Firewall - DMZ, LAN, INTERNET

bkelsay at comcast.net
Sat Jul 6 02:16:02 CDT 2002


Well, this answer will take a few minutes.
I can't give you the scripting without some memory refreshing, which you can
get from the books and howtos, but I can tell you how it works.  Internet
connection in and out on NIC 1 to router, NIC 2 connects your router to the
internal network, NIC 3 acts as a bridge and can segment traffic to another
part of your network (another building, separate division, or DMZ).  All of
this is in your diagram.  As a bridge, NIC 3 and the router send traffic to
the DMZ (if you are running web and FTP servers, and I guess mail also);
there the traffic can retrieve webpages and other info that is not trusted
on the network.  If running in bridge mode, it is likely that you have heavy
traffic on your network and wish to segment it.  You may also wish to keep
separate corporate dividing lines in place as I said before.

The firewall I have the most experience with is Freesco, which I think
started out being based on LRP (Linux Router Project): www.freesco.org
In the configuration mode you can select bridge mode and set up the third
NIC.  Under Freesco, if using ISA NICs you must set each to a separate IRQ
and I/O address.  With most brands (I'm most familiar w/ 3Com) you boot with
a DOS boot disk and just the one ISA NIC in the machine and you can
configure it with a DOS-based configuration program from the NIC
manufacturer (3Com has 3c50xcfg.exe).  Then you put a different one in the
machine and configure it (one of the cards can be left at the default
value).  Write down the parameters of each card and then you will have the
info you need when you get to Linux.  If you use PCI NICs then they may work
as plug n play (or Plug n Pray as I've heard it called).  I currently use
one ISA 3c509-TPO and one PCI 3c905.  That's what I had and it's been up for
a couple of years now.

Traffic from both parts of the internal network should be NATted; I don't
see why it wouldn't.  The internet sees one IP and port 80 gets redirected
to whichever internal IP you set, SMTP goes to whichever internal IP you
set, and the same for FTP and other services or ports.  One difference
between a 2 and a 3 NIC setup is that you could have a 192.168.0.x network on
one NIC and I don't think you could repeat the same scheme on NIC 3.  I
think it would be easier however and smarter if you used a different
numbering scheme such as 10.0.0.x or 192.168.1.x on NIC 3.  That would
definitely save problems in routing rules.  You could also reserve some
range of addresses from the 192.168.0.x subnet to be used on the NIC 3 network,
such as 192.168.0.50 - 192.168.0.60, to be used as static internal IPs for
servers.

Freesco and other prebuilt firewalls run through a setup script and ask if
you want to open port 80 and which IP to point to, as well as the other
services.  They also ask for a range of IPs to allow on each of the internal
networks and if you want DHCP.  Freesco does DHCP too.  I think I have
192.168.0.2 - 192.168.0.25 for the internal network on DHCP and 26-50 as
available static IPs; 192.168.0.1 is the Gateway address of NIC 2.  All the
config scripts (questions) do is put the info you feed them into the right
config file or firewall rule.  IPtables or IPchains is able to handle the
various NICs by their IP address, hence the Gateway address.  Traffic bound
for IPs in the 192.168.0.2 - .25 range, as in my example, goes to NIC 2, and
traffic bound for or requested by an IP at 10.0.0.5 goes through NIC 3.  I
believe that Freesco differentiates between bridge mode and DMZ, but I would
have to reboot the firewall to check.

There was a good series of firewall articles in Linux Journal recently, some
of the IPchains stuff went way over my head though.  www.linuxjournal.com
http://www.linuxjournal.com/article.php?sid=3546
http://www.samag.com/documents/s=1155/sam0101i/0101i.htm
or search www.google.com for "linux firewall" and you'll get plenty.

Brian Kelsay

----- Original Message -----
From: "jose sanchez" <j_r_sanchez at yahoo.com>
To: "KC Linux" <kclug at kclug.org>
Sent: Thursday, July 04, 2002 3:35 PM
Subject: Firewall - DMZ, LAN, INTERNET

> Hello:
>
> I have planned to build a Linux firewall and need your
> assistance:
>
> INTERNET -------- FIREWALL --------- DMZ
>                      |
>                      |
>                      |
>                      |
>                     LAN
>
>
> I was reading "Linux Firewall" book and the author
> doesn't go over a firewall script with three NICs.
> Other than the size of the script, how would a three
> NIC firewall differ from a two NIC? How does iptables
> handle it? Can traffic from the LAN still be
> NATed?
>
> I would appreciate some hints and/or techniques on how
> to build such firewall.
>
> Thank you in advance.
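A concrete iptables ruleset for the three-NIC layout discussed above, written as an added example (it is not code from the thread or from Freesco's setup scripts): the LAN and DMZ both leave NATted through the Internet NIC, port 80 and SMTP on the public IP are redirected to DMZ hosts, and the untrusted DMZ is kept from opening connections into the LAN. The interface names eth0/eth1/eth2 and the mail server address 10.0.0.6 are assumptions; 10.0.0.5 is the DMZ address used in the message.

```shell
#!/bin/sh
# Three-NIC iptables ruleset: added example, not from the thread or Freesco.
# Assumed names (adjust to the real box): eth0 = Internet (NIC 1),
# eth1 = LAN 192.168.0.0/24 (NIC 2, gateway 192.168.0.1),
# eth2 = DMZ 10.0.0.0/24 (NIC 3) holding the web server 10.0.0.5 from the
# thread and a constructed mail server 10.0.0.6.
IPT="${IPT:-iptables}"          # IPT="echo iptables" prints rules instead
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.0.0/24; DMZ_NET=10.0.0.0/24
WEB=10.0.0.5; MAIL=10.0.0.6

build_rules() {
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -j ACCEPT   # manage the box from the LAN only

    # Replies to anything already permitted below
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may open connections to the Internet and to the DMZ
    $IPT -A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
    $IPT -A FORWARD -i $LAN -s $LAN_NET -o $DMZ -j ACCEPT
    # DMZ hosts are untrusted: out to the Internet is fine, into the LAN never
    $IPT -A FORWARD -i $DMZ -s $DMZ_NET -o $WAN -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
    # Internet reaches only the published services, only on their DMZ hosts
    $IPT -A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $DMZ -d $MAIL -p tcp --dport 25 -j ACCEPT

    # One public IP: both internal networks are NATted on the way out
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s $DMZ_NET -o $WAN -j MASQUERADE
    # Port 80 and SMTP arriving on the public IP are redirected into the DMZ
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to-destination $MAIL
}

case "${1:-}" in
    apply) echo 1 > /proc/sys/net/ipv4/ip_forward; build_rules ;;   # as root
    *)     IPT="echo iptables"; build_rules ;;                     # dry run
esac
```

Run it as root with the argument `apply` to load the rules; without an argument it only prints the iptables commands it would run.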