Re: What should I use?
It is difficult to suggest a solution without knowing what the problem is.
There are two basic reasons for subnetting your address space:
1. To increase effective bandwidth: by separating the LAN
into 2 or more Ethernets, you reduce contention
and collisions. There are other ways to increase
effective bandwidth, though - actually increasing it
(from 10 mbps to 100) is one, and using switches
instead of hubs is another.
2. To split the LAN into two or more sections with different
security standards. An example might be a school,
where the admin functions, containing a lot of
confidential data, are protected more than the
academic functions (indeed, are protected from
users *on* the academic side).
In either case above, you'd put a router between the two network segments.
In the second (but probably not the first), that router would also be a
firewall. If you do want to subnet, your existing addresses are convenient
in that you can split off .0-.31 and still use your present mail server and
router addresses (if the mail server were .32, for example, you'd have a
problem with that).
If you do subnet, you do need to deal with the fact that the Cisco won't
know how to find the addresses you place on the other side of the router
from it. The usual solutions are either to modify the routing table in the
Cisco (I don't know how; ask a Cisco specialist) or to have the subnet
router proxy-arp the addresses behind it.
But since you talk about a Linux router with 3 NICs, you may have in mind
the idea of firewalling your entire address space and also dividing it in
two. This causes a slight problem in subnetting, since the Cisco is in the
address space (or are you proposing to *replace* the Cisco router with a
Linux router/firewall?).
Without a better understanding of your goals, I don't think I can be more
specific than this.
At 08:42 AM 8/23/00 +0200, Andreas Palsson wrote:
>Hello.
>
>I have been given the task to set up a firewall, but I'm no expert so I
>have to ask a few questions.
>
>I have a Debian box (P166/64) with 3 NICs (3Com).
>I have an IP-range from .0 to .63.
>A Cisco router is the current gateway on .62.
>A mail/dns-server is placed on .33.
>
>
>What is a good solution with these tools?
>I've been reading the FW-howto and I think a filtering firewall should do,
>and maybe splitting the network into a couple of zones.
--
------------------------------------"Never tell me the odds!"---
Ray Olszewski -- Han Solo
Palo Alto, CA ray@comarre.com
----------------------------------------------------------------
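
The address split discussed in the reply above, as an added example that is not part of the original message: it splits a /26 into two /27s, shows which half each fixed host lands in, and flags a host that would sit on a subnet's network or broadcast address (the .32 case). The 192.0.2.0/26 prefix is a documentation range standing in for the unstated network prefix, and the function and host names are hypothetical.

```python
import ipaddress


def check_split(block, new_prefix, fixed_hosts):
    """Split `block` into subnets of length `new_prefix` and place fixed hosts.

    Returns (placement, problems):
      placement maps each subnet to the names of the fixed hosts inside it;
      problems lists hosts that the split would make unusable.
    """
    net = ipaddress.ip_network(block)
    subnets = list(net.subnets(new_prefix=new_prefix))
    placement = {str(s): [] for s in subnets}
    problems = []
    for name, addr in fixed_hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name} {ip} is outside {net}")
            continue
        sub = next(s for s in subnets if ip in s)
        placement[str(sub)].append(name)
        # After the split, the first and last address of each subnet are
        # reserved, so a host already using one of them must be renumbered.
        if ip == sub.network_address:
            problems.append(f"{name} {ip} is the network address of {sub}")
        elif ip == sub.broadcast_address:
            problems.append(f"{name} {ip} is the broadcast address of {sub}")
    return placement, problems


def free_subnets(placement):
    """Subnets with no fixed hosts: candidates to move behind the new router."""
    return [s for s, hosts in placement.items() if not hosts]


if __name__ == "__main__":
    # Constructed addresses: only the host parts (.62, .33) come from the thread.
    hosts = {"cisco-router": "192.0.2.62", "mail-dns": "192.0.2.33"}
    placement, problems = check_split("192.0.2.0/26", 27, hosts)
    print(placement, problems, free_subnets(placement))

    # The hypothetical from the reply: mail server on .32 instead of .33.
    hosts["mail-dns"] = "192.0.2.32"
    print(check_split("192.0.2.0/26", 27, hosts)[1])
```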