Marco Tassinari writes:

> Hallo,
> I wonder what is the best solution for security in this ascii-art
> network:
>
>          [router]
>             |
>   [let's call it firewall even if it's not one for the moment]
>             |
>   +--------------|-------------|----....----|
>   |              |             |            |
> [server]        [PC]          [PC]         [PC]
>
> The topology is untouchable: this is a marketing request.
> In the empty space I put my firewall: a filter and proxy (squid)
> server, debian potato with kernel 2.2.19, ipchains made.
> It seems a good solution to me.

Hmm, it seems to be good, but you should take great care: this machine would become your main headache for security purposes. Evidently all your connected PCs are in local subnets and the router is configured to drop any local-subnet packets attempting to go out.

> The trouble is a pre-set NAT table in the router: the unique
> external IP is remapped to the internal address of the server.

Maybe you could give the server's address to the firewall ;-) Then you don't have to touch the router's configuration.

> I don't know how to say the router 'route add default gw firewall'...

You should never do that since I suppose the router is your external access; its default route must be another router... But you can tell the router to redirect all stuff for the server to the firewall.

> and my manager said: <<router is preferably not to modify>>.

He could just change the router's configuration to whatever you choose for the firewall address and remap all public traffic (filtering all you don't need) to your firewall. Then configuring your firewall would act as if you were configuring the router directly, except there is another gate between you and the wild wild internet. It's a good thing. Anyway, for more security, you should try to configure your router to drop all incoming connections on critical services running on the firewall.

> So I thought:
>
> First solution: to make the firewall be a bridge for incoming
> connections to the server, and normal filter+proxy for
> outgoing ones. It seems not so good to me.
>
> Or: to make the firewall use a 2.4.5 kernel, and use NAT iptable to
> redirect in some way the router --> server connection. I think (but
> I'm not sure) it should work. It costs a lot to me in upgrading to
> iptables.

They're not so different and some existing tools do convert your old rules to the new iptables ones. You can also keep ipchains compatibility within your 2.4 kernel (I've never tested it, but I understood it was possible).

Last thing, your two solutions are nearly the same solution: making your firewall a bridge for the server's connections reflects that it acts as a NAT for the server's address, and you can do it with ipchains / iptables. See the NAT and port forwarding HOWTOs for a complete explanation...

> What do you suggest?

As a conclusion, you'll ask your manager to modify the router's configuration anyway.

> Thanks!, Marco

Regards.

-- 
Davy Gigan
System & Network Administration
University Of Caen (France)
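The port-forwarding variant Davy describes (firewall takes over the address the router already NATs to, then DNATs only the published ports on to the server) as an added example for a 2.4/iptables box; this is not code from the thread. All addresses, interface names and ports are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed (constructed) layout:
#   eth0 faces the router, eth1 faces the LAN switch,
#   10.0.0.2 is the address the router's NAT table points at (now on the
#   firewall's eth0), the server is moved to 10.0.0.10 behind eth1.
WAN_IF=eth0
LAN_IF=eth1
FW_IP=10.0.0.2            # former server address, now held by the firewall
SRV_IP=10.0.0.10          # server's new internal address
PUBLISHED_PORTS="80 443"  # only the services the server must expose

# Emit the rule set as text so it can be reviewed before it is applied.
build_rules() {
    # Default deny for anything routed through the box.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F PREROUTING"
    # Replies to sessions already accepted pass in both directions.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $PUBLISHED_PORTS; do
        # Router still sends to the old server address; rewrite it to the server.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $FW_IP -p tcp --dport $port -j DNAT --to-destination $SRV_IP:$port"
        # Only the published ports may open new sessions towards the server.
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $SRV_IP -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # The PCs reach the outside through squid on the firewall itself,
    # so no MASQUERADE rule is needed for them here.
}

# Number of DNAT rules generated (one per published port).
count_dnat() {
    build_rules | grep -c ' -j DNAT '
}

# Apply the generated rules on the firewall (run as root).
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | while read -r cmd; do
        eval "$cmd"
    done
}
```

Run `build_rules` first to inspect the rules; `apply_rules` is what actually loads them.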

