On Tue, May 14, 2002 at 08:51:28AM -0700, Eric Richardson wrote:
> I'm really new to this so I'm trying to figure out what is important.
> Some simple questions would really help me.
> Do you run the router to eth0-firewall-eth1 to switch or does the
> topology matter because of the layer of TCP being filtered?

I have only one system behind the router, so effectively I have router to
eth0. If I were to set up a Linux firewall with other boxes behind it, I
would do it as you've described.

> On the 678, are you using it as the DHCP for your clients as well and is
> it in PPP mode?

I've set the 678 to use a static IP for the box I have connected to it.
There's no reason you couldn't have it give you addresses through DHCP,
although that probably would make it more difficult to configure it to let
some ports pass through to a particular host. My router is in PPP mode.

> Are you using any fixed IPs behind the router/firewall?

Yes, but it's on an internal network (192.168.1.0, I think). The router is
assigned the external IP address and does NAT for the host I have
connected. If you have real IPs on your network behind the router, I'm sure
you could set it up to disable NAT and properly route the packets.

> I'm sure this isn't too hard but when you don't understand it all it is
> pretty difficult. I bought the Linux Firewalls book and am working on
> a dual-homed host for a firewall (2.4 iptables). Now with adding the
> DSL router in PPP mode I'm not sure what should do what. Does the router
> get a dynamic IP as well? Anyway, any insight would be much appreciated.

In theory, my router gets a dynamic IP through PPP, but I've yet to see it
change. You can read the external IP off the router, if you want to be able
to connect to one of your internal hosts from outside. (I have a Perl
script which does this if you're interested.)

My advice would be to first get the router up and running so that you have
a connection. Your ISP may have a page which describes their recommended
router config. Then set up your Linux firewall (if you're using NAT you
probably won't get much, if any, external activity at this point). Then
mess with the router's NAT to map external ports on the router to ports on
hosts on your internal network. Then, if you care to do so, mess with the
router's NAT and filtering as a second layer of security.

-Mike
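The dual-homed 2.4/iptables firewall Eric describes, sitting behind a DSL router that does PPP and its own NAT, looks roughly like the script below. This is an added example, not code from Mike or Eric, and it makes these assumptions: eth0 faces the DSL router, eth1 faces the LAN, the LAN is 192.168.1.0/24, and 192.168.1.10 is the one internal host exposed on TCP/22 (the Linux-side half of the router port mapping Mike mentions; the matching rule on the 678 itself is not shown). The script defaults to a dry run that prints the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example of a dual-homed iptables firewall (not from the original
# thread). Assumed layout: eth0 -> DSL router (PPP + NAT), eth1 -> LAN
# 192.168.1.0/24, with 192.168.1.10 reachable on TCP/22 from outside.
# DRY_RUN=1 (default) prints the rules; apply with:  DRY_RUN=0 sh fw.sh

EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SSH_HOST=${SSH_HOST:-192.168.1.10}
DRY_RUN=${DRY_RUN:-1}

# Every rule goes through ipt(): echoed in dry-run mode, executed otherwise.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Clean slate, then default-deny on the chains that face the outside.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and replies to flows we started.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: LAN source addresses never arrive on the external side.
    ipt -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # LAN hosts may talk to the firewall and out through the router.
    ipt -A INPUT -i "$INT_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT

    # MASQUERADE rather than SNAT: the eth0 address is handed out by the
    # router and may change, and MASQUERADE re-reads it per packet.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE

    # Inbound mapping: the router forwards TCP/22 to eth0; we DNAT it to the
    # LAN host and explicitly allow only that new connection through FORWARD.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 22 \
        -j DNAT --to-destination "$SSH_HOST:22"
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$SSH_HOST" \
        --dport 22 -m state --state NEW -j ACCEPT
}

# Forwarding is switched on only after the FORWARD policy is DROP.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Number of -A rules in a chain of the generated ruleset (sanity check).
count_chain_rules() {
    build_rules | grep -c -- "-A $1 "
}

build_rules
enable_forwarding
```

Because the 678 already NATs, this is double NAT: an outside connection first has to be mapped on the router to the firewall's eth0 address, and only then does the PREROUTING DNAT above hand it to the LAN host, which is why Mike sees almost no external activity on the Linux box until the router mapping exists.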