firewall ??

Nigel Wade nmw at ion.le.ac.uk
Mon Jul 12 08:44:26 UTC 2004


Bobby Knueven wrote:
> Still a little confused on firewalls. Here's my situation (more detail 
> this time).
> 
> I am assigned a block of IP addresses from the Office of Information 
> Tech. at our University. Along with this block of IP's come the DNS 
> servers I have to use and the Default Gateway. Everything else, DHCP, 
> File server, webserver is up to me to provide. I need to build a 
> firewall that will allow my current block of addresses (class B), which 
> are assigned to my network from a DHCP server that is on my network 
> to access the net while providing a secure environment. Since I have a 
> substantial amount of addresses I do not need NAT to use 192's, etc... 
> Where my confusion comes in is the fact that I am already assigned a 
> default gateway on my network. Is it possible to apply a firewall with 
> Internet connection sharing that acts as a new default gateway for my 
> internal network while the firewall would still use the Default Gateway 
> assigned to me? How would I go about sharing that connection without 
> using NAT? Or should I just build a bridging firewall? I am hesitant 
> about a bridging firewall because it seems that it would need to be 
> fairly speedy to keep up with our network traffic. Any recommendations 
> would be appreciated. Thanks.
> 
> Bobby Knueven
> 
> 

I'm presuming that the current default route is part of the B subclass. 
Routing would be interesting if not.

The problem you have is routing packets via your firewall from one part of 
the B network to the other, since the firewall will effectively segment the 
network.

As I see it you have 2 choices. The first is to build a bridging firewall 
(this is the choice we took), which slots transparently between your hosts 
and the default router. There are no changes necessary to any clients, fixed 
IPs can remain the same, they can use the same default route etc.

The second choice would be to sub-class your network with the current 
default router in one segment and have the firewall acting as a router 
between the 2 segments. The external interface of the firewall would need to 
be in the same subnet as your current router. All hosts would need to change 
their default route to the firewall. If the current default router is not in 
a convenient location in the IP sequence you may not be able to subnet so 
that only the router and firewall external IP are in the same subnet, 
losing a large section of your B class network. If you can subnet, and all 
clients use DHCP to set the default route it's probably the easiest choice. 
The reason we chose to use a bridging firewall was that our IPs are 
statically set (as is the default route), the router wasn't conveniently 
placed in the address space, and we don't have control over its IP number.

You don't need to be concerned over the CPU requirement of a bridging 
firewall. It has very little overhead. Our firewall runs on (IIRC) a 2.2GHz 
P4. The maximum CPU load I've managed to attain is 8%. A single FTP transfer 
using 100% bandwidth of a 100MB network takes up about 3-4%, 2 simultaneous 
transfers take about 5-6% and 3 use up to 8%. Beyond this the load on the 
firewall doesn't increase.

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
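Added example (not part of either message above, and not the poster's own
configuration): the second option, sub-classing the block so that only the
upstream router and the firewall's external interface share a subnet, can be
worked out with Python's standard ipaddress module. The block and router
addresses below are constructed (a private /16 stands in for the real class B);
the function names are this example's own. It shows the smallest "outside"
subnet that can hold the router plus the firewall, how fragmented the remaining
"inside" space becomes when the router sits mid-block, and how much of the block
is lost if the inside must be one flat subnet (one DHCP scope).

```python
"""Plan a routed (non-NAT) firewall inside an assigned block.

Constructed example addresses: 172.16.0.0/16 stands in for the class B,
and the router addresses are chosen to show well- and badly-placed cases.
"""
import ipaddress


def outside_subnet(block, router_ip):
    """Return (subnet, firewall_external_ip) for the smallest subnet inside
    `block` that contains the upstream router as a usable host and still
    has a second usable host address for the firewall's external side.
    Network and broadcast addresses are not usable, so /31 and /32 are
    not considered. Raises ValueError if no such subnet exists (e.g. the
    router sits on the block's own broadcast address)."""
    net = ipaddress.ip_network(block, strict=False)
    router = ipaddress.ip_address(router_ip)
    if router not in net:
        raise ValueError(f"{router} is not inside {net}")
    # Try the tightest mask first (/30 for IPv4) and widen until it fits.
    for prefix in range(net.max_prefixlen - 2, net.prefixlen - 1, -1):
        cand = ipaddress.ip_network((int(router), prefix), strict=False)
        usable = set(cand.hosts())
        others = usable - {router}
        if router in usable and others:
            return cand, min(others)
    raise ValueError(f"no subnet in {net} can hold {router} as a host")


def inside_subnets(block, router_ip):
    """Everything in `block` that is not in the outside subnet, as the list
    of CIDR pieces the firewall would have to route for. The list is long
    and fragmented when the router is not at a convenient spot."""
    net = ipaddress.ip_network(block, strict=False)
    outside, _ = outside_subnet(block, router_ip)
    return sorted(net.address_exclude(outside))


def flat_inside_subnet(block, router_ip):
    """If the inside must be one flat subnet (single DHCP scope, single
    broadcast domain), the best choice is the largest leftover piece.
    Returns (subnet, number_of_addresses_lost_from_the_block)."""
    net = ipaddress.ip_network(block, strict=False)
    pieces = inside_subnets(block, router_ip)
    best = max(pieces, key=lambda n: n.num_addresses)
    return best, net.num_addresses - best.num_addresses


if __name__ == "__main__":
    block = "172.16.0.0/16"  # constructed stand-in for the assigned class B
    for router in ("172.16.0.1", "172.16.77.130"):
        outside, fw = outside_subnet(block, router)
        flat, lost = flat_inside_subnet(block, router)
        print(f"router {router}: outside {outside}, firewall ext {fw}")
        print(f"  inside pieces if routed as VLSM: {len(inside_subnets(block, router))}")
        print(f"  flat inside subnet: {flat} (loses {lost} addresses)")
```

Even with a well-placed router the inside space splits into 14 CIDR pieces if
nothing is to be wasted; insisting on one flat inside subnet costs half the
block, which is the "losing a large section" trade-off in the reply above.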