> Sound OK so far?

Yup, same setup I'm using (kinda). Works out very well.

> Next steps I think are figuring out how to provide DHCP
> to both internal subnets from the same Gentoo box, and
> what gateway address(es) the clients should use.

The gentoo box is the gateway. Assuming it is 192.168.{0,1}.1, that would be the address to feed to the internal network boxen. DHCP is easily configured to serve based upon the card, you just need to dig into the config file to get it set up. Don't forget to add iptables rules to block DHCP traffic coming or going on the card connected to the network; you don't want to offer DHCP to anyone outside of your internal network.

Along with DHCP you might want to add a caching DNS proxy on the gateway box. This will simplify the network settings of the internal systems (everything network-related would point to the gateway).

> Finally, I need to be able to do port-forwarding from the
> outside to a specific host on one of the internal subnets.
> Can I do that?

Yes, it's all done via iptables. You'll need to chain it up; the cable modem forwards to the firewall which forwards to the gentoo box which forwards to the specific host. You'll have to get all of the DNAT stuff right along the way.

> One quandary I have is regarding the hardware firewall. We have
> money invested in it, but does it buy me anything now that we are
> creating the 2 separate subnets? Should I just sell it and let
> the Gentoo box be the firewall as well?

As one poster said it will offer another layer of protection, but... Personally I found it unwieldy to maintain iptables rules in such a fashion. If traffic can't get to/from a destination you'll have like 5 points of failure: the local box, the switch, the gentoo box, the firewall, and finally the cable modem. And with the correct iptables rules in place your gentoo box will be just as secure as the firewall appliance. It also offers you the opportunity to see all incoming traffic, not just the traffic the firewall appliance allows.

So, for example, I have the ssh port open on the gentoo box but it is basically a honey pot; folks trying to connect there get automatically added to the blacklist and traffic is blocked from them permanently. I'm not sure how feature-full your firewall appliance is, but the ones that I was using had limited port forwarding capabilities (10 to be exact). Once I wanted to start hosting basic services, I quickly consumed those ports (imap, pop3, ssh, ident, smtp, ftp, http/s, ...). This, however, might not be a problem for you.

--
gentoo-user@gentoo.org mailing list