on 6/17/00 11:26 PM, Civileme  wrote:

> 
>> I've got a question here.  What, if any, are the advantages of using two
>> NICs?  On the firewall we run here (FreeBSD) we are only using a single NIC
>> for both directions. To the network and to the Net.  (and we run video
>> conferencing video so traffic is heavy) As I see it adding a second NIC
>> only serves to add latency to the net access.  Unless your traffic volume
>> exceeds 10 or 100 mbs in any one direction (depending on your net speed)
>> the card even in half duplex mode should be more than able to handle the
>> traffic.  I've asked this question before in other groups and no one could
>> give me an answer that held water.  Thanks; hope this isn't off topic.  If it
>> is, please ignore and I apologize.
>> 
>> James
> 
> Well, I changed the topic to something appropriate.
> 
> Let's say that you use one NIC and give it two addresses...  If
> it has only one address, I am sailing by any firewall you set up
> on that box, BSD or not, because that means all your machines
> have network addresses reachable from outside.
> 
> If not--and you have two addresses on the card, one for local
> under the "experimental" addresses which are reserved from use on
> the internet, like
> 
> 192.168.0.0 - 192.168.255.255
> 176.16.0.0-176.31.255.255
> 10.0.0.0-10.255.255.255
> 
> and the other a real internet address.  This means incoming
> traffic from the internet is recognized and processed, then
> retransmitted on the same NIC to the local station if not
> filtered out.  This is equivalent to having two NICs since you
> have the latency.  In fact this rig is sometimes called the "poor
> man's router".....  I would hazard a guess that this is the
> configuration of your firewall.  It is more secure than attaching
> the interface to the internet router through a hub and attaching
> the locals onto the same hub.
> 
> Now if your "firewall" is on a hub with the local stations and
> the hub also connects to the internet router, then Mr. Aloysius
> Blackhat out on the internet figures out your local subnet and
> configures a similar subnet on his end--working a similar
> "firewall/router" combo, and into your subnet he comes with an
> EASY CRACK--he's just another one of the localhost folks.
> Civileme

So let's see if I've got this straight?

I can do IP masq with one ethernet card in the linux box (as
router/firewall)?

cables:
DSL modem into Hub A
Linux Box into Hub A
Mac Workstations into Hub A

ip addresses:
macs are set to 192.168.1.X
DSL IP comes in as y.y.y.y
linux box listens to y.y.y.y and 192.168.1.X

this setup lets me be cheap and save my $19 but it opens my subnet wide to
anyone who figures out the subnet address? (kind of like a VPN for crackers)

I think I'll spend the $19.

Gavin
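
An added check for the spoofing risk Civileme describes and the one-NIC hub setup Gavin sketches; this is example code written for this thread, not anything posted by either of them. It models the ingress anti-spoofing decision a two-NIC box can make versus a single NIC shared with the DSL modem over a hub, and emits the matching iptables rules. It assumes interface names eth0 (WAN) and eth1 (LAN) and the 192.168.1.0/24 Mac subnet from the thread; the three RFC 1918 blocks are used, the middle one being 172.16.0.0/12.

```python
from ipaddress import ip_address, ip_network

# The three RFC 1918 private blocks the thread refers to (middle block is 172.16.0.0/12).
PRIVATE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
LAN_NET = ip_network("192.168.1.0/24")  # assumption: the Macs' subnet from the thread
WAN_IF, LAN_IF = "eth0", "eth1"         # assumption: constructed interface names


def is_private(addr):
    """True if addr falls in any RFC 1918 block."""
    return any(addr in net for net in PRIVATE_NETS)


def two_nic_verdict(iface, src):
    """Ingress anti-spoofing decision for a packet entering on `iface`.

    With separate WAN and LAN cards the router knows which wire a packet
    came in on, so a private source on the WAN card (or a non-LAN source
    on the LAN card) is provably forged and can be dropped.
    """
    src_ip = ip_address(src)
    if iface == WAN_IF:
        return "DROP" if is_private(src_ip) else "ACCEPT"
    if iface == LAN_IF:
        return "ACCEPT" if src_ip in LAN_NET else "DROP"
    return "DROP"  # unknown interface: fail closed


def one_nic_verdict(src):
    """Same check on one card shared with the DSL modem over a hub.

    Every frame arrives on the same interface, so an outside packet carrying
    a 192.168.1.x source looks exactly like a local one; there is no ingress
    interface to filter on, and the LAN-looking source has to be accepted.
    """
    src_ip = ip_address(src)
    return "ACCEPT" if src_ip in LAN_NET or not is_private(src_ip) else "DROP"


def anti_spoof_rules(wan_if=WAN_IF):
    """iptables rules realising two_nic_verdict's WAN-side check on a two-NIC box."""
    return [f"iptables -A {chain} -i {wan_if} -s {net} -j DROP"
            for chain in ("INPUT", "FORWARD") for net in PRIVATE_NETS]


if __name__ == "__main__":
    spoofed = "192.168.1.77"  # constructed: outside packet forging a LAN source
    print("two NICs:", two_nic_verdict(WAN_IF, spoofed))  # DROP
    print("one NIC :", one_nic_verdict(spoofed))          # ACCEPT
    print("\n".join(anti_spoof_rules()))
```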