Colleagues-
I am in the process of securing a network that currently is wide open.
There are several publicly addressable subnets connected via a Cisco router
which is in turn connected to another router which is where we get our
Internet access (border router). I intend to physically place a firewall
machine between the internal router and the border router. Some addresses
on the network must remain publicly addressable, primarily for services
from an ASP we use. All of the information I have found indicates that in
order for a Linux/BSD machine to act as a stateful firewall (or any kind
of firewall for that matter), it must also be doing NAT translation. That
intuitively seems wrong, and would make this sort of configuration unusable
to me. It seems that a netfilter configuration should be able to do this
without doing the NAT translation. Is all the documentation simply written
assuming you need NAT as well, or is using it actually not avoidable? Based
on my simple explanation of the configuration, do any of you have
suggestions for firewall placement that may be better? Ideally, I would
purchase the firewall add-on software for the internal Cisco router, but it
is too costly for my budget.
-Regards-
-Q-
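As an added example, not part of the original post or any reply to it: a netfilter ruleset for the configuration the post describes, a firewall machine routing between the border router and the internal router, doing stateful filtering of publicly addressed subnets with no NAT anywhere. Connection tracking (conntrack) is what gives netfilter its state table, and it runs whether or not a nat table exists; the ruleset below therefore has only a filter table. The interface names, the 203.0.113.0/24 subnet, and the 203.0.113.10 host with its published ports are assumptions chosen for illustration, not values from the post. It is written in nftables syntax; the same rules map one-to-one onto iptables with `-m conntrack --ctstate`.

```nftables
#!/usr/sbin/nft -f
# Stateful routed firewall with no NAT. Assumptions (not from the original post):
#   eth0            = link toward the border router (Internet side)
#   eth1            = link toward the internal Cisco router
#   203.0.113.0/24  = the publicly addressed subnets behind the internal router
#   203.0.113.10    = the host the ASP must reach, on 443/tcp and 22/tcp
flush ruleset

define WAN = eth0
define LAN = eth1
define PUBLIC_NETS = { 203.0.113.0/24 }
define ASP_HOST = 203.0.113.10

# Only a filter table is defined. There is deliberately no "table ... nat":
# conntrack still tracks every forwarded flow, which is all stateful filtering needs.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Manage the firewall itself only from the inside link.
        iif $LAN tcp dport 22 accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      destination-unreachable, packet-too-big, time-exceeded } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections already in the state table, plus related flows
        # (e.g. ICMP errors, FTP data channels with the helper loaded).
        ct state established,related accept
        ct state invalid drop
        # Anti-spoofing: a packet arriving from the Internet must not carry an inside source.
        iif $WAN ip saddr $PUBLIC_NETS drop
        # Inside hosts may open new connections outward with their real public addresses.
        iif $LAN oif $WAN ip saddr $PUBLIC_NETS ct state new accept
        # Only the published services are reachable from outside; everything else
        # falls through to the drop policy. Addresses are routed unchanged.
        iif $WAN oif $LAN ip daddr $ASP_HOST tcp dport { 443, 22 } ct state new accept
        iif $WAN oif $LAN ip daddr $PUBLIC_NETS icmp type echo-request limit rate 10/second accept
        # Log a rate-limited sample of what the policy is about to drop.
        iif $WAN limit rate 5/minute log prefix "fw-drop: "
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f firewall.nft` and enable routing with `sysctl -w net.ipv4.ip_forward=1`; because the box is a routing hop rather than a NAT gateway, it needs its own address on each link (for example a /30 transit network toward the border router) and the border router's route for 203.0.113.0/24 must point at it. Check the state table while testing with `conntrack -L`: you will see tracked flows with identical original and reply addresses, which is the visible proof that tracking and translation are independent. If the address plan cannot accommodate an extra routed hop, the same filter rules work on a transparent bridge (`table bridge` or the inet table with br_netfilter), again with no NAT.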