-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK.. some recommendations...

1.  Get an IP subnet calculator.  Go to download.com and find a free
one.. I think there is even a free one at Cisco.com.
2.  Read up on VLSM (variable length subnet masking).  This allows
you to break off whatever size network you need (for the most part).
3.  Build a subnet mask table for yourself for instant access:

/32        1 address; 1 host  (this is the same as 255.255.255.255)
/31        2 addresses; 0 hosts (one broadcast address, one network
address) =  (255.255.255.254)
/30        4 addresses; 2 hosts (e.g. 192.168.1.0/30; .0 is the net,
.3 is broadcast, .1 and .2 are valid host addresses) = (255.255.255.252)
...

so on and so forth... (I am trying to teach you how to fish instead of
just giving you one meal).

Carric Dooley
Network Security Consultant

"I have often regretted my speech, never my silence."
- Xenocrates (396-314 B.C.)



----- Original Message -----
From: "Scott I. Remick" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 08, 2000 9:55 PM
Subject: Subnetting a Class C for firewall


> I'm trying to get a plan together to set up a firewall on a network
> and have some issues that I haven't sorted out yet.  Perhaps
> someone can help me.
> 
> Currently the network is on a full Class C address space, with a
> router to the internet.  The router provides the current security,
> but it's very limited.  There is no NAT going on and preferably it
> should remain that way (just want to filter traffic).
> 
> My idea is to create a screened subnet using a merged
> interior/exterior router in addition to the existing router.  The
> merged router (firewall) ends up being a triple-homed host
> (FreeBSD box), with a NIC to the internet, a NIC to the perimeter
> network, and a NIC to the internal network.  The internet router
> only talks to the FreeBSD box, which permits some communication
> with servers on the perimeter network (FTP, WWW, mail, etc), and
> keeps a tighter watch on traffic to and from the internal network
> (even if it's from the perimeter network, in case one of those
> servers becomes compromised).
> 
> With me so far?
> 
> Ok.  So to firewall, we need to route, and to route, we need to
> subnet.  Barring any faults in my ideas so far, I'm stumped as to
> how to subnet the current Class C to easily permit this and make
> best use of the address space.  So far they've been spoiled with
> their addressing, but no more after this.  I've never had to
> subnet into a Class C before, so I did my homework and it would
> seem that subnets must all be of equal size.  This is bad, because
> the perimeter network only needs to support a few hosts, while the
> internal network needs to support a much larger number (I don't
> need a third subnet, figuring I can use a private address space
> such as 10.0.0.1 <-> 10.0.0.2 for the segment between the internet
> router and the FreeBSD box, correct?).
> 
> Of course, as I'm just diving into subnetting, I'm still a little
> confused.  If I were to divide into 2 subnets, would it be 62 or
> 126 hosts per subnet?  62 would be too small, while 126 would be
> annoying but perhaps liveable (not to mention a waste, as the
> perimeter network doesn't need anywhere near that).
> 
> Now, if I could subnet for up to 14 hosts on the perimeter network,
> and leave... what, 182? hosts on the internal network... that
> would be ideal.  But I'm out of my league trying to figure out if
> such a thing is possible.  Is it?  How?
> 
> Any advice/insight/nudges-in-the-right-direction appreciated.
> Thanks a bunch.
> -----------------------
> Scott I. Remick                    [EMAIL PROTECTED]
> Network and Information            (802)388-7545 ext. 236
> Systems Manager                    FAX:(802)388-3697
> Computer Alternatives, Inc.        http://www.computeralt.com
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOUEPLFUqWOkDpMZ2EQLtpgCfQZ3WwazOkEHZHqmuLo9GE4QQdeYAoJcp
iZEJZz7Zd7r8dvA4sKrPYKYM
=Na+Q
-----END PGP SIGNATURE-----
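The VLSM split that the reply recommends and the quoted question asks for (a /28 for a small perimeter segment, a /30 for the router-to-firewall link, a larger block for the inside network), worked through as an added example in Python. This is not code from either poster. It assumes 192.168.1.0/24 (the prefix used in the reply's own table) stands in for the unnamed Class C, and the 126-host internal subnet is an assumed size chosen for illustration. mask_row() reproduces the rows of the mask table using the same /31 and /32 convention as the table; plan_vlsm() carves the block largest demand first, which is what keeps every subnet naturally aligned on its own size.

```python
import ipaddress


def mask_row(prefix: int):
    """One row of the mask table: (dotted mask, total addresses, usable hosts).

    Follows the convention of the table in the reply: /32 is a single host
    route and /31 has no usable hosts once network and broadcast are taken
    out. (Caveat: RFC 3021 allows a /31 to carry two hosts on point-to-point
    links; that case is deliberately not modelled here.)
    """
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    total = net.num_addresses
    if prefix == 32:
        usable = 1
    elif prefix == 31:
        usable = 0
    else:
        usable = total - 2
    return str(net.netmask), total, usable


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable host count covers `hosts`."""
    if hosts < 1:
        raise ValueError("need at least one host")
    for prefix in range(30, -1, -1):
        if mask_row(prefix)[2] >= hosts:
            return prefix
    raise ValueError("more hosts than fit in a /0")


def plan_vlsm(block: str, demands):
    """Carve `block` into unequal subnets, largest demand first (VLSM).

    `demands` is an iterable of (name, hosts_needed) pairs. Allocating the
    largest subnet first means the cursor is always a multiple of the next
    (smaller or equal) subnet size, so every network comes out aligned.
    Returns (assignments, leftover): assignments maps name -> IPv4Network,
    leftover is the unallocated tail summarised into CIDR blocks.
    """
    parent = ipaddress.ip_network(block, strict=True)
    # shortest prefix = biggest subnet, so sort ascending by prefix length
    ordered = sorted(demands, key=lambda d: prefix_for_hosts(d[1]))
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address)
    assignments = {}
    for name, hosts in ordered:
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        if cursor + size - 1 > end:
            raise ValueError(f"{block} has no room left for {name} ({hosts} hosts)")
        assignments[name] = ipaddress.ip_network((cursor, prefix))  # aligned by construction
        cursor += size
    leftover = []
    if cursor <= end:
        leftover = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(cursor), ipaddress.ip_address(end)))
    return assignments, leftover


if __name__ == "__main__":
    for p in range(22, 33):
        mask, total, usable = mask_row(p)
        print(f"/{p:<3} {mask:<16} {total:>5} addresses; {usable:>4} hosts")
    # Assumed demands for the screened-subnet design in the quoted question:
    # the 126-host internal size is an illustration, not a figure from the page.
    demands = [("internal", 126), ("perimeter", 14), ("router-to-firewall", 2)]
    plan, free = plan_vlsm("192.168.1.0/24", demands)
    for name, net in plan.items():
        hosts = list(net.hosts())
        print(f"{name:<20} {net}  usable {hosts[0]} - {hosts[-1]}")
    print("unallocated:", ", ".join(str(n) for n in free))
```

The leftover blocks are what VLSM buys you over equal-size subnetting: with the three segments placed, 192.168.1.148/30, .152/29, .160/27 and .192/26 remain free for growth or for a second internal subnet, where a fixed two-way split would have burned a whole /25 on a perimeter that needs fourteen hosts.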

