static routing problem on dual-homed firewall

Post by Terry M. Tompkin » Tue, 28 Jul 1998 04:00:00

We are using RedHat Linux 5.0 on an Intel box as a dual-homed firewall.
The machine has one network card connected to our internal network, and
the other connected to a cable modem that connects us to the Net.  The
server is running the latest version of socks5, and the PCs on our
internal network are running sockscap32.
Everything had been working fine, but sometime since the server was last
rebooted (2 months ago) our static routing table got changed.  (I
suspect that one of our power users ran the netcfg utility and
inadvertently caused /etc/sysconfig files to be modified.)  Here's what
happens:  machines on the internal network can access the Linux box.
These same machines can access the outside world through the Linux box
using sockscap32/socks5.  The Linux box can ping machines on the
internal network and the Internet.  The problem is the Linux box cannot
access ITSELF.  If you are logged into the server, and you attempt to
access the server itself with any standard network services (i.e. ping,
telnet, ftp, etc.) you get "Network unreachable" errors.  The real
problem with this weirdness is that if you try to access the pop3/http
services on the Linux box from the internal network using socksified
applications, the access attempts fail, since the request goes from the
PC to socks5 on the server, which then tries to direct the request to
the server itself, and poof - Network unreachable.  I'm sure it's
related to the fact that there are two network cards in the machine (and
thus multiple interfaces).  BTW packet forwarding is disabled (a
requirement by our network's ISP).  Everything had been working before
we rebooted the machine and the changes to networking files kicked in.
Here is our /etc/sysconfig/static-routes file with IP's changed to
words:

eth0 net 0.0.0.0 netmask 255.255.255.0 gw EXTERNALROUTER
eth0 net EXTERNALNET netmask 255.255.255.0 gw EXTERNALROUTER
eth1 net INTERNALNET netmask 255.255.255.0 gw INTERNALROUTER
eth1 net SISTERNET netmask 255.255.255.0 gw INTERNALROUTER
eth1 net 0.0.0.0 netmask 255.255.255.0 gw EXTERNALROUTER

"eth0" is the NIC that is connected to our cable modem to provide the
Internet connection.  "eth1" is connected to the internal network.
SISTERNET is a second subnet that we are connected to with a T1.  I know
there's probably a dumb mistake in the static-routes file, and if
someone could enlighten me I'd appreciate it.

-Terry
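Added example, not from the original post and not RedHat's own network script: a small Python linter for a static-routes file in the format shown above. It parses each line, shows the route(8) call the old network script derives from it (the exact form of that call is an assumption here), and flags the things a practitioner would want checked in a file like the one posted: a "net 0.0.0.0" line whose netmask is not 0.0.0.0 describes a route to the tiny 0.0.0.0/24 network, not a default route; the same destination listed on both eth0 and eth1; a gateway that lives on one interface's subnet while the route is bound to the other interface; host bits set in a network address; and a file with no true default route at all. The addresses in the sample are constructed stand-ins for EXTERNALROUTER, EXTERNALNET, INTERNALNET, INTERNALROUTER and SISTERNET, not the poster's real ones.

```python
import ipaddress

# Constructed sample: the posted /etc/sysconfig/static-routes with the
# placeholder names swapped for made-up documentation/RFC1918 addresses.
# These addresses are assumptions for the demo, not the poster's real ones.
SAMPLE_STATIC_ROUTES = """\
eth0 net 0.0.0.0 netmask 255.255.255.0 gw 203.0.113.1
eth0 net 203.0.113.0 netmask 255.255.255.0 gw 203.0.113.1
eth1 net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.254
eth1 net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.254
eth1 net 0.0.0.0 netmask 255.255.255.0 gw 203.0.113.1
"""


def parse_static_routes(text):
    """Parse 'DEV net NET netmask MASK gw GW' lines (the old RedHat format)."""
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) != 7 or f[1] != "net" or f[3] != "netmask" or f[5] != "gw":
            raise ValueError(f"line {lineno}: unrecognised route line {raw!r}")
        # strict=False keeps a line whose host bits are set so the linter can
        # report it; a non-contiguous netmask raises ValueError here instead.
        network = ipaddress.IPv4Network((f[2], f[4]), strict=False)
        routes.append({"line": lineno, "dev": f[0], "mask": f[4],
                       "net": ipaddress.IPv4Address(f[2]), "network": network,
                       "gw": ipaddress.IPv4Address(f[6])})
    return routes


def route_commands(text):
    """Approximate route(8) call the network script builds per line (assumed form)."""
    return [f"route add -net {r['net']} netmask {r['mask']} gw {r['gw']} dev {r['dev']}"
            for r in parse_static_routes(text)]


def device_for_gateway(routes, gw):
    """Most specific non-default route whose network contains gw, or None."""
    best = None
    for r in routes:
        n = r["network"]
        if n.prefixlen == 0:
            continue
        if gw in n and (best is None or n.prefixlen > best["network"].prefixlen):
            best = r
    return best


def lint_static_routes(text):
    """Return a list of findings (strings) about a static-routes file."""
    routes = parse_static_routes(text)
    findings = []
    seen = {}          # network -> first route line that used it
    defaults = 0
    for r in routes:
        n = r["network"]
        if n.network_address != r["net"]:
            findings.append(f"line {r['line']}: {r['net']} has host bits set for "
                            f"netmask {r['mask']}; route(8) rejects it")
        if r["net"] == ipaddress.IPv4Address("0.0.0.0"):
            if n.prefixlen == 0:
                defaults += 1
            else:
                findings.append(f"line {r['line']}: net 0.0.0.0 netmask {r['mask']} is a "
                                f"route to 0.0.0.0/{n.prefixlen}, not a default route "
                                f"(a default needs netmask 0.0.0.0)")
        first = seen.setdefault(n, r)
        if first is not r and first["dev"] != r["dev"]:
            findings.append(f"line {r['line']}: {n} is already routed via {first['dev']} "
                            f"on line {first['line']}, now also via {r['dev']}")
        via = device_for_gateway(routes, r["gw"])
        if via is not None and via["dev"] != r["dev"]:
            findings.append(f"line {r['line']}: gateway {r['gw']} lies in {via['network']} "
                            f"on {via['dev']} (line {via['line']}), but the route is "
                            f"bound to {r['dev']}")
    if defaults == 0:
        findings.append("no default route (net 0.0.0.0 netmask 0.0.0.0) is defined in this file")
    return findings


if __name__ == "__main__":
    for cmd in route_commands(SAMPLE_STATIC_ROUTES):
        print(cmd)
    for finding in lint_static_routes(SAMPLE_STATIC_ROUTES):
        print("WARNING:", finding)
```

Run it against a real file with `lint_static_routes(open("/etc/sysconfig/static-routes").read())`. The linter only knows what the file says, so it cannot tell whether a default route or the loopback comes from somewhere else (ifcfg-* files, the network script); treat its findings as things to confirm against the live `route -n` output rather than as a diagnosis.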


1. Benefits of dual-homed firewall for home network?

I'm upgrading my home server from Redhat 6.1 to SuSE 8.0 mainly so I
can take advantage of the improved packet filtering.  The existing
server uses a fairly standard setup: Dialup ISP, IPCHAINS firewall
from Robert Ziegler's book, Internet sharing among Windows boxes, file
sharing with Samba, Setiathome, not much else.

My security books (Ziegler, Toxen) tell me that the firewall shouldn't
be on the same box as Samba and other important stuff.  Okay, I have
an old Pentium 133 box with 64MB RAM that I've installed SuSE 8.0 on,
and I could use that as a separate firewall box.

Is my understanding of the physical interface correct?
* Modem on serial port to the Internet.
* Ethernet card with "null hub" (reverse) cable to eth1 on the main
server.
* eth0 on the main server to the home network switch.
* Different networks for the firewall box and the main server (e.g.,
192.168.1.1 for the server and 192.168.2.1 for the firewall).

If this is correct, what does it buy me?  I assume the separate
networks improve security, but I'm lost beyond that.  All the diagrams
I've seen for a DMZ show Web servers and stuff off to the side between
the firewall and the rest of the LAN, but this doesn't really apply to
my setup.

Is there any benefit to installing a second machine as a standalone
firewall, or should I just continue with my current setup where the
firewall is on the main server?

TIA for any advice.

Mike

-----
Mike Dodd  (remove 'xspam.' when emailing)


2. D-Link 220?

3. Dual-homed with static-IP ISDN and dyn-IP DSL

4. NEED HELP. must get card to work

5. Dual-homed hosts and my firewall...ugh.

6. TELNET problem

7. dual-homed routing: DSL + backup modem interfaces?

8. using <Limit> versus <LimitExcept> in .htaccess

9. Routing on a dual-homed pc

10. Routing Dual-Homed Network to Share Network Resources

11. Dual ethernet routing/firewall problem

12. Routing problems - with static routes

13. Problems with Dual-homed DE500 and RH6.0