Re: [CentOS] More about firewalling

2009-10-06 Thread Ryan Wagoner
If you just want public IPs passed to downstream devices then bridging
two NICs will allow you to accomplish this. Otherwise you will need to
set up NAT port forwards or 1:1 NAT. You assign the external IP and
internal IP when creating the NAT rule.

The device only needs to be as fast to handle the Mbps you need routed
from your ISP. Having multiple IPs isn't going to affect the speed by
much since the destination IP address is in the packet header. The
firewall is going to check the header and determine if the packet gets
passed through, blocked, or if NAT is going to be performed.

Ryan

On Mon, Oct 5, 2009 at 5:45 PM, ML mailingli...@mailnewsrss.com wrote:
 Hi All,

 So before when I used PIX's for my employer, our traffic was
 statically routed to one IP and then the firewall decided if allowed/
 denied and passed it on or dropped it.

 I have a Comcast business circuit with 13 IP's. The gateway device
 they provide is a 'pass through' device. They sent traffic for all 13
 IP's my way. It just allows traffic through. So if I put in a device
 to firewall (like Ipcop or Vyatta or something) in front, say it has 3
 NICS, how do I do that?

 If the Firewall has IP A and Traffic for IP B comes in how would IP A
 answer and decide if the traffic to IP B belonged?  Without statically
 routing I am confused on how to accomplish this?

 How fast does this device need to be?

 Best,
 -Jason

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] More about firewalling

2009-10-06 Thread Wilson Lee
Jason,

For Vyatta questions, it's best to direct them to their forum at
http://vyatta.org/forum.  Their site also has excellent documentation on basic
setup, which is found at http://vyatta.org/documentation.

I have a very similar setup to yours, Comcast business and Vyatta Community
Edition with three NICs - WAN, LAN, and DMZ.  To set up Vyatta so that you can
access internal servers from external sources, you would need to set up
destination NATs.  You would then create firewall rules to allow specific
destination ports into your network.  With Vyatta, for incoming traffic DNAT is
performed before the packet goes to the firewall, which is why you see the
internal IP address in the firewall rule and not the external IP address.

Here is a sample DNAT rule for SMTP to my mail server:

rule 200 {
    description DNAT TCP connection from WAN to mail server
    destination {
        address 123.123.123.100
        port 25
    }
    inbound-interface eth0
    inside-address {
        address 10.10.10.10
    }
    protocol tcp
    type destination
}

Here is a sample firewall rule for SMTP to my mail server:

rule 500 {
    action accept
    description accept tcp port from WAN to alpha
    destination {
        address 10.10.10.10
        port 25
    }
    protocol tcp
    source {
        address 0.0.0.0/0
    }
}

My CPU isn't all that powerful, but it serves my network well.  If you have low
traffic volume, your P3/P4s should be sufficient.

vyatta$ cat /proc/cpuinfo
processor   : 0
vendor_id   : CentaurHauls
cpu family  : 6
model   : 9
model name  : VIA Nehemiah
stepping: 8
cpu MHz : 998.714
cache size  : 64 KB
fdiv_bug: no
hlt_bug : no
f00f_bug: no
coma_bug: no
fpu : yes
fpu_exception   : yes
cpuid level : 1
wp  : yes
flags   : fpu vme de pse tsc msr cx8 sep mtrr pge cmov pat mmx fxsr sse up rng rng_en ace ace_en
bogomips: 2000.40
clflush size: 32
power management:

Again, vyatta.org is the best place to get the information you need.


Best,
Wilson

From: ML mailingli...@mailnewsrss.com
To: CentOS mailing list centos@centos.org
Sent: Monday, October 5, 2009 2:45:12 PM
Subject: [CentOS] More about firewalling

Hi All,

So before when I used PIX's for my employer, our traffic was  
statically routed to one IP and then the firewall decided if allowed/ 
denied and passed it on or dropped it.

I have a Comcast business circuit with 13 IP's. The gateway device  
they provide is a 'pass through' device. They sent traffic for all 13  
IP's my way. It just allows traffic through. So if I put in a device  
to firewall (like Ipcop or Vyatta or something) in front, say it has 3  
NICS, how do I do that?

If the Firewall has IP A and Traffic for IP B comes in how would IP A  
answer and decide if the traffic to IP B belonged?  Without statically  
routing I am confused on how to accomplish this?

How fast does this device need to be?

Best,
-Jason


Re: [CentOS] More about firewalling

2009-10-06 Thread Dan Carl
ML wrote:
 I have a Comcast business circuit with 13 IP's. The gateway device  
 they provide is a 'pass through' device. They sent traffic for all 13  
 IP's my way. It just allows traffic through. So if I put in a device  
 to firewall (like Ipcop or Vyatta or something) in front, say it has 3  
 NICS, how do I do that?
Before I start, this may not be the best/easiest way to accomplish this;
I'm just sharing how I do it.

I too have Comcast Business (love the speed and the price).
I have only a standard 5 usable IP block, but my setup may work for you.
I chose to use CentOS for everything; I know there are better-suited
OSes out there for this.
I just don't want to have to remember the different nuances between nixes.
You could also buy a commercial router for this, but if you're cheap like
me and have an ever-shrinking IT budget, why?
I use a recycled dual P-III 866MHz, 512K RAM and a 4-port Intel NIC.
You should be able to purchase similar boxes for $100-$150 or use
whatever you have lying around.
I mirror two 40GB HDs, but a more reliable setup would be to boot a live
CD and use a USB drive for storage.
I just have not got around to trying this yet.

If you want the IPs to go to different boxes you can just buy a switch and
connect it to the Comcast device.
Then set your assigned IP addresses on each box's NIC.
But what I believe you want is to have all the IPs come into one point
and be distributed to your other boxes behind it.
To do this, use IP aliasing and assign your 13 IPs to eth0 - eth0:12.
For more info, google IP aliasing.
You can route the traffic out one or several NICs.
I DMZ my internal network, mail server and web server to separate NICs, but
you don't have to.
To decide where the traffic for a whole IP and/or port goes, use iptables.
Everything you need to know about it, and more, is here:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
I just like writing/editing iptables from a script.
 If the Firewall has IP A and Traffic for IP B comes in how would IP A  
 answer and decide if the traffic to IP B belonged?  Without statically  
 routing I am confused on how to accomplish this?

 How fast does this device need to be?

I run DNS, DHCP, NTP without ever using 1% of CPU and very rarely using
swap.
So I'd say it's fast enough.
Just install base, no GUI, and turn off all nonessential services.
If you want, email me off-list and I can forward you a crude howto.
Cheers
Dan
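As an added example (not code from any poster in this thread), the DNAT-then-filter pattern Wilson shows for Vyatta, written as the kind of iptables script Dan describes for a CentOS box holding several public IPs; the interface names and every address are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from any poster on this thread: iptables rules for a
# CentOS box that owns several public IPs on eth0 (aliased as Dan
# describes) and forwards each to an internal host, mirroring Wilson's
# Vyatta DNAT + firewall rule pair. All addresses are constructed
# placeholders. Run with DRY_RUN=1 to print the commands instead.

WAN=eth0   # NIC carrying the public IP aliases
DMZ=eth1   # NIC the internal servers sit behind
# Constructed mapping table: "public_ip internal_ip proto port"
MAPPINGS='203.0.113.10 10.10.10.10 tcp 25
203.0.113.11 10.10.10.20 tcp 443'

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

base_policy() {
    # Default deny on the forwarding path; only explicit holes get through.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F PREROUTING
    # Replies to connections that were already allowed
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internal hosts may initiate connections to the Internet
    ipt -A FORWARD -i "$DMZ" -o "$WAN" -j ACCEPT
}

# DNAT rule plus the matching filter rule for one public service.
# The FORWARD rule matches the internal address: nat/PREROUTING rewrites
# the destination before the packet reaches FORWARD, the same ordering
# Wilson notes for Vyatta; a FORWARD rule on the public IP would never match.
publish() {
    pub=$1; int=$2; proto=$3; port=$4
    ipt -t nat -A PREROUTING -i "$WAN" -p "$proto" -d "$pub" --dport "$port" \
        -j DNAT --to-destination "$int"
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -p "$proto" -d "$int" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

apply_all() {
    base_policy
    echo "$MAPPINGS" | while read -r pub int proto port; do
        [ -n "$pub" ] && publish "$pub" "$int" "$proto" "$port"
    done
}
```

The public IPs must already be bound to eth0 (Dan's eth0:N aliases, or `ip addr add`) and IP forwarding enabled, otherwise the box never sees the traffic these rules act on.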


Re: [CentOS] More about firewalling

2009-10-06 Thread Les Mikesell
ML wrote:
 Hi All,
 
 So before when I used PIX's for my employer, our traffic was  
 statically routed to one IP and then the firewall decided if allowed/ 
 denied and passed it on or dropped it.
 
 I have a Comcast business circuit with 13 IP's. The gateway device  
 they provide is a 'pass through' device. They sent traffic for all 13  
 IP's my way. It just allows traffic through. So if I put in a device  
 to firewall (like Ipcop or Vyatta or something) in front, say it has 3  
 NICS, how do I do that?
 
 If the Firewall has IP A and Traffic for IP B comes in how would IP A  
 answer and decide if the traffic to IP B belonged?  Without statically  
 routing I am confused on how to accomplish this?
 
 How fast does this device need to be?

Have you logged into the Comcast device to see what options it offers for
firewalling and port forwarding itself?  They may not all be the same, but the
ones I've seen do NAT as well as pass-through of the public addresses and have
some other options that may be all you need.  A google search should turn up
the login and password you need for access if you don't already have it.

-- 
   Les Mikesell
lesmikes...@gmail.com



Re: [CentOS] More about firewalling

2009-10-05 Thread nate
ML wrote:

 I have a Comcast business circuit with 13 IP's. The gateway device
 they provide is a 'pass through' device. They sent traffic for all 13
 IP's my way. It just allows traffic through. So if I put in a device
 to firewall (like Ipcop or Vyatta or something) in front, say it has 3
 NICS, how do I do that?

If you're just interested in firewalling (i.e. not NAT or something)
then you can put the firewall in transparent bridging mode.

 How fast does this device need to be?

Depends on your throughput and conns/sec. I use a Soekris at home for
my ~10-30Mbps Comcast line; it has a 500MHz AMD Geode and usually
sits at less than 1% CPU (though I don't use it too often). I have
OpenBSD running on it in routed mode for firewall+NAT. I would
wager anything from the last 5-6 years would be more than enough. A good
NIC is important too.

Does Linux's firewall support even have stuff like stateful failover
these days? I've been using OpenBSD (vs. Linux at least) since 2004
for any firewalls that I deemed serious, FreeBSD before that.

I hate *BSD userland stuff, but I do like pf.

nate

