On Mon, 2004-08-30 at 12:46, [EMAIL PROTECTED] wrote:
> Hi,
> 
> I have tried to set up a firewall with BSD (3.5).
> I experimented with a filtering bridge, so far ok. Now I needed a DMZ, so
> I didn't want to play with two PCs; all should be in one PC. I
> understand I'd have to use a firewall with three interface cards.
> Meanwhile I have read the book from Jacek Artymiak (second edition), and
> I have looked into the mailing lists ... But: I have problems
> understanding routing.
> Which routes do I need to set up in this straightforward example?

all you need is a default route pointing to your internet router's IP
address (attached to xl0).

the openbsd gateway is directly attached to the networks on xl1 and xl2
and will automatically know how to get to those networks.  the output
of:
        $ netstat -rn -f inet

should confirm this.

>          INTERNET
>             |
>             |
>   ---------------------
>   |        xl0        |   --------------
>   |                   |   |    DMZ     |
>   |               xl1 |---|            |
>   |                   |   | Mail & WWW | 
>   |        xl2        |   --------------
>   ---------------------
>             |
>             |
>            LAN
> 
> On top is the Internet, on the right hand side my DMZ (actually with a
> WWW and a Mail server). Below is my local area LAN. I would like to
> setup the firewall with PF and NAT. I have three network cards (3COM
> PCI), which are configured as xl0, xl1 and xl2; let's assume I have these
> IP addresses:
> 
> ext-if:     x.x.x.x       (xl0)
> dmz-if:     192.168.255.250 (xl1)
> Mailserver: 192.168.255.1
> Webserver:  192.168.255.2
> int-if:     192.168.0.250   (xl2)   
> 
> I would store this information in the corresponding interface.xl?
> files.
> In /etc/mygate on the firewall I would put the xl0 interface address
> (would that also be my default route?).

um, no.  in /etc/mygate you need to put the IP address of the upstream
router that connects you to the internet.

> All clients in the LAN shall
> have XL2's interface address as gateway.

yes.

> Routing:
> Everything shall leave the firewall via ext-if (xl0) by default. 
> Assume, I have no PF activated (but net.inet.ip.forwarding=1), then I
> would have to tell packets from the LAN, that the www and mailserver are
> in a different LAN. And for their different subnet I'd need a routing
> entry. 

yes--but it's already there for you once the interface is configured
with an IP address.

> When the mailserver sends its mail to the internet, its gateway address
> would be that of dmz-if (xl1); the same applies to the WWW server. If
> traffic comes from the DMZ, it would leave over the default gateway ext-if
> (xl0).

yes.

> If traffic from both DMZ servers is destined for the LAN, I would
> think I need a corresponding routing entry to pass via int-if.

no.  again--this will be automatic, as the internal LAN is directly
connected.

> If I set up PF now, with rules in pf.conf, do I need to delete these
> routes?

not quite sure what you mean by this, but i'm going to say the answer is
'no.'

-j

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
I am two with nature. -- Woody Allen
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
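To go with the routing answer above, here is an added example pf.conf for the xl0 (Internet) / xl1 (DMZ) / xl2 (LAN) layout drawn in the question. It is not from the original thread or its authors. It is written in the OpenBSD 3.x rule syntax the poster was running (separate nat/rdr rules, last matching rule wins unless marked quick); OpenBSD 4.7 and later express the same translations as match ... nat-to / rdr-to. Assumptions: /24 masks on both private networks, the DMZ hosts are only ever reached on ports 25 and 80, and the mail server is the only DMZ host that needs to open outbound SMTP. The routing side needs nothing beyond the reply: the upstream router's address in /etc/mygate, net.inet.ip.forwarding=1, and the interface addresses in /etc/hostname.xl0, hostname.xl1 and hostname.xl2 (the directly connected routes appear on their own once those are configured).

```pf
# Added example pf.conf for the three-interface firewall in the question.
# Assumptions: /24 masks on both private networks; DMZ services are only
# mail (25/tcp) and www (80/tcp).
ext_if  = "xl0"
dmz_if  = "xl1"
int_if  = "xl2"
dmz_net = "192.168.255.0/24"
int_net = "192.168.0.0/24"
mail_srv = "192.168.255.1"
www_srv  = "192.168.255.2"

scrub in all

# NAT: both private networks leave through whatever address xl0 has.
nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)

# Publish the DMZ services on the external address. The filter rules
# below see the translated (DMZ) destination, not the external one.
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $mail_srv
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_srv

# Default deny, then allow only what each zone needs.
block all
pass quick on lo0 all
antispoof quick for { $int_if, $dmz_if } inet

# The DMZ must never initiate connections into the LAN, so a compromised
# mail or web server gains no path to internal hosts.
block in quick on $dmz_if from $dmz_net to $int_net

# Internet -> DMZ services only (destinations already rewritten by rdr).
pass in on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state
pass in on $ext_if proto tcp from any to $www_srv  port 80 flags S/SA keep state

# DMZ -> Internet: outbound mail delivery and DNS lookups, nothing else.
pass in on $dmz_if proto tcp from $mail_srv to any port 25 flags S/SA keep state
pass in on $dmz_if proto udp from $dmz_net to any port 53 keep state

# LAN -> anywhere (Internet via NAT, DMZ directly). Replies are matched
# by the state entry, so no separate "pass in on $ext_if" is needed.
pass in on $int_if from $int_net to any keep state

# Let the firewall's own traffic and stateful forwarded traffic leave.
pass out keep state
```

Load it with pfctl -f /etc/pf.conf and check the parse first with pfctl -nf /etc/pf.conf. The one rule worth pointing out is the quick block from $dmz_net to $int_net: without it, the "pass in on $dmz_if ... port 25" rule would let the mail server open SMTP connections to LAN hosts, which defeats the point of putting it in a DMZ. pfctl -sr shows the loaded rules in evaluation order if something does not behave as expected.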