On Wed, 8 Jul 1998 [EMAIL PROTECTED] wrote:

> > > (outside) eth0: IP = 192.12.120.190 Netmask = 255.255.255.0
> > > Network = 192.12.120.0 Broadcast = 192.12.120.255 Gateway =
> > > 192.12.120.254
> > >
> > > (inside) eth1: IP = 192.12.120.202 Netmask = 255.255.255.252
> > > Network = 192.12.120.200 Broadcast = 192.12.120.203 Gateway =
> > > 192.12.120.190
> >
> > you've got mismatched netmasks on the internal subnet and the
> > external subnet. they won't be able to communicate with each
> > other through the firewall/gateway box because all the machines
> > on eth0 think that they have a full /24 (class C), and that
> > 192.12.120.202/255.255.255.252 is on the local eth0 ethernet, not
> > routed through the fw box.
>
> Thanx Craig.
>
> I do need (I think) to use real IP addresses because I need to have
> multiple web-servers (accessible from the Internet) inside the
> firewall that should be protected. I thought it was possible to
> tell my fw box to route all traffic between the two subnets. Is it
> possible to route eg 192.12.12.202 to a host on the private network eg
> 192.168.2.202?
you must have misunderstood what i said (not surprising, because i didn't explain it very well)

you *can* use 192.12.20 addresses on both sides of the firewall (i.e. internal and external), as long as they are subnetted properly. this generally means splitting the net into two or more equally sized subnets. for example...

two subnets: .0-127 and .128-255,
or four subnets: .0-63, .64-127, .128-195, and .196-255,
or eight subnets: .0-31, .32-63, .64-96, ..., and .224-255

note it is possible to run more than one subnet on a single ethernet segment. for example, you could run .0-63, .64-.127, .128-.195 on eth0 and .196-.255 on eth1, as long as you always remember that eth0 actually had three subnets on it and not just one network. the three eth0 subnets would only be able to communicate with each other via a router (i.e. your firewall box)...they are completely separate networks even if they happen to be on the same cable segment!

what you can't do is just take a chunk out of the middle of a net, stick it on the other side of a firewall and expect that it will work.

(actually, if you're careful and know what you are doing you might be able to fake it by publishing arp entries for each of the hosts that 'belong' on eth0 but are actually physically located on eth1. possible, but tricky and complicated and easy to mess up. this is the sort of thing that evolves - "mutates" is more accurate - into an undocumented nightmare)

> Other solutions how to protect just a part of my C-net?

one idea that occurs to me is that you could connect your firewall box directly to the cisco router (use a cross-over 10baseT cable or coax), and use 192.168.x addresses for that network segment. all of your hosts could then be on 192.12.120.0/24. use ipfwadm firewall rules to protect specific hosts....or protect them all (default policy deny) and use allow rules to unprotect certain hosts/ports.
something like this:

                  192.168.1.0
               +----------+
               |          |
               |          |eth0
            +-----+    +-----+
inet <----> :cisco:    :linux:
            +-----+    +-----+
                          |eth1
                          |
             +--------------------------------------.....
                    192.12.120.0/24 segment (your hosts)

it would simplify things if your ISP could allocate you an IP address for the cisco's internet (isdn??) interface. your ISP would route your /24 net to your cisco, and your cisco would know to route it to the linux box. the linux box would apply firewall rules to filter out undesirable connections.

it would simplify things even further if you could replace the cisco with an ISDN card for your linux box. that's assuming your internet connection is ISDN, of course. if it's some other connection type it may be worth your while finding out whether linux supports it.

craig

--
craig sanders
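A check for the netmask mismatch discussed in this thread, as an added example that is not part of the original mail: it uses Python's standard `ipaddress` module, the interface settings quoted from the poster's config, and the equal-subnet split Craig proposes (interface names and the `equal_subnets`/`on_link_for` helpers are this example's own).

```python
import ipaddress

# Constructed from the eth0/eth1 settings quoted earlier in the thread.
OUTSIDE_ETH0 = ipaddress.ip_interface("192.12.120.190/255.255.255.0")
INSIDE_ETH1 = ipaddress.ip_interface("192.12.120.202/255.255.255.252")


def overlap(a, b):
    """True if two networks share any address. A /30 carved out of the
    middle of a /24 overlaps it, which is the root of the problem."""
    return a.overlaps(b)


def on_link_for(host_iface, dst):
    """Does a host configured like host_iface treat dst as directly
    attached (so it ARPs for it on the wire) instead of sending it to
    its gateway? Hosts on a full /24 think .202 is local, so the
    firewall box never sees the traffic."""
    return ipaddress.ip_address(dst) in host_iface.network


def equal_subnets(net, count):
    """Split net into `count` equally sized subnets (count must be a
    power of two): 2 -> /25s, 4 -> /26s, 8 -> /27s."""
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    return list(net.subnets(prefixlen_diff=count.bit_length() - 1))


def last_octet_range(net):
    """Render a subnet as '.0-63' style, the way it is written above."""
    lo = int(net.network_address) & 255
    hi = int(net.broadcast_address) & 255
    return f".{lo}-{hi}"


if __name__ == "__main__":
    print("overlap:", overlap(OUTSIDE_ETH0.network, INSIDE_ETH1.network))
    print("eth0 host thinks .202 is local:",
          on_link_for(OUTSIDE_ETH0, "192.12.120.202"))
    quarters = equal_subnets(ipaddress.ip_network("192.12.120.0/24"), 4)
    print("four equal subnets:", [last_octet_range(q) for q in quarters])
    # After re-addressing the outside as a /26, .202 is off-link and
    # must be routed through the firewall box.
    fixed = ipaddress.ip_interface("192.12.120.190/26")
    print("fixed host thinks .202 is local:",
          on_link_for(fixed, "192.12.120.202"))
```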