Thanks for the quick reply! Some more stuff below...

> > * what is the best way/distro to set up a LEAF box as this kind of border
> > router? (I noticed references to border_router options on the Dachstein
> > network.conf documentation page, but haven't been able to find any
> > substantial documentation about setting one up.)
> 
> You can use Dachstein (2.2 kernel & ipchains) or Bering (2.4 kernel and
> iptables) to do this.  Bering with iptables gets you a stateful
> firewall, while Dachstein/ipchains is just a packet filtering
> firewall.
> 
> If you use Dachstein, you can use either the border_router options (not
> a lot of documentation as that's something inherited from Matthew
> Grant's Materhorn image that I never messed with much), or a
> "routed" DMZ.

I have tried Dachstein, and it works, but I think that was just setting
it up as a straight router, basically just forwarding everything through.
Maybe it needs to be more secure than that, I dunno. Is there any
documentation you can point me to about the 'border_router' option?


> If you use Bering, the Shorewall configuration is really flexible and
> can easily do what you want.

I will have to have a look into that some more.

 
> > * how do I also set up the LEAF box so that it can receive VPN server
> > requests on its IP address (addrISP), but forward those requests to be
> > served by another firewall server connected to the internal lan?
> 
> Why do you need to do this?  The server connected to the internal lan
> also has a public IP, doesn't it (addrPUBB in the diagram below)?  Why
> make life harder by natting only IPSec traffic from Server1, but not
> other traffic (tricky to set up and debug properly)?

Basically because if they VPN through the router, and the client is with
the same ISP, it is 'free' bandwidth, and doesn't come off monthly
quotas, or get charged as access. However, if they VPN to our public
network, I'm pretty sure the ISP will think it is an external address
and count traffic toward quotas (they probably shouldn't, but that is the
way it is...). Does that make sense?

Craig.


------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
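Added example, not from this thread or from the LEAF/Bering project: the "NAT only the IPsec traffic" setup the reply above calls tricky, expressed as Bering-style iptables rules. Inbound IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) that arrive at the LEAF box's ISP address are DNATed to the VPN server on the internal LAN, and the FORWARD chain admits only that traffic for that host. Interface names (eth0 external, eth1 internal), the addresses 203.0.113.10 (standing in for addrISP) and 192.168.1.20 (standing in for Server1's LAN address), and the function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the LEAF/Bering project): iptables rules
# that DNAT only inbound IPsec (IKE on UDP/500, NAT-T on UDP/4500, ESP protocol 50)
# arriving at the LEAF box's ISP address to a VPN server on the internal LAN,
# and let nothing else through FORWARD for that host.
#
# Assumptions (placeholders, not values from the original mail):
#   eth0 = external interface carrying addrISP, eth1 = internal LAN interface,
#   203.0.113.10 = addrISP, 192.168.1.20 = the VPN server (Server1's LAN address).

# Print the rules instead of applying them, so they can be reviewed first.
# Usage: ipsec_forward_rules EXT_IF INT_IF ADDR_ISP VPN_SERVER
ipsec_forward_rules() {
    ext_if=$1; int_if=$2; addr=$3; server=$4
    cat <<EOF
iptables -t nat -A PREROUTING -i $ext_if -d $addr -p udp --dport 500 -j DNAT --to-destination $server
iptables -t nat -A PREROUTING -i $ext_if -d $addr -p udp --dport 4500 -j DNAT --to-destination $server
iptables -t nat -A PREROUTING -i $ext_if -d $addr -p esp -j DNAT --to-destination $server
iptables -A FORWARD -i $ext_if -o $int_if -d $server -p udp --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ext_if -o $int_if -d $server -p udp --dport 4500 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ext_if -o $int_if -d $server -p esp -j ACCEPT
iptables -A FORWARD -i $int_if -o $ext_if -s $server -p esp -j ACCEPT
iptables -A FORWARD -i $int_if -o $ext_if -s $server -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Count how many rules a rule set contains; a cheap sanity check before applying.
rule_count() {
    printf '%s\n' "$1" | grep -c '^iptables '
}

# Apply for real only when asked explicitly and running as root; otherwise just show.
if [ "${1:-show}" = apply ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    ipsec_forward_rules eth0 eth1 203.0.113.10 192.168.1.20 | sh -e
else
    ipsec_forward_rules eth0 eth1 203.0.113.10 192.168.1.20
fi
```

Three caveats that explain why the reply calls this tricky. ESP carries no port, so the DNAT rule can only send every inbound ESP packet to one internal host; a second IPsec server behind the same addrISP is not possible this way. AH (IP protocol 51) authenticates the outer IP header and cannot be NATed at all, so the tunnel must use ESP. And because Server1 also has its own public address (addrPUBB), its replies must leave through the LEAF box for the DNAT to be reversed; if Server1's default route goes out its own public interface, the client sees answers from the wrong address and the exchange never completes.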
