[sclug] Linux Firewalls and ADSL

Steve steve at noxowls.com
Wed Jun 9 16:15:16 UTC 2004


Many thanks to everyone who replied to my email regarding Linux Firewalls
and ADSL.  The replies were very helpful and there are obviously some very
skilled people on this list server.

FYI I have purchased a BeWAN PCI card and I intend to build an IPCop
firewall. I think this will suit my needs for the moment.

Slightly off topic since it is not truly Linux related but perhaps of
interest:

The reason I wanted to build this firewall was because I have moved from
dynamic addressing to static addressing and I need to host to services.  My
original configuration had a D-Link DSL300G+ ADSL bridge connected to a basic
IP router that NATted a set of internal addresses.  This spoofed the DHCP
request, handing the IP address received to the connected router.  The DSL
connection is of the BT Business 500 flavour, and the settings on the
DSL300G+ were set for PPPoA, VCMUX, CHAP.

The problem I was having was that this setting on the D-Link bridge (PPPoA)
did not allow me to set my fixed IP address.  Instead it always obtained a
dynamic address from BT that was not the same as the static IP address I was
assigned, which it then tried to bind to the connected router.  I noted from
a reference given in this thread that the DSL300G+ has been used for static
addressing on a SmoothWall firewall successfully.  So after some messing
around (and discovering that the DSL300G+ can be hacked... telnet to it and
type "private" as the password - there is no username - and see all the
wonderful commands you can try at the CLI) I changed the settings in the
D-Link bridge to RFC1483 (IP encapsulation over ATM).  Then after an upgrade
on the router I discovered that the router supports PPPoE.  So I set up
PPPoE on the IP router and a static IP address + NATting.  This works.  BT
tell me that they do not support PPPoE so I figure the RFC1483 bridge is
translating to PPPoA by altering the encapsulation.  However I need to
firewall the connection which is where IPCop will come in.

In the end I guess I could have gone without buying the PCI ADSL card
provided IPCop supports PPPoE.  I imagine that my D-Link DSL300G+ would be
able to bind to a network card on the red zone on the IPCop firewall.
However I suspect that it will be easy to set up a three-zone firewall with
IPCop, two network cards and one BeWAN ADSL card so that I can run the
webservers in a DMZ.

Once again, many thanks to everyone who helped out.

Kind Regards
Steve



