Message-ID: <3DDBDEE2.4020508@steinkuehler.net>
Date: Wed, 20 Nov 2002 13:16:26 -0600
From: Charles Steinkuehler <charles@steinkuehler.net>
Subject: Re: Subnetting
Lucas Peet wrote:
> Well, basically, I'm working on a triple-homed firewall. The block of
> 'real' IP's will be for the DMZ, I'll use 10.0.0.x for the internal
> network, but I still need 2 IP's (one for the external interface, and
> one for the router) that are on a different network, so I can route
> properly between the external interface, and the DMZ.
>
> Maybe I'm confused here - I guess I'm just trying to apply what I
> learned from my own dual homed firewall to a triple homed with a DMZ.
>
> Maybe I just don't know enough about routing yet? I guess I don't
> understand how I would route from eth0 to eth2 properly, when they're on
> the same network block.
>
> Should I just ask the ISP for 2 other IP's on a different network block?
> (I *know* they have subnets that are only 2 (useful) IP's long (total of
> 4) ).
You want to use proxy-arp. I have a /26 network from my ISP via SDSL,
which gets split into 4 different networks with real IPs:
1) External "raw" network, connecting my firewall/router to my SDSL
modem and the ISP.
2) DMZ network for business computers owned by the company I work for
3) DMZ network for personal server systems owned/operated by me
4) DMZ network for a "co-lo" system I put online for a friend of mine.
...unassigned IPs are "tar-pitted" by LaBrea :)
NOTE: Public IP's can be on any of the four network segments, and as
long as proxy-arp is enabled (and the firewall/router's routing tables
are correct), everything will work, and all boxes will think they can
directly talk to the entire subnet. The benefit of separating the
networks with proxy-arp is you can filter the traffic as it passes
through the firewall. With my setup above, for example, if someone
hacks the "co-lo" system I let my friend keep on-site, they still have
to hack through my firewall to attack any of my internal systems, so
other than a faster link, they are at no significant advantage vs trying
to attack from anywhere else on the internet.
In addition, there is a fifth masqueraded network for internal
workstations that don't need public IP's.
Proxy-arp allows you to split networks however you like, with the
advantage that you don't have to lose multiple IPs for
network/broadcast addresses, the way you do if you have multiple
subnets. Also, if you're not running FreeS/WAN (ipsec package that gets
confused if multiple interfaces have identical IPs), you can assign all
interfaces on the firewall/router the same IP (rather than 4 separate
IP's, as you would otherwise need in my example above).
I do this all with my bootable CD-ROM firewall, Dachstein-CD:
http://leaf.sourceforge.net/devel/cstein/DiskImages/Dachstein-CD.htm
Although if you're starting from scratch, you might want to use the
Bering release (2.4 kernel and the shorewall iptables firewall package):
http://leaf.sourceforge.net/mod.php?mod=userpage&menu=904&page_id=21
I haven't personally used shorewall much, but it looks like a great
package, and I think it supports proxy-arp DMZ setups out-of-the-box, as
does Dachstein.
-- Charles Steinkuehler charles@steinkuehler.net
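The proxy-ARP split Charles describes, worked through as an added example (this is not code from the original thread, from Dachstein, or from Shorewall). It assumes a made-up /26 from TEST-NET-3 (203.0.113.0/26), an ISP router at .1, a firewall at .2, and interface names eth0 (external) and eth1-eth3 (three DMZ segments); the DMZ interfaces get the firewall's single IP as a /32 so the kernel does not install a second connected /26, which is one way to realise the "same IP on every interface" arrangement mentioned in the post. The function validates the host placement (inside the block, not network/broadcast, not the firewall or router, not placed twice), then emits the 2.4-era Linux commands (proxy_arp via /proc, iproute2 host routes) and a Shorewall `proxyarp` file using its documented ADDRESS/INTERFACE/EXTERNAL/HAVEROUTE columns. A second helper shows the security point from the post: two hosts in the same /26 only get to bypass the firewall if they sit behind the same interface.

```python
"""Plan a proxy-ARP split of one public block across a multi-homed firewall.

Added example, not from the original post or from Dachstein/Shorewall.
All addresses and interface names below are constructed for illustration.
"""
import ipaddress

# Constructed values: TEST-NET-3 stands in for the ISP-assigned /26.
BLOCK = ipaddress.ip_network("203.0.113.0/26")
ISP_ROUTER = ipaddress.ip_address("203.0.113.1")
FIREWALL_IP = ipaddress.ip_address("203.0.113.2")
EXT_IF = "eth0"
SEGMENTS = {                                   # DMZ interface -> hosts behind it
    "eth1": ["203.0.113.10", "203.0.113.11"],  # company servers
    "eth2": ["203.0.113.20"],                  # personal servers
    "eth3": ["203.0.113.30"],                  # co-lo box
}


def plan_proxy_arp(block, isp_router, fw_ip, ext_if, segments):
    """Validate the host placement and return the commands that realise it.

    Returns a dict with 'owner' (address -> DMZ interface) and the lists
    'sysctl', 'addr', 'route', 'proxyarp'.  Raises ValueError for an
    address that cannot work with proxy-ARP: outside the block, the
    network/broadcast address, the firewall's or router's own IP, or an
    address assigned behind two interfaces.
    """
    reserved = {block.network_address, block.broadcast_address, fw_ip, isp_router}
    owner = {}
    for iface, hosts in segments.items():
        if iface == ext_if:
            raise ValueError(f"{iface} is the external interface")
        for h in hosts:
            ip = ipaddress.ip_address(h)
            if ip not in block:
                raise ValueError(f"{ip} is outside {block}")
            if ip in reserved:
                raise ValueError(f"{ip} is reserved (network/broadcast/firewall/router)")
            if ip in owner:
                raise ValueError(f"{ip} already placed behind {owner[ip]}")
            owner[ip] = iface

    ifaces = [ext_if] + list(segments)
    # Linux answers ARP on interface X for any target it routes out of a
    # different interface, once proxy_arp is on for X.  Enabling it on every
    # interface lets the ISP router reach the DMZ hosts, and the DMZ hosts
    # reach the router and each other, all "through" the firewall.
    sysctl = [f"echo 1 > /proc/sys/net/ipv4/conf/{i}/proxy_arp" for i in ifaces]
    # One firewall IP everywhere (the post notes FreeS/WAN dislikes this):
    # real mask on the external side, /32 on the DMZ sides (assumed layout).
    addr = [f"ip addr add {fw_ip}/{block.prefixlen} dev {ext_if}"]
    addr += [f"ip addr add {fw_ip}/32 dev {i}" for i in segments]
    # A /32 host route per DMZ machine beats the connected /26 on ext_if by
    # longest-prefix match, so packets for it leave via its DMZ interface.
    route = [f"ip route add {ip}/32 dev {owner[ip]}" for ip in sorted(owner)]
    route.append(f"ip route add default via {isp_router} dev {ext_if}")
    # Shorewall /etc/shorewall/proxyarp columns: ADDRESS INTERFACE EXTERNAL HAVEROUTE
    proxyarp = ["#ADDRESS\tINTERFACE\tEXTERNAL\tHAVEROUTE"]
    proxyarp += [f"{ip}\t{owner[ip]}\t{ext_if}\tNo" for ip in sorted(owner)]
    return {"owner": owner, "sysctl": sysctl, "addr": addr,
            "route": route, "proxyarp": proxyarp}


def filtered_by_firewall(plan, src, dst):
    """True when src->dst traffic must cross the firewall (and can be
    filtered) even though both addresses sit in the same public block.
    Addresses not placed behind a DMZ interface (e.g. the ISP router)
    count as external."""
    o = plan["owner"]
    return o.get(ipaddress.ip_address(src)) != o.get(ipaddress.ip_address(dst))


def rejection(*args):
    """Return the ValueError message plan_proxy_arp raises, or None if accepted."""
    try:
        plan_proxy_arp(*args)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    result = plan_proxy_arp(BLOCK, ISP_ROUTER, FIREWALL_IP, EXT_IF, SEGMENTS)
    for section in ("sysctl", "addr", "route", "proxyarp"):
        print(f"# {section}")
        print("\n".join(result[section]))
```

The generated commands are meant to be read, not piped to a root shell blindly: apply them on the firewall itself, and remember that each DMZ host is still configured as if it sat directly on the /26 with the ISP router as its default gateway, which is exactly why it works without asking the ISP for a second block.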