Subnetting

Charles Steinkuehler charles at steinkuehler.net
Wed Nov 20 19:16:26 CST 2002


Lucas Peet wrote:
> Well, basically, I'm working on a triple-homed firewall.  The block of
> 'real' IP's will be for the DMZ, I'll use 10.0.0.x for the internal
> network, but I still need 2 IP's (one for the external interface, and
> one for the router) that are on a different network, so I can route
> properly between the external interface, and the DMZ.
> 
> Maybe I'm confused here - I guess I'm just trying to apply what I
> learned from my own dual homed firewall to a triple homed with a DMZ.
> 
> Maybe I just don't know enough about routing yet?  I guess I don't
> understand how I would route from eth0 to eth2 properly, when they're on
> the same network block.
> 
> Should I just ask the ISP for 2 other IP's on a different network block?
> (I *know* they have subnets that are only 2 (useful) IP's long (total of
> 4) ).

You want to use proxy-arp.  I have a /26 network from my ISP via SDSL, 
which gets split into 4 different networks with real IPs:

1) External "raw" network, connecting my firewall/router to my SDSL 
modem and the ISP.

2) DMZ network for business computers owned by the company I work for

3) DMZ network for personal server systems owned/operated by me

4) DMZ network for a "co-lo" system I put online for a friend of mine.

...unassigned IPs are "tar-pitted" by LaBrea :)

NOTE:  Public IP's can be on any of the four network segments, and as 
long as proxy-arp is enabled (and the firewall/router's routing tables 
are correct), everything will work, and all boxes will think they can 
directly talk to the entire subnet.  The benefit of separating the 
networks with proxy-arp is you can filter the traffic as it passes 
through the firewall.  With my setup above, for example, if someone 
hacks the "co-lo" system I let my friend keep on-site, they still have 
to hack through my firewall to attack any of my internal systems, so 
other than a faster link, they are at no significant advantage vs trying 
to attack from anywhere else on the internet.

In addition, there is a fifth masqueraded network for internal 
workstations that don't need public IP's.

Proxy-arp allows you to split networks however you like, with the 
advantage that you don't have to lose multiple IPs for 
network/broadcast addresses, the way you do if you have multiple 
subnets.  Also, if you're not running FreeS/WAN (ipsec package that gets 
confused if multiple interfaces have identical IPs), you can assign all 
interfaces on the firewall/router the same IP (rather than 4 separate 
IP's, as you would otherwise need in my example above).

I do this all with my bootable CD-ROM firewall, Dachstein-CD:
http://leaf.sourceforge.net/devel/cstein/DiskImages/Dachstein-CD.htm

Although if you're starting from scratch, you might want to use the 
Bering release (2.4 kernel and the shorewall iptables firewall package):
http://leaf.sourceforge.net/mod.php?mod=userpage&menu=904&page_id=21

I haven't personally used shorewall much, but it looks like a great 
package, and I think it supports proxy-arp DMZ setups out-of-the-box, as 
does Dachstein.

-- 
Charles Steinkuehler
charles at steinkuehler.net
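The proxy-arp layout described in the reply above, as an added example that is not the author's own configuration nor Dachstein's or Shorewall's: a POSIX sh script that prints the Linux ip/sysctl/iptables commands for one external "raw" segment and two DMZ segments sharing a single public /26. The block 203.0.113.64/26, router .65, firewall .66 and the DMZ hosts and interface names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post or LEAF/Dachstein): the Linux commands that
# implement the proxy-arp split described in the reply. Addressing is constructed:
# 203.0.113.64/26 is the ISP block, .65 the ISP router, .66 the firewall, and
# the DMZ hosts/interfaces below are placeholders.
ISP_BLOCK="203.0.113.64/26"
ISP_ROUTER="203.0.113.65"
FW_IP="203.0.113.66"
EXT_IF="eth0"
# One "address interface" pair per public host: which DMZ segment it lives on.
DMZ_HOSTS="203.0.113.70 eth1
203.0.113.71 eth1
203.0.113.80 eth2"

# Print the configuration as a reviewable plan instead of running it as root.
proxyarp_plan() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # The external "raw" segment carries the whole /26 and the default route.
    echo "ip addr add $FW_IP/${ISP_BLOCK#*/} dev $EXT_IF"
    echo "ip route add default via $ISP_ROUTER dev $EXT_IF"
    echo "sysctl -w net.ipv4.conf.$EXT_IF.proxy_arp=1"
    # Every DMZ segment reuses the same firewall IP (as a /32, so the /26 stays
    # bound to one interface) and answers ARP on behalf of the rest of the block.
    printf '%s\n' "$DMZ_HOSTS" | awk '{print $2}' | sort -u | while read -r ifc; do
        echo "ip addr add $FW_IP/32 dev $ifc"
        echo "sysctl -w net.ipv4.conf.$ifc.proxy_arp=1"
    done
    # Host routes are more specific than the connected /26, so traffic for a
    # DMZ host leaves by its own segment; proxy_arp then answers ARP for it on
    # every other segment (Linux only proxies addresses routed out a different
    # interface, so hosts on the same segment still ARP each other directly).
    printf '%s\n' "$DMZ_HOSTS" | while read -r host ifc; do
        echo "ip route add $host/32 dev $ifc"
    done
    # The payoff: segment-to-segment traffic crosses FORWARD, so it can be
    # filtered. Default deny, replies allowed, only a named service reachable.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$DMZ_HOSTS" | while read -r host ifc; do
        echo "iptables -A FORWARD -o $ifc -d $host -p tcp --dport 80 -m state --state NEW -j ACCEPT"
    done
}

proxyarp_plan
```

Review the printed plan, then run it as root on the firewall; the same public IP on every public-facing interface is the trick the reply mentions, and it is exactly the setup FreeS/WAN objects to.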

More information about the Kclug mailing list