[Gllug] Routing and packetfiltering public IPs

Bruce Richardson itsbruce at uklinux.net
Sat Nov 26 12:05:33 UTC 2005


On Sat, Nov 26, 2005 at 04:49:01AM +0000, Dylan wrote:
> Hi All, 
> 
> I currently run a network comprising several desktop machines, a server 
> and a gateway connected to the wild by ADSL. The fixed public IP is 
> passed to the gateway's external interface by the ADSL router and the 
> gateway does packet filtering, NAT, etc... The ADSL router will only 
> connect to one machine when it is in bridging mode.

My experience of SOHO routers is that they are unreliable when doing
bridging and similar tricks.  If yours is reliable then great but I
would be tempted to have the router act quite simply, having the ip
address for itself.  I would then put a second NIC (and possibly a
third) into the gateway box and configure it as a firewalling
bridge, with one NIC connected to the adsl box and the other NIC(s)
connected to the other boxes on your network via a hub/switch.

There are advantages to that setup:

	1.  I trust the linux bridging code more than the firmware in
	your SOHO router.
	2.  The gateway box no longer needs an ip address on your public
	netblock (doesn't need an ip address at all, really).  It's a
	security win when your gateway isn't visible.  (Of course, your
	adsl router is now visible but you may be able to close down
	any admin interface other than the console connection, if it's
	decent)

If you go for three NICs then you can put machines with public addresses
on one segment and NATted machines on another and gain extra security
because compromise of the public machines is then less dangerous to the
NATted ones.  (Actually, if you just go for two NICs you can still
achieve this but it requires vlans)

If you go for two NICs (and no vlans) you can still have some security
on your internal network by making sure that your boxes are connecting
via a switch rather than a hub and not having a route for the private
subnet on any of the public boxes.  That would force someone who had
compromised one of your public-ip boxes to do a little more work before
they found your non-public ones.

With an invisible firewalling bridge, you only have to configure a
firewall in one place.  It really isn't that complex any more, either.

-- 
Bruce

A problem shared brings the consolation that someone else is now
feeling as miserable as you.
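Added example (not part of Bruce's post, nor anyone's production config): one way to build the three-NIC firewalling bridge he describes, where the gateway box holds no IP address at all and the public-IP and NATted segments are kept apart by filtering on the bridge. The interface names (eth0 to the ADSL router, eth1 to the public segment, eth2 to the private segment), the bridge name br0, the address blocks and the list of permitted services are all assumptions chosen for illustration; so is the premise that the ADSL router, which keeps its own public address in this layout, does the NAT for the private segment. It uses today's `ip link` and `iptables` physdev syntax rather than the `brctl` of 2005.

```shell
#!/bin/sh
# Added example: an address-less Linux firewalling bridge with three NICs.
# Assumed (hypothetical) layout:
#   eth0 -> ADSL router, which holds the public IP and (assumed) NATs eth2
#   eth1 -> switch carrying the hosts with public addresses
#   eth2 -> switch carrying the privately addressed (NATted) hosts
# With no argument the script prints the commands; "apply" runs them as root.

EXT=${EXT:-eth0}
PUB=${PUB:-eth1}
PRIV=${PRIV:-eth2}
BR=${BR:-br0}
PUBLIC_NET=${PUBLIC_NET:-203.0.113.0/29}      # hypothetical block (RFC 5737 range)
PRIVATE_NET=${PRIVATE_NET:-192.168.1.0/24}    # hypothetical NATted segment
PUBLIC_TCP=${PUBLIC_TCP:-"22 80 443"}         # services the public hosts offer

# Build the bridge and make sure it never carries an address of its own
# (no IPv4, and IPv6 disabled so it gets no link-local address either).
# br_netfilter is what makes bridged frames traverse the iptables FORWARD chain.
bridge_setup() {
    cat <<EOF
ip link add name $BR type bridge
ip link set $EXT master $BR
ip link set $PUB master $BR
ip link set $PRIV master $BR
ip link set $EXT up
ip link set $PUB up
ip link set $PRIV up
ip link set $BR up
ip addr flush dev $BR
sysctl -w net.ipv6.conf.$BR.disable_ipv6=1
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
EOF
}

# fwd <in-nic> <out-nic> <extra match> <target>: one FORWARD rule keyed on the
# physical ports a frame enters and leaves by, which is how you filter between
# bridge ports when the bridge itself has no layer-3 identity.
fwd() {
    printf 'iptables -A FORWARD -m physdev --physdev-in %s --physdev-out %s %s-j %s\n' \
        "$1" "$2" "${3:+$3 }" "$4"
}

bridge_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # Public segment: reachable from the outside only on the listed services.
    for p in $PUBLIC_TCP; do
        fwd "$EXT" "$PUB" "-d $PUBLIC_NET -p tcp --dport $p" ACCEPT
    done
    # Public hosts may open outbound connections.
    fwd "$PUB" "$EXT" "-s $PUBLIC_NET" ACCEPT
    # Private segment: outbound only (the router is assumed to NAT it).
    fwd "$PRIV" "$EXT" "-s $PRIVATE_NET" ACCEPT
    # The two internal segments never talk through the bridge, so a
    # compromised public host cannot reach the NATted ones. Log attempts.
    fwd "$PUB" "$PRIV" "-m limit --limit 5/min" "LOG --log-prefix 'pub-to-priv: '"
    fwd "$PUB" "$PRIV" "" DROP
    fwd "$PRIV" "$PUB" "" DROP
    # Anything else that falls through to the DROP policy gets logged too.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'bridge-drop: '"
}

case "${1:-}" in
    apply) { bridge_setup; bridge_rules; } | sh -e ;;
    *)     bridge_setup; bridge_rules ;;
esac
```

Two caveats a practitioner would check before trusting this: `bridge-nf-call-iptables` only covers IPv4, so IPv6 needs `bridge-nf-call-ip6tables=1` plus matching ip6tables rules, and non-IP frames (ARP in particular) cross the bridge untouched unless you add ebtables rules. The "no route for the private subnet on the public boxes" trick from the two-NIC section is complementary: it slows an attacker down, whereas the physdev DROP rules above stop the traffic outright.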
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug