> OK, let's assume that I have a working DCD firewall.  By working, I mean
> everything is functioning as expected and it is pretty much a standard
> DCD v1.0.2.
>
> Now, suppose that it resides in a business with offices on multiple
> floors.  This business wants to sublet one of the floors to some other
> company.  Additionally, the business wants to give this other company
> internet access via the business' already functioning internet
> connection that happens to be firewalled successfully by the subject
> DCD.
>
> This other company wants a block of public IP addresses and they do not
> want to be firewalled by the first business.
>
> Therefore, we want to add another ethernet interface to the DCD, through
> which we want to route their block of addresses totally unfiltered.
> Also, neither the business nor the other company should have access to
> the others' networks.
>
> What is the simplest way to do this with DCD?
>
> What is the best way to do this with DCD?

Well, a pretty simple and pretty good solution would be to:

* Add a new interface to the system (physically), and connect it to your new
client's LAN.

* Configure the interface using the ethN_* settings, and add the interface
to IF_AUTO, so it gets configured on bootup

At this point, your new client can see the firewall box, but they won't be
connected to *ANYTHING* but the firewall, so:

* Craft some simple custom rules allowing *ALL* external traffic to the new
subnet.

  - In /etc/ipchains.input:
    # -I puts the rule at the head of the chain, ahead of the default blocks
    $IPCH -I input -j ACCEPT -d <client lan>

  - In /etc/ipchains.forward:
    # on the forward chain, -i is the interface the packet is about to go OUT
    # first rule: client -> Internet, second rule: Internet -> client
    $IPCH -I forward -j ACCEPT -s <client lan> -i <external interface>
    $IPCH -I forward -j ACCEPT -d <client lan> -i <client interface>

  - In /etc/ipchains.output:
    $IPCH -I output -j ACCEPT -s <client lan> -i <external interface>

You now have your client connected to the 'net with *NO* firewalling (well,
at least on their assigned IPs...they still can't spew private IPs to the
'net, but they're wide-open for M$ file-sharing and any other traffic
to/from their assigned IP range).

NOTE:  You don't ask about it, but you'll probably want to allow *SOME*
forwarding between the new client network and your other nets, primarily for
public servers.  If, for instance, you both have mail servers, they won't be
able to talk to each other because in the above setup *ALL* traffic between
the client net and your other networks is blocked by default.  Simply make
specific rules to allow desired traffic between the LANs in the
/etc/ipchains.forward file.  You should be able to use the -A (append)
rather than the -I (insert) rule for this traffic...the -I's in the above
are to get the new client's rules in place before the generic blocks put in
place by the default Dachstein ruleset, allowing your new clients to be hit
by IP spoofing attacks from private IP space, ICMP re-direct messages, and
pretty much any other packet you can think of.  Typical candidates for
desired services might be DNS, SMTP, and WWW.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user
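The procedure in the reply above, written out as a dry-run generator for the ipchains rules so the ruleset can be read over before it is pasted into the /etc/ipchains.* files. This is an added example, not code from the post or from the Dachstein/LRP distribution. The interface names (eth0 external, eth1 internal, eth2 for the subtenant), the 203.0.113.0/28 client block, the 192.168.1.0/24 internal LAN and the list of services (DNS, SMTP, WWW) are all assumptions. It goes slightly beyond the post in two ways: it refuses an RFC1918 client block up front, since the whole point is that the subtenant gets public addresses, and it spells out the appended (-A) inter-LAN service rules the NOTE describes, including the reply direction, because ipchains is stateless.

```shell
#!/bin/sh
# Added example, not from the original post or the Dachstein/LRP ruleset.
# Emits the ipchains commands for an unfiltered subtenant block as plain
# text so they can be reviewed before being pasted into /etc/ipchains.*.
# Every interface name and address below is an assumption for the example.

IPCH=${IPCH:-ipchains}
EXT_IF=${EXT_IF:-eth0}          # assumed: interface toward the ISP
INT_IF=${INT_IF:-eth1}          # assumed: interface toward your own LAN
CLIENT_IF=${CLIENT_IF:-eth2}    # assumed: the newly added subtenant interface
INT_LAN=${INT_LAN:-192.168.1.0/24}        # assumed: your own (private) LAN
CLIENT_LAN=${CLIENT_LAN:-203.0.113.0/28}  # assumed: subtenant's public block

# Return 0 if the block lies in RFC1918 space.  The subtenant must have public
# addresses: the existing anti-spoofing rules would never let private source
# addresses out the external interface anyway.
is_private_block() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Head-of-chain (-I) rules: they must run before the generic deny rules the
# default ruleset puts in the same chains.  On the forward and output chains
# ipchains' -i matches the interface the packet is about to leave by.
client_input_rules() {
    echo "$IPCH -I input -j ACCEPT -d $CLIENT_LAN"
}
client_forward_rules() {
    echo "$IPCH -I forward -j ACCEPT -s $CLIENT_LAN -i $EXT_IF"    # client -> Internet
    echo "$IPCH -I forward -j ACCEPT -d $CLIENT_LAN -i $CLIENT_IF" # Internet -> client
}
client_output_rules() {
    echo "$IPCH -I output -j ACCEPT -s $CLIENT_LAN -i $EXT_IF"
}

# Selected services between the two LANs, appended (-A) after the default
# anti-spoofing checks.  ipchains is stateless, so each service needs the
# request in one direction and the reply (non-SYN for TCP) in the other.
# Usage: service_rules tcp 25   |   service_rules udp 53
service_rules() {
    proto=$1; port=$2
    noyn=""
    if [ "$proto" = tcp ]; then noyn="! -y "; fi
    # subtenant -> your server on $port, and the replies
    echo "$IPCH -A forward -j ACCEPT -p $proto -s $CLIENT_LAN -d $INT_LAN $port -i $INT_IF"
    echo "$IPCH -A forward -j ACCEPT -p $proto ${noyn}-s $INT_LAN $port -d $CLIENT_LAN -i $CLIENT_IF"
    # your LAN -> subtenant's server on $port, and the replies
    echo "$IPCH -A forward -j ACCEPT -p $proto -s $INT_LAN -d $CLIENT_LAN $port -i $CLIENT_IF"
    echo "$IPCH -A forward -j ACCEPT -p $proto ${noyn}-s $CLIENT_LAN $port -d $INT_LAN -i $INT_IF"
}

# Full dry run: refuse a private subtenant block, then print every rule
# grouped by the file it belongs in.
generate_all() {
    if is_private_block "$CLIENT_LAN"; then
        echo "CLIENT_LAN $CLIENT_LAN is RFC1918 space; the subtenant needs public addresses" >&2
        return 1
    fi
    echo "# /etc/ipchains.input";   client_input_rules
    echo "# /etc/ipchains.forward"; client_forward_rules
    for svc in "udp 53" "tcp 53" "tcp 25" "tcp 80"; do
        service_rules $svc
    done
    echo "# /etc/ipchains.output";  client_output_rules
}

# Run as:  sh thisfile.sh generate   (or set EXT_IF/CLIENT_LAN/... first)
case "${1:-}" in
    generate) generate_all ;;
esac
```

Because every -I rule lands at position 1, the two forward rules end up in the reverse of the order they are issued; that is harmless here since both are ACCEPTs with disjoint matches. The service rules deliberately name both interfaces and both address ranges so that a packet from the subtenant block can never be forwarded into the internal LAN except on the listed ports.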
