Timothy Wilson wrote:
> Anyone care to contribute some thoughts on the 675 vs. Linux firewall debate?

On Sun, Nov 19, 2000 at 03:54:51AM -0600, Joel Schneider wrote:
> Why not use both Cisco 675 _and_ Linux firewalling?

Actually, this suggestion is the best one to go with, although I disagree with how Joel has implemented it, albeit slightly at best. Under Joel's suggestion, the network would look like this:

    ( Internet ) 0.0.0.0/0
         |
      [ DSL ]------[ HUB ]
                     |
             +--------------+ (DMZ)
             |              |
       [ WEB Server]   [ Firewall ]
                            |
                      (Private Net)

This is not altogether bad, but the side effect is that any additional filtering of traffic to the web server must be accomplished through the DSL modem. This modem has a grand total of 10 filter rules. If you have only one static IP address allocated to you, then you are forced to deal with the Cisco's NAT. Linux IPChains (2.2) or IPTables (2.4) is infinitely more flexible in how you handle packet filtering, routing, and forwarding. If you feel you would like to use this power, you can do one of two things:

1) Manage the port forwarding at the Linux firewall

    ( Internet ) 0.0.0.0/0
         |
      [ DSL ]--------[ Firewall ]
                         |
                      [ HUB ]
                         |
           +-------------+-------------+
           |                           |
     [ WEB Server]               (Private Net)

2) Add another network card to the firewall and have a "server" subnet/DMZ

    ( Internet ) <#1>
         |
      [ DSL ]
         |  <#2>
    [ Firewall ] <#3> (DMZ)
         |       +-----------+
    (Private Net)            +--------[ HUB ]
        <#4>                           |
                                 +-----+-----+
                                 |           |
                           [ WEB Server]    ...

Now, notice how all traffic is flowing through the firewall. This gives you an amount of control and flexibility far beyond that which you could achieve through the DSL modem alone. Through these suggestions, you would need only one NAT rule at the Cisco: forward all traffic destined for the Cisco to the firewall. Now, the nets #2, #3, and #4 can be configured in many different ways. It all depends upon what your ISP has given you.
If the ISP gave you only one IP address, either static or dynamic, your DSL router must use NAT to forward any requests to other machines. If you've received a /30 Internet subnet, you have two "usable" IP addresses. You must assign one to your DSL router and you have one left for your firewall. If you're given a /29, or 6 "usable" IP addresses, you could actually make your DMZ a bridged network off your firewall (which is something I'm working on configuring at my house). Well, you have a lot of choices depending on what you've been allocated. I personally want my Linux firewall handling the bulk of the filtering and NAT rules, if not all of them. I simply don't trust the Cisco, nor do I like its limited resources. Anyway, good luck!

-- 
Chad "^chewie, gunnarr" Walstrom <chewie at wookimus.net>
http://www.wookimus.net/
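The option 2 layout from the post (firewall with a third card for the DMZ, one DNAT rule for the web server, the inside nets NATed out through the firewall's address on the /30) written out as an IPTables (2.4) ruleset. This is an added example, not code from the post or the list; the interface names eth0/eth1/eth2 and the 192.0.2.0/30, 10.0.1.0/24 and 10.0.2.0/24 addresses are constructed assumptions, and the Cisco is assumed to forward everything to the firewall as the post suggests.

```shell
#!/bin/sh
# Added example for the option 2 topology (not from the original post).
# Assumed layout: eth0 = link to the Cisco 675 (#2), eth1 = DMZ (#3),
# eth2 = private net (#4). All addresses below are constructed, not real.
WAN=eth0; DMZ=eth1; LAN=eth2
FW_WAN_IP=192.0.2.2        # firewall's address on the /30 from the ISP
WEB_IP=10.0.1.10           # web server in the DMZ
DMZ_NET=10.0.1.0/24
LAN_NET=10.0.2.0/24

# apply_rules CMD: emit every rule through CMD ("iptables" to apply,
# "echo" to preview), so the ruleset can be inspected before it is loaded.
apply_rules() {
  ipt="${1:-iptables}"
  $ipt -F; $ipt -t nat -F; $ipt -X
  # Default deny into and through the box; the firewall itself may talk out.
  $ipt -P INPUT DROP; $ipt -P FORWARD DROP; $ipt -P OUTPUT ACCEPT
  $ipt -A INPUT -i lo -j ACCEPT
  $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Manage the firewall only from the private net.
  $ipt -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
  # The one public service: port 80 arriving from the Cisco goes to the DMZ web server.
  $ipt -t nat -A PREROUTING -i $WAN -d $FW_WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP
  $ipt -A FORWARD -i $WAN -o $DMZ -d $WEB_IP -p tcp --dport 80 -m state --state NEW -j ACCEPT
  # Private net may reach the Internet and the DMZ; nothing else is forwarded in from outside.
  $ipt -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
  $ipt -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -j ACCEPT
  # The web server may go out (updates) but a compromised DMZ host must not
  # pivot into the private net: log that attempt and drop it.
  $ipt -A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -j ACCEPT
  $ipt -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN blocked: "
  $ipt -A FORWARD -i $DMZ -o $LAN -j DROP
  # Outbound from both inside nets leaves with the firewall's public address
  # (SNAT because the /30 gives a static address; use MASQUERADE if it is dynamic).
  $ipt -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $FW_WAN_IP
  $ipt -t nat -A POSTROUTING -o $WAN -s $DMZ_NET -j SNAT --to-source $FW_WAN_IP
}

# "preview" prints the rules; "apply" loads them and turns on forwarding.
case "${1:-}" in
  preview) apply_rules echo ;;
  apply)   sysctl -w net.ipv4.ip_forward=1 && apply_rules iptables ;;
  *)       echo "usage: $0 preview|apply" >&2 ;;
esac
```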