On Wed, 27 Mar 2002, Dave Anderson wrote:

> Hi,
> 
> I'm going to be switching my home network from ISDN to ADSL in the next few
> weeks, and I want to set up a LEAF firewall in preparation. I currently have
> a linux box as my gateway, running iptables. That box has the fixed public
> IP address that my ISP provided. I also run a few services on that machine,
> such as qmail, dns, www, sshd.
> 
> I'm going to be buying an ADSL router, which will have an ethernet port on the
> back, and I'm thinking of connecting that to my LEAF firewall, which
> forwards traffic on to my internal network, including the linux box on which
> I want to continue to run services.
> 
> My questions are these (and I realise they're not all totally specific to
> LEAF, but I know you guys know your networking ;-)
> 
> - Will my adsl router get my public ip address (presumably)

Depends on the type of "router".  If it is simply an ADSL modem, it will
probably be configured in transparent mode, with a PPPoE or static ip
being assigned to your LEAF "external" interface. If it is performing
Network Address Translation, it will hold the public address and NAT to
your internal network.  Usually, NATing ADSL interfaces have multiple
ethernet ports.

> - if so, should the router then have an internal address on its private-
> facing port

This would be true regardless.

> - if so, then presumably the LEAF external port is in the same network

That is one way... none of the options in this scenario are very
appealing if the ADSL router is a cheap NATing commercial unit.

Following your assumptions, the layout would be something like:

   your.pub.lic.ip
    ADSL router
    192.168.0.1 (for example)
         |
         |
    192.168.0.2
    LEAF router
    192.168.0.2
         |
         |
  other 192.168.0.x machines

which requires proxy arp or bridging.  Another way would be to NAT a
different network (say, 192.168.1.x) on top of 192.168.0.2.

Having a transparent ADSL modem is simpler... the LEAF can be
configured much more to your desires than your average commercial ADSL
NATing router.

> - in the above setup, can I plug the internal eth from the router into the
> LEAF NIC, with the right sort of cable

Yes.  Some ADSL modems have "hub" type connectors, while others have
"computer" type connectors... so you will have to check your docs.

> - Does my internal LEAF port then use another internal network, which
> presumably is the same as my internal machines

If you do use another internal network, you must masquerade in the LEAF
router because the typical ADSL router cannot be configured with
additional routes to other networks.

> - Do I then need to specifically nat all incoming requests to my particular
> internal server (www, smtp etc)

One way or another, yes.

> - If so, does that mean I shouldn't use dhcp on the internal network, so I
> can hard code the internal IP address of my server

DHCP can be configured with fixed addresses for certain machines, but I
generally set up a DHCP pool in one subset of addresses and use static ip
numbers for servers.

> And finally, does all this sound like the best way of doing this? My home
> server is not really used by a large number of people - mainly for home
> email and me logging in via ssh and imaps. It's pretty secure at the moment
> with iptables on it, but I'd like to run LEAF, partly for even better
> security, and partly to get used to LEAF even more.

Keep in mind that "home" networks like this are the easiest targets for
crackers, because you, the owner, are generally not spending a great deal of
effort on keeping your services up to the latest revisions.  Consider a
DMZ arrangement if you can afford the equipment, to keep the crackers in a
safe sandbox without exposing all of your life to their perusal in
between your bouts of maintenance.

If you have been happy and safe with your current setup, though, you may
choose to live with holes in your firewall.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
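The double-NAT layout Jeff describes, with the LEAF box masquerading an inner network behind its 192.168.0.2 external address and forwarding only the server's ports inward, as an added example that is not from the original thread. The interface names eth0/eth1, the inner network 192.168.1.0/24 and the server address 192.168.1.10 are assumptions; the script only prints the rules until DRY_RUN is cleared.

```shell
#!/bin/sh
# Added example (not part of the original thread): iptables rules for a LEAF
# router sitting behind a NATing ADSL router at 192.168.0.1.  Outbound traffic
# from the inner network is masqueraded behind the LEAF external address, and
# inbound connections for the home server's services are DNATed to it.
DRY_RUN=${DRY_RUN:-1}    # set DRY_RUN= (empty) on the LEAF box to apply rules
EXT_IF=eth0              # assumed: interface facing the ADSL router
EXT_IP=192.168.0.2       # LEAF external address from the diagram
INT_IF=eth1              # assumed: interface facing the inner network
INT_NET=192.168.1.0/24   # inner network suggested in the reply
SERVER=192.168.1.10      # assumed static address of the home server
PORTS="22 25 80 993"     # sshd, smtp, www, imaps (DNS would need a udp rule)

# Print the iptables command in a dry run, otherwise execute it.
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

leaf_nat_rules() {
    # Start from empty nat/forward chains and drop unsolicited forwards.
    ipt -t nat -F
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # Outbound: hide the inner network behind the LEAF external address.
    ipt -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound: rewrite the destination to the server for listed ports only,
    # then let the rewritten packets through the FORWARD chain.
    for port in $PORTS; do
        ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp \
            --dport "$port" -j DNAT --to-destination "$SERVER:$port"
        ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$SERVER" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
}

leaf_nat_rules
```

The ADSL router itself still has to forward the same ports to 192.168.0.2, since it cannot be given a route to 192.168.1.x.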

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user