* [gentoo-user] making my own router
@ 2005-10-07 2:42 Mark
From: Mark @ 2005-10-07 2:42 UTC (permalink / raw
To: gentoo-user
I'd like to build a gentoo box to act as a single router between a hardware
firewall (appliance) and two internal separate network segments. The goal is
to allow both internal segments to access the Internet via the same
firewall, but not allow them to see each other.
Here's my general idea - please tell me if it makes sense so far.
1. Cable modem connected to ISP
2. Hardware firewall connected to cable modem on Internet port, and an
internal port to eth0 on the Gentoo box
3. Gentoo box has 3 NICs: eth0 connected to the hardware firewall's internal
lan port. eth1 connected to switch for internal lan segment 1. eth2
connected to switch for internal lan segment 2
4. Configure the NICs as follows:
eth0 and firewall internal port are in 192.168.0.0/24 subnet
eth1 is in 192.168.1.0/24 subnet
eth2 is in 192.168.2.0/24 subnet
Sound OK so far?
Next steps I think are figuring out how to provide DHCP to both internal
subnets from the same Gentoo box, and what gateway address(es) the clients
should use. Finally, I need to be able to do port-forwarding from the
outside to a specific host on one of the internal subnets. Can I do that?
One quandary I have is regarding the hardware firewall. We have money
invested in it, but does it buy me anything now that we are creating the 2
separate subnets? Should I just sell it and let the Gentoo box be the
firewall as well?
Thanks for any insight, as always.
--
Mark
[unwieldy legal disclaimer would go here - feel free to type your own]
* Re: [gentoo-user] making my own router
From: W.Kenworthy @ 2005-10-07 3:18 UTC (permalink / raw
To: gentoo-user
Unless it's limiting you in some fashion, leave it there as an extra
layer of protection - dedicated HW firewalls are often more secure than
a general purpose machine, but lose out in the flexibility/functionality
stakes. You can also get funky and use the gentoo box to detect suspect
traffic, and then deny it by uploading the ACL deny to the firewall.
Personally, while I really like my gentoo firewall/gateway, I would love
to have this option to completely remove traffic I designate from
hitting the inner firewall at all. Make the most of it!
BillK
On Thu, 2005-10-06 at 21:42 -0500, Mark wrote:
> I'd like to build a gentoo box to act as a single router between a
...
> One quandary I have is regarding the hardware firewall. We have money
> invested in it, but does it buy me anything now that we are creating
> the 2 separate subnets? Should I just sell it and let the Gentoo box
> be the firewall as well?
>
> Thanks for any insight, as always.
> --
> Mark
> [unwieldy legal disclaimer would go here - feel free to type your own]
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] making my own router
From: Bill Roberts @ 2005-10-07 12:37 UTC (permalink / raw
To: gentoo-user
On 21:42 Thu 06 Oct, Mark wrote:
> I'd like to build a gentoo box to act as a single router between a
> hardware firewall (appliance) and two internal separate network segments.
> The goal is to allow both internal segments to access the Internet via the
> same firewall, but not allow them to see each other.
>
> Here's my general idea - please tell me if it makes sense so far.
Your outline looks good. Haven't ever used a hardware firewall, though.
My setup is a firewall/router, external port to dsl modem, two internal,
one wired, one wireless. I bridged the two internals into a single subnet.
I used:
http://www.gentoo.org/doc/en/home-router-howto.xml
as my guide, then did some googling on bridging for the rest. Works great!
By the way, I used iptables for the firewall, but there is some terrific
documentation for shorewall, which you might find a bit easier.
Bill Roberts
* RE: [gentoo-user] making my own router
From: Dave Nebinger @ 2005-10-07 13:30 UTC (permalink / raw
To: gentoo-user
> Sound OK so far?
Yup, same setup I'm using (kinda). Works out very well.
> Next steps I think are figuring out how to provide DHCP
> to both internal subnets from the same Gentoo box, and
> what gateway address(es) the clients should use.
The gentoo box is the gateway. Assuming it is 192.168.{0,1}.1,
that would be the address to feed to the internal network boxen.
DHCP is easily configured to serve based upon the card, you just
need to dig into the config file to get it set up. Don't forget
to add iptables rules to block DHCP traffic coming or going on
the card connected to the network; you don't want to offer DHCP
to anyone outside of your internal network.
Along with DHCP you might want to add a caching DNS proxy on the
gateway box. This will simplify the network settings of the
internal systems (everything network-related would point to the
gateway).
> Finally, I need to be able to do port-forwarding from the
> outside to a specific host on one of the internal subnets.
> Can I do that?
Yes, it's all done via iptables. You'll need to chain it up; the
cable modem forwards to the firewall which forwards to the gentoo
box which forwards to the specific host. You'll have to get all
of the DNAT stuff right along the way.
> One quandary I have is regarding the hardware firewall. We have
> money invested in it, but does it buy me anything now that we are
> creating the 2 separate subnets? Should I just sell it and let
> the Gentoo box be the firewall as well?
As one poster said, it will offer another layer of protection, but...
Personally I found it unwieldy to maintain iptables rules in such a
fashion. If traffic can't get to/from a destination you'll have like
5 points of failure: the local box, the switch, the gentoo box, the
firewall, and finally the cable modem.
And with the correct iptables rules in place your gentoo box will
be just as secure as the firewall appliance. It also offers you the
opportunity to see all incoming traffic, not just the traffic the
firewall appliance allows. So, for example, I have the ssh port open
on the gentoo box but it is basically a honey pot; folks trying to
connect there get automatically added to the blacklist and traffic
is blocked from them permanently.
I'm not sure how feature-full your firewall appliance is, but the ones
that I was using had limited port forwarding capabilities (10 to be
exact). Once I wanted to start hosting basic services, I quickly
consumed those ports (imap, pop3, ssh, ident, smtp, ftp, http/s, ...).
This however might not be a problem for you.