[olug] Firewall/NAT/Router Questions

dbw commando at robotz.com
Mon Jan 15 20:01:14 UTC 2001


Eric Penne (epenne at yahoo.com),

If you are planning on running a web server from your house, as well as
using a firewall with Internet sharing on all of your home networked
PCs, and at the same time doing it in a way that would help you learn an
implementation used in many commercial environments, I recommend using a
Screened-Subnet Firewall.

Many companies (such as Inacom, where I used to work) use a Cisco PIX
firewall and a Screened-Subnet Firewall for their network.  This places
all the web/ftp/etc. servers in a subnet of their own called the
"DMZ".  The DMZ is usually configured with a bastion firewall having three
NICs, one connecting to the Internet and two internal interfaces
connecting to two separate LANs.  One LAN is a DMZ LAN for public
servers.  The other LAN is the private, internal LAN.

The workstations are on their own subnet and share the Internet by having
all of their private (usually DHCP) addresses mapped to one public address
(This works like IP Masquerade). On the DMZ, each private address on the
server(s) is mapped to an individual public address, a public address for
each private address.

On the Cisco PIX firewall this is accomplished using three network
cards.  You define "conduits" to permit traffic for the appropriate
services and ports.  It looks something like this:

static (DMZ,outside) 200.150.221.250 10.10.10.250 netmask 255.255.255.255 0 0
conduit permit tcp host 200.150.221.250 eq ftp any

Note: I just made up these public IP addresses; any reference to a real
network is unintentional.

Emulating what the Cisco PIX can do with a simple Linux box and ipchains
was my goal.  Linux can do it just as well without the expensive $6000+
price tag.  I have done this and it works quite well using old hardware
(like my old P60 at home) as well as using maybe a low cost AMD Duron box
or something.  I also used three Realtek NICs (only $12 each at DIT in
Omaha or Lincoln).  At home I did this with Slackware and a 2.2 kernel; at
work I used Red Hat 6.2.  For a good firewall you need not install any
services or things that will listen on ports that you won't use: no inet
services, httpd, ftpd, etc.

Because masqueraded local machines are invisible to the outside, services
running on local machines are not available to remote
clients.  Experimental kernel code to enable incoming connections to
servers running in the DMZ is enabled by compiling the masquerading module
support and ipportfw masq support into the kernel.

To forward incoming connections to a server in the DMZ from the firewall
machine, the syntax would look something like this:

ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $IPADDR 80 -R 10.10.10.250 80
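The screened-subnet layout described above and the portfw command, put
together as one ipchains script for a 2.2 kernel.  This is an added
example, not the post's own script: eth0/eth1/eth2 as the interface names
and 192.168.1.0/24 as the private LAN are assumptions, while 10.10.10.250
and the made-up 200.150.221.250 follow the post.  Because ipchains keeps
no connection state, the DMZ-to-LAN rule only lets non-SYN TCP packets
(replies to sessions the LAN opened) back in and logs everything else.
Run it with the "show" argument (or DRY_RUN=1) to print the rule set on a
machine that has no ipchains at all.

```shell
#!/bin/sh
# Three-interface screened-subnet firewall with ipchains (Linux 2.2) and
# ipmasqadm portfw.  Added example; not the script from the original post.
# Assumed layout (interface names and the LAN range are assumptions;
# 10.10.10.250 and the made-up 200.150.221.250 come from the post):
#   eth0 = outside, public address EXTIP
#   eth1 = DMZ LAN, 10.10.10.0/24, web server at 10.10.10.250
#   eth2 = private LAN, 192.168.1.0/24, masqueraded behind EXTIP
EXT_IF=${EXT_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
LAN_IF=${LAN_IF:-eth2}
EXTIP=${EXTIP:-200.150.221.250}
DMZ_NET=10.10.10.0/24
DMZ_WEB=10.10.10.250
LAN_NET=192.168.1.0/24

# run: with DRY_RUN=1 print the command instead of executing it, so the
# rule set can be reviewed on a box without ipchains or root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    run ipchains -F
    run ipmasqadm portfw -f

    # Default deny on the forward chain: only the masquerade and DMZ rules
    # below let packets cross between interfaces.  The firewall itself
    # runs no listening services (see the post), so input stays ACCEPT
    # apart from the checks that follow.
    run ipchains -P input ACCEPT
    run ipchains -P output ACCEPT
    run ipchains -P forward DENY

    # Anti-spoofing: nothing arriving on the outside interface may claim
    # an inside source address.
    run ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
    run ipchains -A input -i "$EXT_IF" -s "$DMZ_NET" -j DENY -l

    # The only new TCP connection accepted from the Internet is port 80 on
    # EXTIP, which portfw (below) hands to the DMZ web server.  Every other
    # inbound SYN on the outside interface is dropped and logged; -y on the
    # SYN flag is what ipchains offers instead of connection tracking.
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXTIP" 80 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p tcp -y -j DENY -l

    # Private LAN: may reach the Internet (masqueraded, like IP Masquerade
    # on a two-interface box) and may open connections into the DMZ.
    # On the forward chain -i names the interface the packet leaves by.
    run ipchains -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
    run ipchains -A forward -i "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT

    # DMZ -> private LAN: only TCP packets that are not connection openers
    # (replies to sessions the LAN started); anything else is denied and
    # logged, so a compromised DMZ host cannot open connections inward.
    run ipchains -A forward -i "$LAN_IF" -p tcp ! -y -s "$DMZ_NET" -d "$LAN_NET" -j ACCEPT
    run ipchains -A forward -s "$DMZ_NET" -d "$LAN_NET" -j DENY -l

    # DMZ -> Internet: the web server's replies (and its own outbound
    # traffic) leave masqueraded behind EXTIP.
    run ipchains -A forward -i "$EXT_IF" -s "$DMZ_NET" -j MASQ

    # Accept traffic to the web server's port 80 on the forward chain and
    # register the port forward: connections to EXTIP:80 arriving on the
    # outside are rewritten to 10.10.10.250:80.  Note this forwards one
    # port of the firewall's own address, not a PIX-style one-to-one static.
    run ipchains -A forward -i "$DMZ_IF" -p tcp -d "$DMZ_WEB" 80 -j ACCEPT
    run ipmasqadm portfw -a -P tcp -L "$EXTIP" 80 -R "$DMZ_WEB" 80
}

# Usage: "sh firewall.sh show" prints the rules; "sh firewall.sh apply"
# loads them (root, 2.2 kernel built with masq and ipportfw support).
case "${1:-}" in
    apply) firewall_rules ;;
    show)  DRY_RUN=1 firewall_rules ;;
esac
```

Adding a second public server means one more input ACCEPT for its port
on EXTIP, one more forward ACCEPT to its DMZ address, and one more portfw
line; the LAN and anti-spoofing rules stay as they are.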

It is really difficult to find information on this in the LDP.  It seems
that all anyone ever wants to talk about is IP Masquerade, which has been
Howto'd to death.  I would like to start seeing documentation on good,
solid commercial implementations of things like this.  I think Linux has a
lot of potential as an alternative to expensive hardware like the Cisco
PIX firewall, and Linux also makes a great router.

Now I am working to accomplish this again, except using OpenBSD.  So far I
have not been able to get ipf and ipnat to agree with my plans.  If anyone
is good with OpenBSD IP Filter, I would appreciate an email :o)

-dbw

______   __   _    ________________________________________                
_____   / /  (_)__  __ ____  __                         ___
____   / /__/ / _ \/ // /\ \/ /   commando at robotz.com   ___
___   /____/_/_//_/\_,_/ /_/\_\   _________________________
