At 11:50 PM 6/17/00, you wrote:
>on 6/17/00 11:26 PM, Civileme wrote:
>
> >
> >> I've got a question here. What if any are the advantages of using two
> >> NIC's On the firewall we run here (FreeBSD) we are only using a single NIC
> >> for both directions. To the network and to the Net. (and we run video
> >> conferencing video so traffic is heavy) As I see it adding a second NIC
> >> only serves to add latency to the net access. Unless your traffic volume
> >> exceeds 10 or 100 mbs in any one direction (depending on your net speed)
> >> the card even in half duplex mode should be more than able to handle the
> >> traffic. I've asked this question before in other groups and no one could
> >> give me an answer that held water. Thanks hope this isn't off topic if it
> >> is please ignore and I apologize.
> >>
> >> James
> >
> > Well, I changed the topic to something appropriate.
> >
> > Let's say that you use One NIC and give it two addresses... If
> > it has only one address, I am sailing by any firewall you set up
> > on that box, BSD or not, because that means all your machines
> > have network addresses reachable from outside.
> >
> > If not--and you have two addresses on the card, one for local
> > under the "experimental" addresses which are reserved from use on
> > the internet, like
> >
> > 192.168.0.0 - 192.168.255.255
> > 176.16.0.0-176.31.255.255
> > 10.0.0.0-10.255.255.255
> >
> > and the other a real internet address. This means incoming
> > traffic from the internet is recognized and processed, then
> > retransmitted on the same NIC to the local station if not
> > filtered out. This is equivalent to having two NICs since you
> > have the latency. In fact this rig is sometimes called the "poor
> > man's router"..... I would hazard a guess that this is the
> > configuration of your firewall. It is more secure than attaching
> > the interface to the internet router through a hub and attaching
> > the locals onto the same hub.
> >
> > Now if your "firewall" is on a hub with the local stations and
> > the hub also connects to the internet router, then Mr. Aloysius
> > Blackhat out on the internet figures out your local subnet and
> > configures a similar subnet on his end--working a similar
> > "firewall/router" combo, and into your subnet he comes with an
> > EASY CRACK--he's just another one of the localhost folks.
> > Civileme
>
>So let's see if I've got this straight?
>
>I can do IP masq with one ethernet card in the linux box (as
>router/firewall)?
>
>cables:
>DSL modem into Hub A
>Linux Box into Hub A
>Mac Workstations into Hub A
>
>ip addresses:
>macs are set to 192.168.1.X
>DSL IP comes in as y.y.y.y
>linux box listens to y.y.y.y and 192.168.1.X
>
>this setup lets me be cheap and save my $19 but it opens my subnet wide to
>anyone who figures out the subnet address? (kind of like a VPN for crackers)
>
>I think I'll spend the $19.
>
>Gavin
Gavin,
Normally true, but what I was looking for was what Civileme gave me as
far as "reasonableness" of explanation. Oh and by the way my current
router/firewall is an old 486 notebook with only one pcmcia slot. So for
the moment a "new Nic" card would cost me a new box. *sigh* there are
reasons for not using my linux/bsd development boxes as a
firewall. Perhaps the best is that our boxes behind this firewall change
almost daily. (People load new OS's, move boxes to their homes, etc., etc.,
constantly.) New company, small income. Tiny firewall.