Re: Funky Firewall - Engineering Request

Author: Rudolfo Munguia
Date:  
To: plug-discuss
Subject: Re: Funky Firewall - Engineering Request
As someone previously stated, "this is academic".

I am running kernel 2.6.8 on several dists: SuSE, Debian, Gentoo; and
also run OpenBSD and FreeBSD boxen; and administer several Cisco
routers.

On all of these I have the option of utilizing NAT under any of its
possible configurations:

one::one
one::many
many::one
many::many

This applies to either IPs or ports. You are simply specifying in
your conf whether you are translating from subnet to subnet or
port range to port range, and whether each new session in a given
direction is automatically assigned a new IP (round-robin) or
maintains sessions on a given IP (static or bi-NAT).

The one detail you should be aware of on *nix is the binding of
multiple IPs to a single MAC/physical interface. If you follow
previous suggestions of just re-arranging squid to re-write the
headers with different IPs, your external interface won't necessarily
respond to the return packets without having the aliases for the other
IPs on the external interface.

This could also play havoc with ARP, as Qwest used to have their
head-end equipment set to allow only 1 IP per MAC, which is why they
used to always insist that if you had multiple PCs they be
connected via hub to the DSL line and get DHCP from the Qwest server,
or else you had to learn to set up proxy-arp on your routing device.
Things may be different now though; I switched to Cox about 4 years
ago.

On Sat, 08 Jan 2005 21:55:35 -0700, Craig White <> wrote:
> On Sat, 2005-01-08 at 10:57 -0700, George Toft wrote:
> > I have a problem and am wondering how the brightest Linux brains of
> > Phoenix would solve it.
> >
> > Problem:
> > A certain web site that my family enjoys will not allow multiple
> > computers from the same IP address to use the site at the same time. I
> > currently have a Linux firewall with 2 NICs - one for the Internet and
> > one for my LAN running NAT so all of my systems have the same public IP
> > address.
> >
> > Qwest allows me 4 IP addresses, and I would like to take advantage of
> > them so we can have more than one computer at the site at one time.
> >
> >
> > Problem Statement:
> > Build a firewall that:
> > 1. Allows each computer on the LAN to send traffic out a different IP
> > address on the Internet side of the firewall.
> > 2. Filters all outgoing traffic through DansGuardian/squid.
> >
> > Essentially, each computer in the house would appear to have its own NAT
> > firewall, and I don't want to actually deploy 3 more hardware firewalls.
> >
> >
> > Random thoughts so far:
> > 1. Set up box with 4 copies of VMWare running - each with a copy of the
> > existing firewall.
> >
> > 2. Set up usermode Linux and have each one run a firewall & proxy. I'm
> > pretty fuzzy on this stuff.
> >
> > 3. Bind multiple IPs to each NIC, and attempt to set up the iptables
> > script from hell.
> ----
> #3 seems the most logical and easiest to implement. You can have a mini
> BOFH scheme by bandwidth shaping too.
>
> Craig
>
>

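What option #3 from the original question looks like when written out, combined with the two caveats raised in this reply (the extra public addresses must be aliased onto the external interface, and squid picks its own source address because its connections never pass through the forwarding NAT rules). This is an added example for the thread, not a script any participant posted. Everything concrete in it is assumed: eth0/eth1 as the interfaces, 203.0.113.10-13 (documentation range) standing in for the four Qwest addresses, 192.168.1.10-13 for the LAN hosts, and DansGuardian listening on 8080. The script emits the iptables/ip commands and a squid.conf fragment rather than running them, so it can be reviewed and then piped to sh as root on the firewall; `tcp_outgoing_address` is squid's real directive for choosing the outbound source address per ACL.

```shell
#!/bin/sh
# Added example for this thread; not code posted by anyone in it.
# Assumptions (all constructed): external NIC eth0, LAN NIC eth1, public
# addresses 203.0.113.10-13 stand in for the four ISP-assigned IPs, LAN
# hosts are 192.168.1.10-13, DansGuardian listens on port 8080.
EXT_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
DG_PORT=8080

# one::one table: "<lan host> <public ip>" per line
MAP='192.168.1.10 203.0.113.10
192.168.1.11 203.0.113.11
192.168.1.12 203.0.113.12
192.168.1.13 203.0.113.13'

# Which public address a LAN host is mapped to (empty if unmapped).
public_for() {
    printf '%s\n' "$MAP" | awk -v h="$1" '$1 == h { print $2 }'
}

# Emit the commands instead of executing them, so they can be reviewed
# and then piped to sh as root on the firewall.
gen_rules() {
    primary=$(printf '%s\n' "$MAP" | awk 'NR == 1 { print $2 }')

    echo "sysctl -w net.ipv4.ip_forward=1"

    # Without these aliases the box neither answers ARP for the extra
    # addresses nor accepts their return packets.
    printf '%s\n' "$MAP" | while read -r lan pub; do
        echo "ip addr add ${pub}/32 dev $EXT_IF"
    done

    # Per-host SNAT: each LAN host leaves through its own public address.
    # This covers forwarded traffic only; squid's connections originate on
    # the firewall itself and are handled by tcp_outgoing_address below.
    printf '%s\n' "$MAP" | while read -r lan pub; do
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s ${lan}/32 -j SNAT --to-source $pub"
    done
    # Any other LAN host falls back to the first public address.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j SNAT --to-source $primary"

    # Transparent interception of LAN web traffic into DansGuardian.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $DG_PORT"

    # Stateful forwarding: LAN may initiate, the Internet may only reply.
    echo "iptables -A FORWARD -i $LAN_IF -o $EXT_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -o $LAN_IF -j DROP"
}

# squid.conf fragment: proxied HTTP must choose its source address here,
# since it never traverses the POSTROUTING SNAT rules above.
gen_squid_conf() {
    n=0
    printf '%s\n' "$MAP" | while read -r lan pub; do
        n=$((n + 1))
        echo "acl host_$n src ${lan}/32"
        echo "tcp_outgoing_address $pub host_$n"
    done
}

gen_rules
echo
gen_squid_conf
```

Run it as `sh funky-fw.sh > rules.txt`, read the output, then apply the iptables/ip lines as root and paste the acl/tcp_outgoing_address lines into squid.conf. The ISP-side restriction mentioned in this reply (one IP per MAC at the head-end) is not something the firewall can fix by itself; if the upstream equipment enforces it, all four aliases will still answer ARP from the same MAC and the extra addresses will not work.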
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss