Hi Manesh, all

> I am thinking of a firewall setup for a small business.  Naturally, the
> firewall box should have two NICs with two IP addresses.  The NIC at
> internet side (connecting to a DSL router) will have a valid IP address.
> 
A firewall will probably have two or more NICs. I myself prefer not to call
a Linux box with ipchains or many Checkpoint boxes 'firewalls'. I prefer to
call network level filters that and application level gateways such. I
consider either or a combination of both a firewall (or 'firewall system',
so as to be able to comply at least a bit with the common terminology).

In case I've confused you: there is no standard for the term 'firewall'. No
one can say that *a firewall* does this or that, can do this or that, looks
and operates like this or that. It depends entirely on the implementation.

> I'm confused about the other side - and naturally the network addres for
> this other side and the rest of my small network should be the same:
> 
> 1) Does a firewall act like a gateway (TCP router)?  Can I put a 192.168
> IP address at the other side for example?
> 
Firewalls do normally act as gateways, either on the network level or on the
application level. You can use RFC 1918 addresses on your internal network.
To be able to access the Internet, however, you need to perform NAT (network
address translation) somewhere in the firewall system or use proxies
(application level gateways).

> 2) If (1) is possible, are there any advantages in putting "real, valid"
> IP addresses on the internal side and the rest of the network?  What's the
> usual practice for IP addressing in such a scenario?
> 
Other than they cost you money, there aren't many disadvantages. You
shouldn't use non-RFC 1918 addresses that you haven't registered, because if
you do goof somewhere and packets from you get onto the Internet, the
organisation that's registered those addresses will receive the reply
packets, which they probably won't exactly appreciate.

> 3) If I want to use NAT, should I use it on the firewall box or somewhere
> else on the network?
> 
Depends entirely on your goal. It is rather common to do NAT on the
firewall, but by no means a requirement.

Regards
Tobias Reckhard
secunet 
Security Networks AG       Tel   : +49(6196)95888-42
Mergenthalerallee 77       Fax   : +49(6196)95888-88
D-65760 Eschborn           E-Mail: [EMAIL PROTECTED]
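
An added example, not part of the original message: a check over firewall log lines for packets leaving the external interface with a source address that was neither translated nor registered to the site, the failure case described in the answer to question 2. The log format, the interface name eth0 and all addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress

# The three private blocks reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_source(src, registered, nat_address):
    """Classify the source of a packet seen leaving the external interface."""
    addr = ipaddress.ip_address(src)
    if addr == ipaddress.ip_address(nat_address):
        return "ok-translated"              # NAT rewrote the source
    if any(addr in net for net in registered):
        return "ok-registered"              # our own registered space
    if any(addr in net for net in RFC1918):
        return "leak-untranslated-private"  # NAT rule missed this host
    return "leak-unregistered-public"       # replies go to someone else

def audit(log_lines, registered, nat_address, external_if="eth0"):
    """Return (src, dst, verdict) for every leaking packet in the log."""
    nets = [ipaddress.ip_network(n) for n in registered]
    findings = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        if fields.get("OUT") != external_if:
            continue                        # internal traffic is out of scope
        verdict = classify_source(fields["SRC"], nets, nat_address)
        if verdict.startswith("leak"):
            findings.append((fields["SRC"], fields["DST"], verdict))
    return findings

# Constructed sample log (hypothetical key=value format).
SAMPLE_LOG = [
    "OUT=eth0 SRC=203.0.113.10 DST=203.0.113.200",  # translated by NAT
    "OUT=eth0 SRC=198.51.100.5 DST=203.0.113.200",  # registered address
    "OUT=eth0 SRC=192.168.1.20 DST=203.0.113.200",  # private address escaped
    "OUT=eth0 SRC=192.0.2.77 DST=203.0.113.200",    # address we do not own
    "OUT=eth1 SRC=192.168.1.20 DST=192.168.1.1",    # internal side, ignored
]
REGISTERED = ["198.51.100.0/28"]   # assumed prefix registered to the site
NAT_ADDRESS = "203.0.113.10"       # assumed external address of the firewall

if __name__ == "__main__":
    for src, dst, verdict in audit(SAMPLE_LOG, REGISTERED, NAT_ADDRESS):
        print(f"{verdict}: {src} -> {dst}")
```
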
