Webmaster Elaconta wrote:
I'm not looking forward to addressing the router to a different subnet
(and i know that would solve the problem) because our Internet-facing
servers are connected directly to that router in DMZ fashion (the router
forwards ports to them). The firewall is also connected directly to that
router and the LAN is in turn connected to the firewall. Changing the
subnet on the router would mean we would have to reconfigure a number of
Internet services which sort of depend on the 192.168.1.x network
configuration.
Now, if you know how to do what I want with OpenBSD, I would love to hear
it.
You can configure OBSD to be a transparent bridge, as people here have
told you. Setting up bridging is pretty simple; I did it in an afternoon
for a test env. Having a system conf-ed to bridge does not preclude an
IP or running services. Read the bridge and brconfig man pages; that
will get you going. You can find the man pages at
http://www.openbsd.org/cgi-bin/man.cgi if you do not have a running system.
After listening to the solution, I can then judge for myself if the
solution works. Even if we maintain the "broken" architecture for a
while - I'm not even sure if it is that broken, since it worked for
years without a squeak - at least we'll have a secure OS running it.
A better way to config may be to run your fw as out_if=192.168.1.121,
in_if=192.168.2.1.
NAT your PCs behind 192.168.1.121,
change the default gw of your PCs to be 192.168.2.1 and continue life
fairly close to what you consider to be normal.
If it's not something you can get to, perhaps you could hire someone to
set it up. Jason Dixon monitors this list; he consults and seems to be
pretty sharp.
Trust them however when they say your configuration is broken.
People with heart murmurs pump blood for a long while, but are often
eventually betrayed by their hearts.
working( today && yesterday ) != { working( tomorrow ) || good_idea(1) };
--------------------------------------
Elaconta.com webmaster
--------------------------------------
On 7/27/2006, "Nick Holland" <[EMAIL PROTECTED]> wrote:
elaconta.com Webmaster wrote:
Howdy
We have here an old (Mandrake Linux 8 - yeah i know...) PC with two NICs
which serves as a firewall for our LAN and runs a Bind caching nameserver.
Although the machine is getting old, it still works well. Thing is, I'm
having a hard time trying to reproduce it, that is, getting another PC
to do exactly the same thing this PC is doing. It was configured by a
guy who left the company, so I can't simply ask him how he configured
it.
It's a precautionary measure, if the machine breaks down we need another
one to go in its place.
Yes You Do.
So while I am at it, I would love to replace the crusty old thing with a
new one running OpenBSD.
The networking scheme is:
Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
<-> (192.168.1.0/24) LAN
Now, thing is, the Linux firewall has two NICs:
NIC 1: 192.168.1.121
NIC 2: 192.168.1.122
The two NICs on the Linux box are configured with 192.168.1.121 and
192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
the company router (192.168.1.120) and 192.168.1.122 accesses the company
LAN (192.168.1.0/24).
From what I've googled, this shouldn't even be possible; everything is
on the same subnet. Regardless, it works great, and if I went and got an
OpenBSD rig to replace the old Linux rig, it would have to retain this
networking scheme; we can't afford to reconfigure the entire network
just for switching our firewall.
NO, you can't afford to avoid switching your firewall because of a
misconfigured network.
Your network is broke NOW. If that old box dies or gets rooted (if it
hasn't been already), you will be looking at a lot bigger problems than
renumbering a network.
I know we could use a network bridge, but we need the caching
nameserver functionality.
Not everything has to be in one box. I don't know how big your company
is, but I'm sure you have spare boxes lying around you can use as a DNS
resolver/server. Split the task up if you need to. Or..put an IP
address on one leg of the bridge. Lots of options.
I'm an all-round Unix guy, but I'm a bit green on the routing department.
Can an OpenBSD box be configured the same way the Linux box is so it can
be a drop-in replacement for the Linux box? I can of course depict in
further detail the configuration of the Linux box (netstat -r to show
the routes, ifconfig or whatever).
If your network is dependent upon strange tricks, it is misconfigured.
If you can't pull one part out and replace it with another one, it is
misconfigured. You should be able to choose the components that serve
you best, not "live with the only thing that works".
It is better to fix this on your schedule than to react to a disaster
when it happens (note use of the word "when"...)
Keep in mind...rather than renumbering your internal network, you can
just re-address your router to a different subnet, then you can put a
standard network configuration in place, ta-da, problem solved.
(ew, ick. I might have just thought of how to do what you want with
OpenBSD, but the basic idea is so wrong, I don't want to do anything to
encourage you to do anything other than FIX YOUR NETWORK PROPERLY).
Nick.
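The two layouts proposed in this thread, the routed out_if/in_if layout with the LAN NATed behind 192.168.1.121 and the transparent bridge with an IP on one leg, written out as OpenBSD configuration. This is an added example, not configuration posted by anyone in the thread. It assumes the firewall's NICs are fxp0 (toward the router) and fxp1 (toward the LAN), a 2006-era OpenBSD (3.x) where /etc/hostname.bridge0 holds brconfig(8) arguments and pf.conf still uses the nat rule syntax, and that the router stays at 192.168.1.120 so the Internet-facing servers hanging off it are untouched.

```pf
# ===== Option A: routed firewall, LAN renumbered to 192.168.2.0/24 =====
# (interface names fxp0/fxp1 are assumptions; check ifconfig on your box)

# /etc/hostname.fxp0   outside leg, same subnet as the router (192.168.1.120)
inet 192.168.1.121 255.255.255.0 NONE

# /etc/hostname.fxp1   inside leg, becomes the LAN's default gateway
inet 192.168.2.1 255.255.255.0 NONE

# /etc/mygate          default route goes out through the router
192.168.1.120

# /etc/sysctl.conf     a router/firewall must forward between its legs
net.inet.ip.forwarding=1

# /etc/pf.conf
ext_if = "fxp0"
int_if = "fxp1"

set skip on lo

# Rewrite LAN sources to the outside leg's address. The router and the
# DMZ servers on 192.168.1.0/24 never see 192.168.2.x, so nothing on that
# side needs a route back to the new subnet.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny inbound; the firewall's own outbound traffic is stateful.
block in log all
pass out quick keep state

# LAN hosts use the caching resolver on the inside leg (192.168.2.1) ...
pass in on $int_if proto { tcp, udp } from $int_if:network \
    to $int_if port 53 keep state
# ... and reach the outside world through the firewall.
pass in on $int_if from $int_if:network to any keep state

# ===== Option B: transparent bridge, LAN stays on 192.168.1.0/24 =====

# /etc/hostname.fxp0   outside member, no address, just brought up
up

# /etc/hostname.fxp1   inside member; the one leg that carries the
#                      firewall's own IP, so the resolver can listen on it
inet 192.168.1.121 255.255.255.0 NONE

# /etc/hostname.bridge0   one brconfig(8) argument set per line
add fxp0
add fxp1
up

# /etc/mygate   still the router, reachable on the shared subnet
192.168.1.120

# /etc/pf.conf (bridge)   same default-deny idea, no nat rule. A bridged
# packet is evaluated on each member interface it crosses, so filter on
# one member and skip the other to avoid double evaluation.
ext_if = "fxp0"
int_if = "fxp1"
set skip on { lo, $int_if }
block in log on $ext_if all
pass out on $ext_if keep state
pass in on $ext_if proto { tcp, udp } from 192.168.1.0/24 \
    to 192.168.1.121 port 53 keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. On OpenBSD 4.7 and later the `nat on ... ->` rule is written `match out on $ext_if from $int_if:network nat-to ($ext_if)` and brconfig(8) has been folded into ifconfig(8), although the `add`/`up` keywords in hostname.bridge0 are unchanged. Option A is the one that removes the "two NICs on one subnet" trick entirely; Option B keeps the existing numbering but leaves the firewall filtering at layer 2 inside a single broadcast domain, which is what "put an IP address on one leg of the bridge" refers to.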