and
> you're lucky it's lasted this long.

Every machine in our LAN has a default gateway of 192.168.1.122 (not 120). The firewall machine can connect both to the router and to the internal network. I can SSH to the firewall box from any machine in the 192.168.1.0 LAN and of course the firewall box accesses the net through the 192.168.1.120 router.

>> I know we could use a network bridge, but we need the caching
>> nameserver functionality.
>
> Setting up a machine to bridge does not exclude it from
> running as a nameserver, if you must still do this
> [0].
>
> Off the top of my head, create a bridge with your
> $inif and $outif on your replacement machine. Inif
> doesn't need to have an IP on it. Bind your
> nameserver to outif. Set up your filter rules as you
> need them.

I forgot to mention something - this Linux box is also secondary DNS for some Web domains.
Right now, the router forwards DNS packets from outside to 192.168.1.121 (the NIC on the firewall box which is connected to the router), and the Linux box serves DNS requests to the outside through the eth0 interface. I'm guessing a bridge can serve DNS to clients on the LAN if we give it an IP (I'm not sure how to do this though), but can it also serve DNS to Internet clients (outside the LAN)? Anyway, I guess a bridge wouldn't be the worst way to go, even if I would have to reconfigure 50 workstations across 3 departments (oh boy) to use 192.168.1.120 instead of 192.168.1.122. I could install a DNS server on IP 192.168.1.121 to take care of DNS.
Anyway, I have a small doubt about the bridge. I'm guessing it would enable transparent access from the LAN to 192.168.1.120 (the router) while allowing us to maintain our filtering rules, that is, the workstations would need to have 192.168.1.120 set as gateway. I hear bridges are not so good when it comes to handling FTP and IRC as a NAT'ing firewall. Is this true, or are there workarounds for this?

> -Matt
>
> ps. Just because something is a bridge doesn't mean
> that it can't have IP addresses.
>
> [0] List, feel free to destroy me if my setup wouldn't
> work. 8^)
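As an added example (not from this thread or from either poster), the bridge-plus-filter setup Matt sketches, written as a shell script for the two-NIC box. It assumes eth0 faces the router and eth1 the LAN, gives the bridge itself the 192.168.1.121 address so the nameserver can still be reached from both sides, and only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: rebuild the two-NIC firewall as a filtering bridge.
# Assumed layout: eth0 -> router (192.168.1.120), eth1 -> LAN (192.168.1.0/24).
# The member NICs carry no IP; only the bridge does (192.168.1.121).
# Commands are printed by default; set APPLY=1 to execute them as root.
set -e

OUTIF="${OUTIF:-eth0}"                 # router side ($outif in Matt's note)
INIF="${INIF:-eth1}"                   # LAN side ($inif)
BRIDGE="${BRIDGE:-br0}"
BRIDGE_IP="${BRIDGE_IP:-192.168.1.121/24}"
GATEWAY="${GATEWAY:-192.168.1.120}"
LAN="${LAN:-192.168.1.0/24}"

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Create the bridge, enslave both NICs, move the IP onto the bridge.
make_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip addr flush dev "$OUTIF"
    run ip addr flush dev "$INIF"
    run ip link set "$OUTIF" master "$BRIDGE"
    run ip link set "$INIF" master "$BRIDGE"
    for dev in "$OUTIF" "$INIF" "$BRIDGE"; do run ip link set "$dev" up; done
    run ip addr add "$BRIDGE_IP" dev "$BRIDGE"
    run ip route add default via "$GATEWAY"
    # Make iptables see bridged frames (br_netfilter module on newer kernels).
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Traffic crossing the bridge: the LAN may initiate, the outside only replies.
# physdev matches on the physical port, since both sides are one L2 segment.
make_filter() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$INIF" -s "$LAN" -j ACCEPT
    # Traffic to the box itself: SSH from the LAN, DNS (UDP and TCP) from both sides.
    run iptables -P INPUT DROP
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$BRIDGE" -s "$LAN" -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -i "$BRIDGE" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$BRIDGE" -p tcp --dport 53 -j ACCEPT
}

make_bridge
make_filter
```

Because there is no NAT in this design, the FTP and IRC connection-tracking helpers are not needed for address rewriting; the stateful FORWARD rules above still let the data connections back in as RELATED traffic.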