[Newsgroups: header expanded to include c.o.l.n., in case anyone else wants
to chip in]
> I do intend to have both firewalls configured as if they are the only
> one, but I just wanted to let everyone know that if the filter rules
> weren't perfect on day one, it would be soon...but they network wouldn't
> be any more exposed than it is now (see far below)
(Like I used to be fairly loose about outgoing packets, but now have
tightened those down considerably... every so often, a new area in which to
restrict things comes to light.)
From the below, it looks like the new linux-or-bsd box is going to beQuote:> >It normally works that you have a LAN on e.g. eth0, using a private IP
> >range such as 10/8, and an external connection on eth1 (or ppp0 for dialup
> >PPP purposes), with real-world IP#s.
> >If you've got real-world IP#s inside the LAN, then you can forward packets.
> >If you've got private IPs, you're looking at SNAT or Masquerading outwards,
> >and optionally DNAT coming in.
> (I know this should get posted elsewhere, but let me just continue this
> thread first since someone started to address it.)
> From the diagrams below, the secondary firewall, the VPN server, and the
> mail server all have public addresses on their external NICs. I would
> like to keep that configuration. I am going to use 192.168 addresses in
> the example, but assume they are real public addresses.
> OldFirewall 192.168.1.10
> VPN Server 192.168.1.11
> Mail Server 192.168.1.12
> What would I want to do with the new linux server's NICs and do I have
> to change routing on the T1 router coming in?
inserted so that packets from the internet hit it first, ie it's the most
front-facing of the lot.
(I've labelled a couple of points of interest):Quote:> The layout I plan to setup is:
> Current Layout: Notice the three points of entry. All have pretty good
> filters, but still are risks.
> | |
> | |
> Future Layout: Three points of entry now have another level protecting
P L C
You can change the current firewall's outgoing IP# (`C'); as long as pointsQuote:> Internet<->Linux/BSD<->CurrentFirewall<->Network
> | |
> |--->VPN Server<--|
> | |
> |->Mail Fowarder<-|->Mail Server
L and C are on the same network (a pointopoint link is all that's needed),
you'll be fine, and won't have to change anything behind the current
19:12:05 up 17 days, 21:09, 13 users, load average: 0.20, 0.16, 0.14
http://piglet.is.dreaming.org |and the river flowed