Re: [leaf-user] many non contiguous subnets on the same interface
Lynn

Maybe my drawing was not completely clear. The outer firewall is NATting,
whereas the inner is routing to keep the DMZ and the secure network apart. We
were planning to provide server hosting for remote networks, but the design
included dual-hosted servers with a SAN device on the second network. I trashed
this for security reasons, because any attacker on the remote parts of the net
would automatically be invited to the sacred shrine.

Anyway, last office day today, tomorrow sailing along the Lycian coast. Hope to
hear from all of you in 2 weeks' time.

And thanks

Erich

At 19:40 23.10.2003, Lynn Avants wrote:
> On Thursday 23 October 2003 02:50 am, Erich Titl wrote:
> [...]
>> There is no NAT on the inner firewall, but then there is no NETBIOS
>> traffic either through the firewall.
>
> Hmmm... so it is running proxy-arp on the inner firewall (assuming this is
> the only way you can filter w/o routing).
>
>> I know that routing is going to be tricky, we will probably drop the
>> extruded subnet idea as it is too big a security risk to have a subnet
>> extended right into the heart of our secure zone.
>
> Yeah, if the firewall is answering a /16, then it is likely not the best
> idea to keep them on the same subnet. It might be a better idea to
> proxy-arp the DMZ and route/NAT the internal net, which keeps the DMZ on a
> separate subnet behind the firewall.

--
THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16

---
This SF.net email is sponsored by: The SF.net Donation Program. Do you like
what SourceForge.net is doing for the Open Source Community? Make a
contribution, and help us add new features and functionality. Click here:
http://sourceforge.net/donate/

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] many non contiguous subnets on the same interface
On Wednesday 22 October 2003 02:26 am, Erich Titl wrote:
> Hi
>
> I am deploying Bering 1.2 systems as firewalls/VPN tunnel endpoints to build
> what they call extruded subnets in freeswan jargon. Here a little bit of
> ASCII art:
>
>     client net 10.230.60.0/24 (for historical reasons)
>               |
>     10.230.60.1
>     Bering / customer VPN endpoint
>     xx.xx.xx.xx (any old public address)
>               |
>            internet
>               |
>     xx.xx.xx.xx (any old public address)
>     Bering / outer firewall / NAT / VPN endpoint
>     192.168.180.1
>               |
>     DMZ 192.168.180.0/23
>               |
>     192.168.180.2
>     Bering / inner firewall / 2 or 3 NICs
>     192.168.52.1-
>               |
>     internal subnet
>     192.168.52.0/22

Your largest problem is going to be routing unless the router is on a
192.168.0.0/16 subnet. Your NetBIOS traffic can't be routed on a /24 or
through the second stage of NAT (between the DMZ/internal net) without NAT
traversal.

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
Re: [leaf-user] many non contiguous subnets on the same interface
Lynn

At 23:56 22.10.2003 -0500, Lynn Avants wrote:
> On Wednesday 22 October 2003 02:26 am, Erich Titl wrote:
>> Hi
>>
>> I am deploying Bering 1.2 systems as firewalls/VPN tunnel endpoints to
>> build what they call extruded subnets in freeswan jargon. Here a little
>> bit of ASCII art:
>>
>>     client net 10.230.60.0/24 (for historical reasons)
>>               |
>>     10.230.60.1
>>     Bering / customer VPN endpoint
>>     xx.xx.xx.xx (any old public address)
>>               |
>>            internet
>>               |
>>     xx.xx.xx.xx (any old public address)
>>     Bering / outer firewall / NAT / VPN endpoint
>>     192.168.180.1
>>               |
>>     DMZ 192.168.180.0/23
>>               |
>>     192.168.180.2
>>     Bering / inner firewall / 2 or 3 NICs
>>     192.168.52.1-
>>               |
>>     internal subnet
>>     192.168.52.0/22
>
> Your largest problem is going to be routing unless the router is on a
> 192.168.0.0/16 subnet. Your NetBIOS traffic can't be routed on a /24 or
> through the second stage of NAT (between the DMZ/internal net) without NAT
> traversal.

There is no NAT on the inner firewall, but then there is no NETBIOS traffic
either through the firewall.

I know that routing is going to be tricky, we will probably drop the extruded
subnet idea as it is too big a security risk to have a subnet extended right
into the heart of our secure zone.

cheers

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [leaf-user] many non contiguous subnets on the same interface
On Thursday 23 October 2003 02:50 am, Erich Titl wrote:
[...]
> There is no NAT on the inner firewall, but then there is no NETBIOS traffic
> either through the firewall.

Hmmm... so it is running proxy-arp on the inner firewall (assuming this is
the only way you can filter w/o routing).

> I know that routing is going to be tricky, we will probably drop the
> extruded subnet idea as it is too big a security risk to have a subnet
> extended right into the heart of our secure zone.

Yeah, if the firewall is answering a /16, then it is likely not the best idea
to keep them on the same subnet. It might be a better idea to proxy-arp the
DMZ and route/NAT the internal net, which keeps the DMZ on a separate subnet
behind the firewall.

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81
[leaf-user] many non contiguous subnets on the same interface
Hi

I am deploying Bering 1.2 systems as firewalls/VPN tunnel endpoints to build
what they call extruded subnets in freeswan jargon. Here a little bit of
ASCII art:

    client net 10.230.60.0/24 (for historical reasons)
              |
    10.230.60.1
    Bering / customer VPN endpoint
    xx.xx.xx.xx (any old public address)
              |
           internet
              |
    xx.xx.xx.xx (any old public address)
    Bering / outer firewall / NAT / VPN endpoint
    192.168.180.1
              |
    DMZ 192.168.180.0/23
              |
    192.168.180.2
    Bering / inner firewall / 2 or 3 NICs
    192.168.52.1-              |
              |                |
    internal subnet            |
    192.168.52.0/22            |
                               many extruded subnets in the 10.230.xx.xx range

The idea is to route the path to the various extruded subnets from the tunnel
endpoint on the outer firewall through the DMZ wire to the inner firewall and
then to the respective subnet.

- I probably need to assign ip aliases for each subnet to the NIC connected to
  the extruded subnets.
- I need to add routes for each subnet on the outer and the inner firewall.

Is there a canonical way to add many routes and many ip aliases to such a box?

Does this make sense at all?

Thanks for comments

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
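As an added example (not code from the thread, nor from LEAF/Bering), here is one way to script the two lists the original post asks for: one static route per extruded prefix on the outer firewall, pointing at the inner firewall's DMZ address, and one secondary address (alias) per prefix on the inner firewall's extruded-side NIC. The addresses are taken from the drawing; the interface names eth1 (DMZ side) and eth2 (extruded side), the subnet list, and the presence of iproute2's `ip` on the box are assumptions. The script only prints the commands, so they can be read before being piped to `sh` as root, and it refuses any prefix that overlaps the protected 192.168.52.0/22 range, so a mistyped customer range cannot be aliased onto the secure zone itself.

```shell
#!/bin/sh
# Added example, not code from the leaf-user thread or from LEAF/Bering.
# Generates the `ip` commands the outer and inner firewall would need for a
# list of extruded subnets and refuses any prefix that overlaps the protected
# internal range. Runs with plain POSIX sh; only the generated lines need root.

DMZ_INNER=192.168.180.2      # inner firewall, DMZ side (from the thread)
INTERNAL=192.168.52.0/22     # protected internal zone (from the thread)
DMZ_IF=eth1                  # assumed: DMZ-facing NIC of the outer firewall
EXTRUDED_IF=eth2             # assumed: inner-firewall NIC facing the extruded nets

# Constructed list; the thread only says "many extruded subnets in 10.230.xx.xx".
SUBNETS="10.230.60.0/24 10.230.61.0/24 10.230.75.0/24"

# ip2int A.B.C.D -> 32-bit integer, using only shell arithmetic.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_overlap NET1 NET2: true (exit 0) when the two blocks share an address.
# Two CIDR blocks overlap exactly when they agree under the shorter prefix.
cidr_overlap() {
    n1=$(ip2int "${1%/*}"); l1=${1#*/}
    n2=$(ip2int "${2%/*}"); l2=${2#*/}
    if [ "$l2" -lt "$l1" ]; then l1=$l2; fi
    mask=$(( (4294967295 << (32 - l1)) & 4294967295 ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# outer_cmds NET...: on the outer firewall every extruded prefix is reached
# through the inner firewall's DMZ address, so one static route per prefix.
outer_cmds() {
    for net in "$@"; do
        echo "ip route add $net via $DMZ_INNER dev $DMZ_IF"
    done
}

# inner_cmds NET...: on the inner firewall the prefixes are directly connected,
# so each gets an alias on the extruded-side NIC (first host of the block, as
# 10.230.60.1 is in the thread's drawing); the connected route comes with it.
# Any prefix overlapping $INTERNAL is refused before a single line is printed.
inner_cmds() {
    for net in "$@"; do
        if cidr_overlap "$net" "$INTERNAL"; then
            echo "REFUSED: $net overlaps protected zone $INTERNAL" >&2
            return 1
        fi
    done
    for net in "$@"; do
        gw=$(( $(ip2int "${net%/*}") + 1 ))
        echo "ip addr add $(int2ip "$gw")/${net#*/} dev $EXTRUDED_IF"
    done
}

# Stand-alone run: print both command sets for the constructed list.
echo "# outer firewall:"; outer_cmds $SUBNETS
echo "# inner firewall:"; inner_cmds $SUBNETS
```

Running the script prints both lists; on the inner box `inner_cmds 10.230.60.0/24 | sh` applies the alias, and the kernel installs the connected route for the prefix with it, so no separate `ip route add` is needed there. Nothing here is persistent on a Bering box, so the lines have to go into whatever start-up script the box runs, and the FreeS/WAN side (one leftsubnet/rightsubnet pair per extruded prefix) is not covered by this script.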