> > My goal is to setup a firewall to protect my subnet like this:
> >
> > Internet
> > |
> > Cisco router (192.12.120.254)
> > |
> > Local net 192.12.120.0 netmask 255.255.255.0
> > |
> > FIREWALL eth0 = 192.12.120.190, eth1 = 192.12.120.202
> > |
> > Protected subnet 192.12.120.200 netmask 255.255.255.252
> >
> > This worked fine when I used masquerading and a fake net (192.168.2.0)
> > but not when I try to use real IP addresses and a subnet. This is the
> > firewall setup:
> >
> > (outside)
> > eth0:
> > IP = 192.12.120.190
> > Netmask = 255.255.255.0
> > Network = 192.12.120.0
> > Broadcast = 192.12.120.255
> > Gateway = 192.12.120.254
> >
> > (inside)
> > eth1:
> > IP = 192.12.120.202
> > Netmask = 255.255.255.252
> > Network = 192.12.120.200
> > Broadcast = 192.12.120.203
> > Gateway = 192.12.120.190
>
> you've got mismatched netmasks on the internal subnet and the external
> subnet. they won't be able to communicate with each other through the
> firewall/gateway box because all the machines on eth0 think that they
> have a full /24 (class C), and that 192.12.120.202/255.255.255.252 is on
> the local eth0 ethernet, not routed through the fw box.
>
> i'm not sure if i'm explaining this very clearly.
>
> from the nature of the mistake you've made, i think you need to read
> up on tcp/ip and on building firewalls before building one. subnetting
> isn't that difficult but it's easy to make mistakes if you don't
> understand how it works.
>
> unless you've got a good reason not to, stick with using private
> addresses (192.168.2.0) for your internal network....that makes building
> the firewall purely a routing and ipfw problem, and avoids the hassle of
> calculating netmasks.
>
> if necessary (e.g. for accounting purposes), you can even route between
> your external net and your internal 192.168.2.0 net....but then your
> internal network can be reached if hosts on your external net are
> compromised. security policies are always a tradeoff between convenience
> vs. security.

Thanx Craig.

I do need (I think) to use real IP addresses because I need to have multiple web-servers (accessible from the Internet) inside the firewall that should be protected. I thought it was possible to tell my fw box to route all traffic between the two subnets. Is it possible to route e.g. 192.12.12.202 to a host on the private network e.g. 192.168.2.202? Other solutions for how to protect just a part of my C-net?

Best regards
Johannes.
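Craig's netmask point can be checked mechanically rather than by hand. The following is an added example, not code from either poster: it uses the addresses quoted in the thread, plus a constructed outer host 192.12.120.10, a constructed protected host 192.12.120.201, and an assumed 192.168.2.1 as the firewall's inside address in the private-range layout, and it also checks what happens if protected hosts are given the quoted inside gateway 192.12.120.190.

```python
import ipaddress

# Address values are the ones quoted in the thread; 192.168.2.0/24 is the
# private range Craig recommends instead of the real /30.
OUTER_LAN = ipaddress.ip_network("192.12.120.0/255.255.255.0")
INNER_REAL = ipaddress.ip_network("192.12.120.200/255.255.255.252")
INNER_PRIVATE = ipaddress.ip_network("192.168.2.0/255.255.255.0")
CISCO = "192.12.120.254"      # default gateway of hosts on the outer LAN
FW_ETH0 = "192.12.120.190"
FW_ETH1 = "192.12.120.202"


def next_hop(host_ip, host_mask, gateway, dst):
    """Reproduce a plain host's forwarding decision.

    A destination inside the host's own prefix is treated as on-link (the
    host ARPs for it on the wire); anything else is handed to the default
    gateway.  Returns the IP the frame is actually addressed to.
    """
    local = ipaddress.ip_interface(f"{host_ip}/{host_mask}").network
    target = ipaddress.ip_address(dst)
    return str(target) if target in local else gateway


def gateway_on_link(host_ip, host_mask, gateway):
    """A default gateway only works if it sits inside the host's prefix."""
    local = ipaddress.ip_interface(f"{host_ip}/{host_mask}").network
    return ipaddress.ip_address(gateway) in local


def audit(outer, inner, inner_gateway):
    """Collect the layout problems a firewall between outer and inner hits."""
    problems = []
    if outer.overlaps(inner):
        problems.append(f"{inner} is carved out of {outer}: outer hosts "
                        "treat it as on-link and never use the firewall")
    if ipaddress.ip_address(inner_gateway) not in inner:
        problems.append(f"inside gateway {inner_gateway} is not inside "
                        f"{inner}, so protected hosts cannot reach it")
    return problems


if __name__ == "__main__":
    # Constructed sample hosts: .10 on the outer LAN, .201 on the /30.
    print(next_hop("192.12.120.10", "255.255.255.0", CISCO, FW_ETH1))
    print(next_hop("192.12.120.10", "255.255.255.0", CISCO, "192.168.2.202"))
    print(gateway_on_link("192.12.120.201", "255.255.255.252", FW_ETH0))
    for p in audit(OUTER_LAN, INNER_REAL, FW_ETH0):
        print("real /30:", p)
    print("private /24:", audit(OUTER_LAN, INNER_PRIVATE, "192.168.2.1"))
```

With the private range the outer host hands 192.168.2.x traffic to the Cisco router instead of ARPing for it, which is why Craig's remark about routing between the external and internal nets becomes a pure routing question (a route on the router towards the firewall) rather than a netmask one.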