Firewall or IPMasq or Both: Need Recommendation

Post by Matt Kresse » Sat, 23 Jan 1999 04:00:00

> This may not be the most appropriate group to post this question, but I am
> sure enough list members have the experience to point me in the right
> direction.

> I have a small ISP that I need to make some changes to, and I am not sure that the
> FWTK is the best/correct approach.  First let me say that my main problem is
> that I do not have enough IP addresses from my provider. I need more.  I
> thought by using FWTK that would be the best solution. Now I am not so sure...

> I am concerned about security, although it is not the main reason for
> considering FWTK; the shortage of IPs is, BUT I am planning to change my
> provider and I do NOT want to have to have my clients re-ip when I change...
> I have looked at IP masquerade and that looks fine except it does not support
> inbound connections (right?)

> Anyway, if somebody can give me some guidance on which way to go I would
> greatly appreciate it. I need basic services to work inbound and outbound
> with minimum customization, if at all possible.  I have read the RTFM until I
> am blue in the face and am now totally confused.  I technically can implement
> most of the options, but which one is the most appropriate has got me
> baffled!!!

That other reply was a moron.  OK...

IP masquerading will make many hosts appear as one host to your provider
which is what you want.  Internally, you can use whatever configuration
you want, but most people use 192.168.x.x so it doesn't interfere with
real IPs.  Your customers need static IPs?  Well firstly your clients
are probably getting different IPs when they connect each time,
correct?  If so, then how will changing ISPs affect them?  True, you
cannot connect to the internal machines from the outside with the
masquerading firewall, but would you want to?  Your customers will still
be able to do all the things they like to do like FTP, telnet, WWW,
RealAudio, etc.  Just make sure that you have the appropriate
masquerading modules in the kernel and you should be OK.  More details
may help as well.

HTH,
Matt

--

+---------  Northrop Grumman Corporation, Bethpage, NY ---------+
+---------  TEL: (516) 346-9101 FAX: (516) 346-9740 ------------+

Post by Mike » Sat, 23 Jan 1999 04:00:00

>IP masquerading will make many hosts appear as one host to your provider
>which is what you want.  Internally, you can use whatever configuration
>you want, but most people use 192.168.x.x so it doesn't interfere with
>real IPs.  Your customers need static IPs?  Well firstly your clients
>are probably getting different IPs when they connect each time,
>correct?  If so, then how will changing ISPs affect them?  True, you can
>not connect to the internal machines from the outside with the
>masquerading firewall, but would you want to?  Your customers will still
>be able to do all the things they like to do like FTP, telnet, WWW,
>RealAudio, etc.  Just make sure that you have the appropriate
>masquerading modules in the kernel and you should be OK.  More details
>may help as well.

I also am hosting www and mail via two servers.  Must they be outside the
firewall???  You are correct in assuming they get dynamic IP assigned by my
term server.  I also understand that moving my ISP does not affect internal
hosts/clients...

What are my options for the www and mail and dns client???

Thanks very much!!!

Mike

Post by Dan Kege » Sun, 24 Jan 1999 04:00:00

Mike wrote:

> I also am hosting www and mail via two servers.  Must they be outside the
> firewall???  You are correct in assuming they get dynamic IP assigned by my
> term server.  I also understand that moving my ISP does not affect internal
> hosts/clients...

> What are my options for the www and mail and dns client???

Put the servers *outside* the Masq host.
Put your customers *inside* the Masq host.

Be sure to use the latest Masq, else your customers won't be
able to play some online games.  The Masq in kernel 2.2.0-final is fine.
Even with the latest Masq, some games and programs like ICQ will
give your customers fits.
- Dan
--
Speaking only for myself, not for my employer

Post by Malwar » Sun, 24 Jan 1999 04:00:00

Hi Dan,


> Put the servers *outside* the Masq host.
> Put your customers *inside* the Masq host.

It might cause a lot of trouble if the customers cannot get their
packets through the masquerading. It depends on the contract, but they
may be able to sue one for it.

Malware

Post by Steven J. Hathawa » Sun, 24 Jan 1999 04:00:00

Basic Network Diagram

   Local         Masquerade                 Remote
   Network       Firewall                   Network
                 NAT Relay
                 +-------+
    Wkstn A ---->|       |                  |
    Wkstn B ---->|network|                  |Network
    Wkstn C ---->|server |---(connection)---|Service
    Wkstn D ---->|       |                  |Provider
                 +-------+                  |

If the "network server" is a Masquerade server, then all
workstations on the local network will look to the Network
Service Provider as coming from one IP address, that of the
Masquerade server.

If the "network server" is a Firewall without address
translation, then the firewall acts as a protocol filtering
router, allowing only specific traffic through.  The Network
Service Provider needs to know the IPs of your local network
(usually by block assignment of addresses) for your local use.
This block of IP addresses is a fixed assignment that the
Network Service Provider CAN NOT USE for auto-assignment
to dial-in clients.

If the "network server" is a NAT Relay, it provides Network
Address Translation between a private address space and a
public address space.  This is useful if you wish to subscribe
to another network service provider without renumbering your
local network servers and workstations.  You should give your
local network equipment addresses in the private address space,
and let the NAT Relay change them selectively to public addresses
in the global Internet.  NAT Relay servers are often accompanied
with Firewall capabilities.  You still need a block of static
addresses assigned by your Network Service Provider for your
use.  And your NAT Relay becomes the router that your Network
Service Provider uses to gain access to selected workstations
within your local network.

The public address you assign to the Network Service Provider
side of a NAT Relay can be used by Masquerade services for those
workstations that are not mapped to a public address by the NAT Relay.

I'm not sure of the configuration requirements of all the parts,
but the capabilities of the above are available.

- Steven J. Hathaway
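As an added illustration (not code from any of the posts), a small Python model of the distinction Steven draws above and of Dan's advice to put the servers outside and the customers inside: customers go through the dynamic masquerade table, the www/mail servers get a fixed one-to-one NAT mapping, and an unsolicited packet aimed at the masquerade address has no table entry and is dropped. The addresses and the 61000 port pool are assumed sample values.

```python
# Toy model of the thread's three "network server" roles: a many-to-one
# masquerade table, one-to-one NAT relay mappings, and what happens to
# unsolicited inbound packets. Addresses are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MASQ_PUBLIC = "203.0.113.1"   # the masq host's own public address (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatRelay:
    # static one-to-one mappings, public -> private, for hosts that must be
    # reachable from the outside (the www/mail servers in the thread)
    static: Dict[str, str] = field(default_factory=dict)
    # dynamic masquerade table, public port -> (private ip, private port),
    # filled in only when an inside host initiates a connection
    masq: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 61000   # first port of the masquerade pool (assumed)

    def outbound(self, p: Packet) -> Packet:
        # a statically mapped host keeps the same public address every time
        for pub, priv in self.static.items():
            if priv == p.src:
                return Packet(pub, p.sport, p.dst, p.dport)
        # everyone else shares MASQ_PUBLIC; reuse the entry for a known flow
        for port, inside in self.masq.items():
            if inside == (p.src, p.sport):
                return Packet(MASQ_PUBLIC, port, p.dst, p.dport)
        port, self.next_port = self.next_port, self.next_port + 1
        self.masq[port] = (p.src, p.sport)
        return Packet(MASQ_PUBLIC, port, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        # static mapping: deliver regardless of who started the conversation
        if p.dst in self.static:
            return Packet(p.src, p.sport, self.static[p.dst], p.dport)
        # masquerade: only replies to a flow the inside host opened get through
        if p.dst == MASQ_PUBLIC and p.dport in self.masq:
            ip, sport = self.masq[p.dport]
            return Packet(p.src, p.sport, ip, sport)
        return None   # no table entry: the packet is dropped
```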

ipmasq: FTP and Hotline behind ipmasq firewall.

I have lots of trouble trying to put ftp and hotline servers behind an
ipmasq firewall. FTP doesn't work in browsers...ok I accept that. Hotline
?? There must be a workaround. While I continue to pull my hair out,
anyone able to do those ??

Note: Tried redir, ipportfw...no go... :( only the www server complied.

Thanks
Regit
