Julian Eduardo de Anquin <[EMAIL PROTECTED]> wrote:
>
> You are right, all the Computers share the same Switch, we have 4
> switches in cascade and the internet connection is on one of the
> switches. You think that is the problem?

In such a configuration, it seems possible that the switch might be "too smart", and maybe it learns that another way to reach the firewall's interface is by routing traffic through its other interface. Then the switch might do you a disservice by sending traffic the wrong way.

Another issue to consider is, what if your private lan users learn the outside gateway that the firewall uses? Can they simply bypass your firewall by routing around it? Since they are directly connected to the internet connection, they could!

Furthermore, can the outside internet reach your private lan and cause trouble for you? There is no physical barrier between them and your users; they are all on the same switched lan!

What you need to do is make it physically impossible for packets to move from one network (private lan) to another (internet) without passing through the firewall. If there is another path, then some clever (or stupid, or misguided) computer or user will find it and try to use it.

If your switch is smart enough that it has VLAN capability, then you won't have to move any cables around. Simply create two VLANs, one called Internet and another called Private. Make sure ports connected to private lan members (and the firewall's private interface) are set to the Private VLAN. Make sure that the internet connection and the firewall's external interface are the only members of the Internet VLAN.

If your switch is not configurable enough to have VLAN capability, then you can simply use a cross cable instead of a switch.

If your internet connection should ONLY ever connect with your firewall, and everyone else must go through the firewall to use it, the simplest scheme is that you use a direct cable connection from internet to firewall, without going through the switch at all. You might need a "cross" cable to do this, but it will prevent any other pathways from being possible!

-- 
[EMAIL PROTECTED] (Fuzzy Fox)     || "Good judgment comes from experience.
sometimes known as David DeSimone ||  Experience comes from bad judgment."

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting. You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
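The reply's point is that the private hosts, the firewall's external interface and the Internet uplink all sit in one layer-2 broadcast domain, so nothing forces traffic through the firewall. The following is an added example, not code from the poster or the list: a small topology model that computes the layer-2 segments of the four cascaded switches and reports which private hosts share a segment with the uplink. It assumes port-based access VLANs (each switch port in exactly one VLAN) and untagged cascade cables; the switch names, port numbers and host names are constructed for the illustration. It compares the flat setup from the question with the two fixes the reply suggests (a Private/Internet VLAN split, and a cross cable from uplink straight to the firewall).

```python
"""Layer-2 reachability check for the cascaded-switch layout in the thread.

Constructed example: devices, ports and cabling below are made up to mirror
the description (four switches in cascade, one of them holding the Internet
connection). Two ports are in the same L2 segment when a cable joins them,
or when they are ports of one switch assigned to the same access VLAN.
End devices (hosts, ISP router, firewall) never bridge between their own
interfaces at layer 2; the firewall only routes at layer 3, which is the
one path traffic is supposed to take.
"""
from collections import defaultdict


class UnionFind:
    """Minimal disjoint-set structure over (device, port) tuples."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def l2_segments(switches, cables):
    """switches: {switch: {port: vlan}} for access ports; cables: list of
    ((device, port), (device, port)). Returns a UnionFind whose find()
    identifies the broadcast domain a given interface sits in."""
    uf = UnionFind()
    for a, b in cables:
        uf.union(a, b)
    for sw, ports in switches.items():
        by_vlan = defaultdict(list)
        for port, vlan in ports.items():
            by_vlan[vlan].append((sw, port))
        for members in by_vlan.values():          # one VLAN = one L2 domain
            for p in members[1:]:
                uf.union(members[0], p)
    return uf


def bypass_paths(switches, cables, private_ifaces, uplink_iface):
    """Private interfaces that can reach the uplink without crossing the
    firewall, i.e. that share a broadcast domain with it. Empty means every
    packet between LAN and Internet must be routed by the firewall."""
    uf = l2_segments(switches, cables)
    uplink = uf.find(uplink_iface)
    return [h for h in private_ifaces if uf.find(h) == uplink]


# Constructed inventory (not from the original post).
HOSTS = [("pc%d" % i, "eth0") for i in range(1, 5)]
FW_EXT, FW_INT = ("firewall", "eth0"), ("firewall", "eth1")
ISP = ("isp-router", "lan")


def flat_topology():
    """The questioner's setup: four cascaded switches, one default VLAN."""
    switches = {sw: {p: "default" for p in range(1, 5)}
                for sw in ("sw1", "sw2", "sw3", "sw4")}
    cables = [
        (ISP, ("sw1", 1)), (FW_EXT, ("sw1", 2)), (FW_INT, ("sw1", 3)),
        (("sw1", 4), ("sw2", 1)), (("sw2", 4), ("sw3", 1)),
        (("sw3", 4), ("sw4", 1)),
        (HOSTS[0], ("sw2", 2)), (HOSTS[1], ("sw2", 3)),
        (HOSTS[2], ("sw3", 2)), (HOSTS[3], ("sw4", 2)),
    ]
    return switches, cables


def vlan_topology():
    """Same cabling; only the uplink and firewall external port move to an
    Internet VLAN, everything else (cascade links included) stays Private."""
    switches, cables = flat_topology()
    for sw in switches:
        for p in switches[sw]:
            switches[sw][p] = "Private"
    switches["sw1"][1] = "Internet"
    switches["sw1"][2] = "Internet"
    return switches, cables


def crossover_topology():
    """No VLANs: uplink and firewall external interface leave the switch and
    are joined by a cross cable, so the switch never sees Internet frames."""
    switches, cables = flat_topology()
    cables = [c for c in cables if ISP not in c and FW_EXT not in c]
    cables.append((ISP, FW_EXT))
    return switches, cables


if __name__ == "__main__":
    for name, topo in (("flat", flat_topology()),
                       ("vlan", vlan_topology()),
                       ("crossover", crossover_topology())):
        leaks = bypass_paths(*topo, HOSTS, ISP)
        print("%-9s hosts able to bypass the firewall: %s"
              % (name, [h[0] for h in leaks] or "none"))
```

Running it shows all four hosts able to bypass the firewall in the flat layout and none in either fix. The same model is a quick way to sanity-check a proposed port-to-VLAN map before touching the switch: any cascade port accidentally left in the Internet VLAN shows up immediately as a leak.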
