Linux 版 (精华区)
发信人: netiscpu (说不如做), 信区: Unix
标 题: [M] 有关防火墙与路由器的问题
发信站: 紫 丁 香 (Tue Jun 9 19:05:24 1998), 转信
本文摘自Linux-Admin Mailling-List
[问题] Firewall and routing
-----BEGIN PGP SIGNED MESSAGE-----
Hi all
I'm going to (at least to try it) implement a firewall...
I have read quite white papers and docs, I have not very clear if the
following configuration is possible with ipfwadm -F
<The rest of the World> ---- <router> ---- <host a> ---- <other hosts>
The router, "host a" and "other hosts" are in the same ethernet fragment
The router (probably a Cisco 25xx) will only forward everything that
comes from "The rest of the World" to the "host a" wich has only a single
device (it isn't a dual homed host).. then the "host a" (the firewall)
will apply the input firewall rules and then forward to "other hosts"...
I'm not sure if this can works (without dual homed host)...
Does I need something like the iproute package + ipfwadm -I? to achieve
it?
Any comment will be greatly appreciated,
Ulisses
PD: where I can find info about iproute?
- -----------------------------------------------------------------------------
"Computers are useless. They can only give answers." Pablo Picasso
[回答1]
You can use this setup for outbound connections if you use IP
masquerading. If the router is set to only route packets to or from
the IP address of host A, then that is the only IP address that exists
externally.
--
Glynn Clements <glynn@sensei.co.uk>
[回答2]
Sorry... but I'm not sure If you understand my poor english
I'll reexplain
The idea is that all inbound trafic will be passed to the Linux box, this
box should filter/reject packages and if they are to other (valid) boxes
then forward it to them (thus the ipfwadm -F)
The router will/should "route" all outbound packets from any box (valid
adresses)
How to make this possible?
Anybody knows where I can find about iproute? I'm looking for something
like XIOS manual about ipfwadm...
Thanks in advance,
Ulisses
-----------------------------------------------------------------------------
"Computers are useless. They can only give answers." Pablo Picasso
[回答4]
Do you mean that the router will have the Linux box specified as the
gateway to the local LAN? If so, then there isn't anything special
that needs to be done on the Linux box, beyond enabling IP-forwarding.
The routes that it needs for itself will suffice, e.g.
route add -net 222.222.222.0
route add default gw 222.222.222.1
where 222.222.222.0 is the local LAN and 222.222.222.1 is the router.
> The router will/should "route" all outbound packets from any box (valid
> adresses)
If it knows where to send its own packets, it knows where to send
those from other hosts which happen to be forwarded to it. You just
need to specify the Linux box as the default gateway on all of the
other hosts.
--
Glynn Clements <glynn@sensei.co.uk>
[回答5]
Yes, with packet filtering
> If so, then there isn't anything special
> that needs to be done on the Linux box, beyond enabling IP-forwarding.
> The routes that it needs for itself will suffice, e.g.
>
> route add -net 222.222.222.0
> route add default gw 222.222.222.1
Oops
Another time, I think there is some confusion:
With these commands what I think you are doing is route to the
"cisco-router" packets that are sent from the LAN to the "rest of the
world", isn't it? (*)
I want to do this as well, but I want to know is If this can be made:
1) The router recieves a packet from the rest of the world, it forwards to
the Linux box (It doesn't check anything)
2) The Linux box applies the packet filtering rules and it forwards to the
rest of the LAN -- wich has real IP numbers
> > The router will/should "route" all outbound packets from any box (valid
> > adresses)
>
> If it knows where to send its own packets, it knows where to send
> those from other hosts which happen to be forwarded to it. You just
> need to specify the Linux box as the default gateway on all of the
> other hosts.
Also I think that (*) could be done by setting the gateway of the LAN
clients as the router, and the Linux should not have to work for outgoing
packets... or not?
PD: What is TOS in the Networking vocabulary?
-----------------------------------------------------------------------------
"Computers are useless. They can only give answers." Pablo Picasso
[回答6]
The first rule routes packets to the hosts on the local LAN (including
the Cisco). The second rule routes packets to everywhere else. You
need these routes regardless of how you configure the other hosts on
the network.
> I want to do this as well, but I want to know is If this can be made:
>
> 1) The router recieves a packet from the rest of the world, it forwards to
> the Linux box (It doesn't check anything)
Yes. You would use the equivalent of
route add -host 222.222.222.2 dev eth0
route add -net 222.222.222.0 gw 222.222.222.2
on the Cisco.
> 2) The Linux box applies the packet filtering rules and it forwards to the
> rest of the LAN -- wich has real IP numbers
Yes. Any packets received by the Linux box destined for another host
will pass through all 3 of the input/forwarding/output firewalls, and
then be routed according to the Linux box's routing table.
> > > The router will/should "route" all outbound packets from any box (valid
> > > adresses)
> >
> > If it knows where to send its own packets, it knows where to send
> > those from other hosts which happen to be forwarded to it. You just
> > need to specify the Linux box as the default gateway on all of the
> > other hosts.
>
> Also I think that (*) could be done by setting the gateway of the LAN
> clients as the router, and the Linux should not have to work for outgoing
> packets... or not?
If you don't want to perform any filtering on the outbound packets,
then you can just use the Cisco as the default gateway on all hosts.
--
Glynn Clements <glynn@sensei.co.uk>
[回答7]
If you are using valid ip addresses and you have only one Class C ip space
then you would need to subnet it and put 2 Lan cards in Linux. Configure
the required filtering rules on the outgoing traffic from the Users end. I
dont know any other alternative if you dont want to use the private ips.
Irfan Akber
[回答8]
Sorry... but I'm not sure If you understand my poor english
I'll reexplain
The idea is that all inbound trafic will be passed to the Linux box, this
box should filter/reject packages and if they are to other (valid) boxes
then forward it to them (thus the ipfwadm -F)
The router will/should "route" all outbound packets from any box (valid
adresses)
How to make this possible?
Anybody knows where I can find about iproute? I'm looking for something
like XIOS manual about ipfwadm...
Thanks in advance,
Ulisses
-----------------------------------------------------------------------------
"Computers are useless. They can only give answers." Pablo Picasso
[完]
--
Enjoy Linux!
-----It's FREE!-----
※ 来源:.紫 丁 香 bbs.hit.edu.cn.[FROM: mtlab.hit.edu.cn]
Powered by KBS BBS 2.0 (http://dev.kcn.cn)
页面执行时间:2.424毫秒