Dag Richards wrote:
> Webmaster Elaconta wrote:
>> I'm not looking forward to addressing the router to a different subnet
>> (and I know that would solve the problem) because our Internet-facing
>> servers are connected directly to that router in DMZ fashion (the router
>> forwards ports to them). The firewall is also connected directly to that
>> router and the LAN is in turn connected to the firewall. Changing the
>> subnet on the router would mean we would have to reconfigure a number of
>> Internet services which sort of depend on the 192.168.1.x network
>> configuration.
>>
>> Now, if you know how to do what I want with OpenBSD, I would love to
>> hear it.
>
> You can configure OBSD to be a transparent bridge, as people here have
> told you. Setting up bridging is pretty simple, I did it in an
> afternoon for a test env. Having a system conf-ed to bridge does not
> preclude an IP or running services. Read the bridge and brconfig man
> pages, that will get you going. You can find the man pages at
> http://www.openbsd.org/cgi-bin/man.cgi if you do not have a running
> system.
>
>> After listening to the solution, I can then judge for myself if the
>> solution works. Even if we maintain the "broken" architecture for a
>> while - I'm not even sure if it is that broken, since it worked for
>> years without a squeak - at least we'll have a secure OS running it.
>
> A better way to config may be to run your fw as out_if=192.168.1.121
> in_if=192.168.2.1
>
> NAT your PCs behind 192.168.1.121, change the default gw of your PCs to
> be 192.168.2.1 and continue life fairly close to what you consider to
> be normal.
>
> If it's not something you can get to, perhaps you could hire someone to
> set it up. Jason Dixon monitors this list, he consults and seems to be
> pretty sharp.
>
> Trust them however when they say your configuration is broken.
> People with heart murmurs pump blood for a long while, but are often
> eventually betrayed by their hearts.
>
> working( today && yesterday ) != { working( tomorrow ) || good_idea(1) };
>
>> --------------------------------------
>> Elaconta.com webmaster
>> --------------------------------------
>>
>> On 7/27/2006, "Nick Holland" <[EMAIL PROTECTED]> wrote:
>>
>>> elaconta.com Webmaster wrote:
>>>> Howdy
>>>>
>>>> We have here an old (Mandrake Linux 8 - yeah I know...) PC with two
>>>> NICs which serves as a firewall for our LAN and runs a Bind caching
>>>> nameserver. Although the machine is getting old, it still works well.
>>>> Thing is, I'm having a hard time trying to reproduce it, that is,
>>>> getting another PC to do exactly the same thing this PC is doing. It
>>>> was configured by a guy that left the company, so I can't simply ask
>>>> him how he configured it.
>>>> It's a precautionary measure, if the machine breaks down we need
>>>> another one to go in its place.
>>> Yes You Do.
>>>
>>>> So while I am at it I would love to replace the crusty old thing with
>>>> a new one running OpenBSD.
>>>> The networking scheme is:
>>>>
>>>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
>>>> <-> (192.168.1.0/24) LAN
>>>>
>>>> Now, thing is, the Linux firewall has two NICs:
>>>>
>>>> NIC 1: 192.168.1.121
>>>> NIC 2: 192.168.1.122
>>>>
>>>> The two NICs on the Linux box are configured with 192.168.1.121 and
>>>> 192.168.1.122, both interfaces on the same subnet. 192.168.1.121
>>>> accesses the company router (192.168.1.120) and 192.168.1.122 accesses
>>>> the company LAN (192.168.1.0/24).
>>>> From what I've googled, this shouldn't even be possible, everything is
>>>> on the same subnet. Regardless, it works great, and if I went and got
>>>> an OpenBSD rig to replace the old Linux rig, it would have to retain
>>>> this networking scheme, we can't afford to reconfigure the entire
>>>> network just for switching our firewall.
>>> NO, you can't afford to avoid switching your firewall because of a
>>> misconfigured network.
>>>
>>> Your network is broke NOW. If that old box dies or gets rooted (if it
>>> hasn't been already), you will be looking at a lot bigger problems than
>>> renumbering a network.
>>>
>>>> I know we could use a network bridge, but we need the caching
>>>> nameserver functionality.
>>> Not everything has to be in one box. I don't know how big your company
>>> is, but I'm sure you have spare boxes lying around you can use as a DNS
>>> resolver/server. Split the task up if you need to. Or..put an IP
>>> address on one leg of the bridge. Lots of options.
>>>
>>>> I'm an all round Unix guy, but I'm a bit green on the routing
>>>> department.
>>>>
>>>> Can an OpenBSD box be configured the same way the Linux box is so it
>>>> can be a drop-in replacement for the Linux box? I can of course depict
>>>> in further detail the configuration of the Linux box (netstat -r to
>>>> show the routes, ifconfig or whatever).
>>> If your network is dependent upon strange tricks, it is misconfigured.
>>> If you can't pull one part out and replace it with another one, it is
>>> misconfigured. You should be able to choose the components that serve
>>> you best, not "live with the only thing that works".
>>>
>>> It is better to fix this on your schedule than to react to a disaster
>>> when it happens (note use of the word "when"...)
>>>
>>> Keep in mind...rather than renumbering your internal network, you can
>>> just re-address your router to a different subnet, then you can put a
>>> standard network configuration in place, ta-da, problem solved.
>>>
>>> (ew, ick. I might have just thought of how to do what you want with
>>> OpenBSD, but the basic idea is so wrong, I don't want to do anything to
>>> encourage you to do anything other than FIX YOUR NETWORK PROPERLY).
>>>
>>> Nick.

Thanks for the opinions and wise advice of everyone on the mailing list.
I've given some deep thought to the subject and I'm going with an OpenBSD
bridge and a separate box for DNS caching. We're going to have some work
reconfiguring the LAN clients but it's better doing it now in our spare
time than when everything goes boing-boing, as the wise ones on the list
have said. Thanks everyone.

-----------------------------
Elaconta.com webmaster
-----------------------------
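The setup the thread converges on, an OpenBSD transparent bridge with an IP on one leg and the caching resolver moved to a separate box, as an added example that is not anything posted in the thread. It assumes em0 and em1 as the NIC names, keeps 192.168.1.121 as the firewall's own address, and only stages the files under ./stage so they can be reviewed before being copied into /etc.

```shell
#!/bin/sh
# Added example, not from the thread: stage an OpenBSD transparent-bridge
# firewall with a management address on the router-facing leg. NIC names
# em0/em1 are assumptions; the files land under ./stage for review.
set -eu
STAGE="${STAGE:-./stage}"

write_bridge_config() {
    mkdir -p "$STAGE/etc"
    # Router-facing leg keeps the address the old box used, for ssh management.
    printf 'inet 192.168.1.121 255.255.255.0\nup\n' > "$STAGE/etc/hostname.em0"
    # LAN-facing leg carries no address: frames are forwarded at layer 2.
    printf 'up\n' > "$STAGE/etc/hostname.em1"
    # bridge0 joins both legs; pf still sees every frame on both members.
    printf 'add em0\nadd em1\nup\n' > "$STAGE/etc/hostname.bridge0"
    # Default route for the firewall's own traffic (updates, ntp).
    printf '192.168.1.120\n' > "$STAGE/etc/mygate"
    cat > "$STAGE/etc/pf.conf" <<'EOF'
ext_if  = "em0"              # leg toward the router (192.168.1.120)
int_if  = "em1"              # leg toward the LAN switch
lan_net = "192.168.1.0/24"
fw_mgmt = "192.168.1.121"

set skip on lo0
block log all
# Connections the firewall opens itself keep state, so their replies are
# matched by the state table before the block rule below is consulted.
pass out quick on $ext_if inet from $fw_mgmt
# Nothing arriving from the router side may reach the firewall's own address.
block in quick on $ext_if inet to $fw_mgmt
# A bridged packet is seen on both members: pass it here without creating
# state, so the real decision is made exactly once, on the LAN leg.
pass quick on $ext_if no state
# LAN hosts may open anything outward; the state entry carries replies back.
# Unsolicited traffic toward the LAN has no state and hits "block log all".
pass in on $int_if inet from $lan_net to any
EOF
}

write_bridge_config
echo "staged under $STAGE; review, copy into /etc, then: sh /etc/netstart; pfctl -f /etc/pf.conf"
```

On the OpenBSD box, `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `brconfig bridge0` (or `ifconfig bridge0` on current releases) shows the member interfaces once the bridge is up.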