Public Internet across a private network.
Jason Clinton
me at jasonclinton.com
Mon Sep 12 23:26:20 CDT 2005
On Monday 12 September 2005 11:02 am, Dale Beams wrote:
> I have a private network that I would like to allow internet access from
> public computers. Do I simply need to subnet the public side to prevent
> access to the private network?
I know very little about networking compared to some people on this list but
I'll make a guess anyways. If you want to prevent access to the other subnet
entirely, you'll need to have a special firewall rule on the computer/device
that's a) closest to both subnets and b) has information about how to route
to both subnets. Here is a spiffy ASCII picture:

                                         /^ Public Terminals: 192.168.1
Internet |---------| Modem |-|Firewall|-|
                                         \_ Private Network: 192.168.0

The computer called |Firewall| needs a rule that's something like:

    If source is 192.168.0.0/255.255.255.0 and destination is
    192.168.1.0/255.255.255.0, reject packet.

and also:

    If source is 192.168.1.0/255.255.255.0 and destination is
    192.168.0.0/255.255.255.0, reject packet.

This prevents packets from flowing in both directions.

If you were to make a mistake and have both subnets on the same physical
network or if you were to have the rule on a machine other than the first
machine to have information about both subnets, the above rules would not
work. (Unless you had VLANs -- but that's a bit too complicated for this
email.)
Maybe there's a better way but this is the first solution that comes to mind.
--
I use digital signatures and encryption. My key is stored at pgp.mit.edu key
ID code: "0x8DB3BF09". F: F628 D9D3 E57A C281 5EFE 7DF7 B52A A393 8DB3 BF09
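
Added example, not part of the original post: the two reject rules described above, written as a Linux iptables fragment. The post names no firewall software, so iptables, the FORWARD chain, and the `--print`/`--apply` switches of this script are assumptions; the subnets are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the two reject rules
# for the machine that routes between both subnets.
# Assumption: that machine is a Linux box using iptables.

# Subnets as written in the post (netmask notation is accepted by iptables).
PRIVATE_NET="${PRIVATE_NET:-192.168.0.0/255.255.255.0}"
PUBLIC_NET="${PUBLIC_NET:-192.168.1.0/255.255.255.0}"

# Print one rule rejecting routed traffic from $1 to $2.
# -I puts the rule at the top of FORWARD so that an ACCEPT rule already
# loaded in the chain cannot match first.
reject_rule() {
    printf '%s FORWARD -s %s -d %s -j REJECT\n' '-I' "$1" "$2"
}

# Print a complete filter-table fragment blocking both directions.
isolation_rules() {
    echo '*filter'
    reject_rule "$PRIVATE_NET" "$PUBLIC_NET"
    reject_rule "$PUBLIC_NET" "$PRIVATE_NET"
    echo 'COMMIT'
}

# Nothing is changed unless --apply is given. --noflush keeps the rules
# that are already loaded. Needs root on the routing machine.
case "${1:-}" in
    --print) isolation_rules ;;
    --apply) isolation_rules | iptables-restore --noflush ;;
esac
```

These rules only see packets that the machine forwards between the two subnets; hosts that share one physical network and address each other directly never pass through the FORWARD chain.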