> Sound OK so far?

Yup, same setup I'm using (kinda).  Works out very well.

> Next steps I think are figuring out how to provide DHCP
> to both internal subnets from the same Gentoo box, and
> what gateway address(es) the clients should use.

The gentoo box is the gateway.  Assuming it is 192.168.{0,1}.1,
that would be the address to feed to the internal network boxen.

DHCP is easily configured to serve based upon the card, you just
need to dig into the config file to get it set up.  Don't forget
to add iptables rules to block DHCP traffic coming or going on
the card connected to the network; you don't want to offer DHCP
to anyone outside of your internal network.

Along with DHCP you might want to add a caching DNS proxy on the
gateway box.  This will simplify the network settings of the
internal systems (everything network-related would point to the
gateway).

> Finally, I need to be able to do port-forwarding from the
> outside to a specific host on one of the internal subnets.
> Can I do that?

Yes, it's all done via iptables.  You'll need to chain it up; the
cable modem forwards to the firewall which forwards to the gentoo
box which forwards to the specific host.  You'll have to get all
of the DNAT stuff right along the way.

> One quandary I have is regarding the hardware firewall. We have
> money invested in it, but does it buy me anything now that we are
> creating the 2 separate subnets? Should I just sell it and let
> the Gentoo box be the firewall as well?

As one poster said it will offer another layer of protection, but...

Personally I found it unwieldy to maintain iptables rules in such a
fashion.  If traffic can't get to/from a destination you'll have like
5 points of failure: the local box, the switch, the gentoo box, the
firewall, and finally the cable modem.

And with the correct iptables rules in place your gentoo box will
be just as secure as the firewall appliance.  It also offers you the
opportunity to see all incoming traffic, not just the traffic the
firewall appliance allows.  So, for example, I have the ssh port open
on the gentoo box but it is basically a honeypot; folks trying to
connect there get automatically added to the blacklist and traffic
is blocked from them permanently.

I'm not sure how feature-full your firewall appliance is, but the ones
that I was using had limited port forwarding capabilities (10 to be
exact).  Once I wanted to start hosting basic services, I quickly
consumed those ports (imap, pop3, ssh, ident, smtp, ftp, http/s, ...).

This however might not be a problem for you.


-- 
gentoo-user@gentoo.org mailing list
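The per-card DHCP blocking and the chained DNAT port forwarding the reply describes, as an added example rather than anything posted in the thread. Interface names, the two subnets and the forwarded host are assumed placeholders, and the script only echoes the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example for the gateway setup discussed above; not code from the thread.
# Assumed layout: eth0 faces the firewall appliance / cable modem, eth1 and eth2
# carry the two internal subnets. Dry-run by default: rules are echoed, not applied.
WAN=eth0
LAN0=eth1; LAN0_NET=192.168.0.0/24
LAN1=eth2; LAN1_NET=192.168.1.0/24
IPT=${IPT:-"echo iptables"}   # run as root with IPT=iptables to apply for real

# Never offer or accept DHCP (udp 67/68) on the card facing the outside.
block_dhcp_wan() {
    $IPT -A INPUT  -i "$WAN" -p udp --dport 67 -j DROP
    $IPT -A INPUT  -i "$WAN" -p udp --dport 68 -j DROP
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 67 -j DROP
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 68 -j DROP
}

# Let the two internal subnets reach the outside through this box (NAT hop).
masquerade_lans() {
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN0_NET" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN1_NET" -j MASQUERADE
}

# One hop of the DNAT chain: rewrite the destination of packets arriving on
# the WAN card for <ext_port> to <host>:<int_port>, then allow that flow
# through FORWARD. The upstream firewall appliance must already forward the
# same port to this box's WAN address (its own rule, not shown here).
# Usage: forward_port <proto> <ext_port> <host> <int_port> <lan_if>
forward_port() {
    proto=$1; eport=$2; host=$3; hport=$4; lan=$5
    $IPT -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$eport" \
         -j DNAT --to-destination "$host:$hport"
    $IPT -A FORWARD -i "$WAN" -o "$lan" -p "$proto" -d "$host" --dport "$hport" \
         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Everything in one go, e.g. sshd on a box in the second subnet (assumed host).
apply_all() {
    block_dhcp_wan
    masquerade_lans
    forward_port tcp 2222 192.168.1.10 22 "$LAN1"
}
```

Replies for the forwarded flow return through the box on the ESTABLISHED state match, so no extra rule is needed for the reverse direction.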