firewall ??
Nigel Wade
nmw at ion.le.ac.uk
Mon Jul 12 08:44:26 UTC 2004
Bobby Knueven wrote:
> Still a little confused on firewalls. Here's my situation (more detail
> this time).
>
> I am assigned a block of IP addresses from the Office of Information
> Tech. at our University. Along with this block of IP's come the DNS
> servers I have to use and the Default Gateway. Everything else, DHCP,
> File server, webserver is up to me to provide. I need to build a
> firewall that will allow my current block of addresses(class B), which
> are assigned to my network from a DHCP server that will is on my network
> to access the net while providing a secure environment. Since I have a
> substantial amount of addresses I do not need NAT to use 192's, etc...
> Where my confusion comes in is the fact that I am already assigned a
> default gateway on my network. Is it possible to apply a firewall with
> Internet connection sharing that acts as a new default gateway for my
> internal network while the firewall would still use the Default Gateway
> assigned to me? How would I go about sharing that connection without
> using NAT? Or should I just build a bridging firewall? I am hesitant
> about a bridging firewall because it seems that it would need to be
> fairly speedy to keep up with our network traffic. Any recommendations
> would be appreciated. Thanks.
>
> Bobby Knueven
>
>
I'm presuming that the current default route is part of the B subclass.
Routing would be interesting if not.
The problem you have is routing packets via your firewall from one part of
the B network to the other, since the firewall will effectively segment the
network.
As I see it you have 2 choices. The first is to build a bridging firewall
(this is the choice we took), which slots transparently between your hosts
and the default router. There are no changes necessary to any clients, fixed
IPs can remain the same, they can use the same default route etc.
The second choice would be to sub-class your network with the current
default router in one segment and have the firewall acting as a router
between the 2 segments. The external interface of the firewall would need to
be in the same subnet as your current router. All hosts would need to change
their default route to the firewall. If the current default router is not in
a convenient location in the IP sequence you may not be able to subnet so
that only the router and firewall external IP are in the same subnet,
loosing a large section of your B class network. If you can subnet, and all
clients use DHCP to set the default route it's probably the easiest choice.
The reason we chose to use a bridging firewall was that our IPs are
statically set (as is the default route), the router wasn't conveniently
placed in the address space, and we don't have control over its IP number.
You don't need to be concerned over the CPU requirment of a bridging
firewall. It has very little overhead. Our firewall runs on (IIRC) a 2.2GHz
P4. The maximum CPU load I've managed to attain is 8%. A single FTP transfer
using 100% bandwidth of a 100MB network takes up about 3-4%, 2 simultaneous
transfers take about 5-6% and 3 use up to 8%. Beyond this the load on the
firewall doesn't increase.
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw at ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
More information about the fedora-list
mailing list