firewall ??
jludwig
wralphie at comcast.net
Thu Jul 8 19:55:28 UTC 2004
On Thu, 2004-07-08 at 14:39, Matt Morgan wrote:
> On 07/08/2004 02:12 PM, Bobby Knueven wrote:
>
> > Still a little confused on firewalls. Here's my situation (more detail
> > this time).
> >
> > I am assigned a block of IP addresses from the Office of Information
> > Tech. at our University. Along with this block of IP's come the DNS
> > servers I have to use and the Default Gateway. Everything else, DHCP,
> > File server, webserver is up to me to provide. I need to build a
> > firewall that will allow my current block of addresses (class B), which
> > are assigned to my network from a DHCP server that is on my
> > network to access the net while providing a secure environment. Since
> > I have a substantial amount of addresses I do not need NAT to use
> > 192's, etc... Where my confusion comes in is the fact that I am
> > already assigned a default gateway on my network. Is it possible to
> > apply a firewall with Internet connection sharing that acts as a new
> > default gateway for my internal network while the firewall would still
> > use the Default Gateway assigned to me? How would I go about sharing
> > that connection without using NAT? Or should I just build a bridging
> > firewall? I am hesitant about a bridging firewall because it seems
> > that it would need to be fairly speedy to keep up with our network
> > traffic. Any recommendations would be appreciated. Thanks.
>
> I realize this is not the answer you're seeking, exactly, but it seems
> that if you just used NAT everything would be a lot simpler. There's
> really almost no reason not to use NAT, if you have a reasonably good
> firewall (and iptables qualifies) and it's kind of easier to understand
> what's going on. And, pretty much everyone runs out of IP addresses
> faster than they expect to--NAT will protect you from that.
>
> With NAT, the internal address of the firewall is the gateway address
> for the internal workstations. So the answer to your question about the
> default gateway is "yes."
>
> So my advice is, just use NAT.
>
> As a side note, when you respond to messages on this list, please post
> your messages at the bottom of the previous message. Although it seems
> strange at first to people who are used to doing it the other way, it
> makes it a lot easier for new people to pick up the discussion in the
> middle. That happens a lot on a list of this volume.
>
> --Matt
I would second the suggestion of using NAT for all the reasons given
plus it would also make the firewall easier to configure and therefore
less prone to mistakes and holes.
--
jludwig <wralphie at comcast.net>
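An added example (not from anyone on the thread) of what the NAT setup Matt describes looks like as an iptables ruleset: the firewall's internal address becomes the workstations' default gateway, the forward chain is default-deny, and only new connections from the private LAN prefix are masqueraded outward. The interface names and the private prefix are assumptions; the script prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Interface names and the private LAN prefix below are assumptions.
WAN_IF="${WAN_IF:-eth0}"                 # faces the university default gateway
LAN_IF="${LAN_IF:-eth1}"                 # faces the DHCP-served workstations
LAN_NET="${LAN_NET:-192.168.10.0/24}"    # private range behind NAT

# Emit the ruleset rather than applying it, so it can be reviewed first.
# Apply with:  nat_firewall_rules eth0 eth1 192.168.10.0/24 | sh
nat_firewall_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
# Default deny: nothing crosses the box unless a rule below permits it.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Anti-spoofing: packets arriving on the WAN side must not claim the LAN prefix.
iptables -A FORWARD -i $wan -s $net -j DROP
# Return traffic for connections the LAN already opened.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Workstations may open new connections outward; the outside may not.
iptables -A FORWARD -i $lan -o $wan -s $net -m state --state NEW -j ACCEPT
# LAN hosts must reach the DHCP server running on the firewall itself.
iptables -A INPUT -i $lan -p udp --dport 67 -j ACCEPT
# Rewrite LAN source addresses to the firewall's external address.
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Sanity check on the generated text: the forward chain must be default
# deny and NAT must be scoped to the private prefix on the WAN interface.
ruleset_is_default_deny() {
    rules=$(nat_firewall_rules "$1" "$2" "$3")
    echo "$rules" | grep -q -- '-P FORWARD DROP' || return 1
    echo "$rules" | grep -q -- "POSTROUTING -o $1 -s $3 -j MASQUERADE" || return 1
    return 0
}

nat_firewall_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"
```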