[Sussex] Firewall appliance recommendations

Steven Dobson steve at dobson.org
Fri Aug 11 12:40:47 UTC 2006


On Fri, 2006-08-11 at 12:36 +0100, Ronan Chilvers wrote:
> On Fri, Aug 11, 2006 at 11:04:33AM +0100, Steven Dobson wrote:
> > 
> >            +-------+                  +----------+
> >  --- RJ11 -+ Modem +------ RJ45 ------+ Firewall +--- RJ45 to LAN
> >            +-------+                  +----------+
> >      Public   192.168.1.1/24   192.168.1.2/24   192.168.2.1/24
> >        IP
> >       Addr
> 
> Yeah, but this is quite untidy don't you think? The modem has a bridge
> mode where it acts (I think) as a PPPoE concentrator so you can initiate
> your connection on it as the next hop from the firewall.  The benefit
> here is that if I had a static IP in the future I can manage that
> directly via the firewall, using the third RJ45 to create a DMZ
> (been thinking about hosting a subversion server on the end of the line
> for a couple of projects). My understanding is that using the modem in
> bridge mode puts it into layer 2(?) and it becomes an IPless data link rather
> than a transport component (sound correct?).
> 
> One little side note is that the ADSL2MUE

Okay - wrong guess. :-)

I helped a client with an ADSL router which we put into (IIRC)
"transparent bridge mode".  The ADSL router then lost its public IP and
the firewall (not a Linux system) got it from a DHCP request broadcast
on the WAN interface.  During testing we unplugged his firewall and I
plugged in my Linux laptop and that got the public IP address - works
fine.  So as long as your ADSL router does the same thing I don't
foresee any problems.

But at home this is not my configuration.  I have the Speedtouch 510
which does support bridging so that both the WAN and LAN
interfaces have the same address, but that does have to be a public IP
address.  I opted for a block of eight public IP addresses from my ISP.
You lose one address as the network address, and another to broadcast.
The Speedtouch takes a third leaving me with five usable public IP
addresses.

When the Soekris boots the PXE BIOS uses eth0 so I use that for my LAN
(I don't want the PXE requests going anywhere else).   I bridge eth1
(WAN) and eth2 (DMZ) so the Soekris firewall only takes up one IP
address.  Shorewall supports bridging so my firewalling rules are
configured for WAN, DMZ, LAN, and (when I have the WiFi card installed)
WLAN.

It wasn't hard to set up, and now just sits there, day after day, doing
its job.  The only thing I do is log into it occasionally to update the
software installed with any security patches that Debian might have
released.

> <snip>
> I'd presumably need to install a kernel
> for the Geode CPU though wouldn't I?  I could knock off the 25 quid for
> the modem then...

I have mine running off a stock 386 kernel install from Debian.  As
"uname -m" reports the machine as being an i586 maybe I could go for a
better kernel build - I've just never bothered.

Steve
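An added example of how a bridged WAN/DMZ layout like the one Steve describes can be expressed in Shorewall; this is not his actual configuration. It assumes a Shorewall 4.x-style file layout with br0 bridging eth1 (WAN) and eth2 (DMZ), eth0 as the LAN, and the 203.0.113.0/29 documentation range standing in for the real public block, with 203.0.113.5 as a placeholder DMZ host.

```conf
# /etc/shorewall/zones  (assumed layout; added example, not the poster's config)
#ZONE   TYPE
fw      firewall
net     ipv4        # WAN side of the bridge (eth1)
dmz     ipv4        # DMZ side of the bridge (eth2), public IPs from the same /29
loc     ipv4        # LAN (eth0, also where PXE requests are kept)

# /etc/shorewall/interfaces
# br0 has no zone of its own; zones are assigned per bridge port in 'hosts',
# so the firewall uses one public IP but still filters between WAN and DMZ.
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         -           bridge
loc     eth0        detect

# /etc/shorewall/hosts
#ZONE   HOST(S)
net     br0:eth1
dmz     br0:eth2

# /etc/shorewall/policy
# Default-deny from the Internet; the DMZ cannot initiate to the LAN.
#SOURCE DEST    POLICY  LOG
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Only the published service reaches the DMZ host; admin access to the
# firewall itself is allowed from the LAN only.  203.0.113.5 is a placeholder.
#ACTION SOURCE  DEST                PROTO   DPORT
ACCEPT  net     dmz:203.0.113.5     tcp     443
ACCEPT  loc     $FW                 tcp     22
```

Because the DMZ hosts sit on the same public /29 as the WAN port, the bridge option is what makes traffic between eth1 and eth2 pass through these zone rules instead of being switched untouched.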
