G'Day All,
I am in the process of setting up Firewall-1 on a Sun Ultra 1, running
Solaris 2.5.1. Being a newbie in the area of firewalls, routers, and
gateways, I have been doing quite a lot of reading. One thing that I
cannot find in the setup for the firewall, is how to set up my
multi-homed host as a gateway. I need this so that my *ix boxes on the
inside of my network (or any that accept RIP packets) will receive a
correct RIP packet from my gateway (firewall).
I am in the process of getting a separate, very small, class C address
to connect my firewall/gateway to the router supplied by our ISP.
Here is a simple diagram of what we have now and what we will have
after the firewall goes in.
----------              --------               ------------
| my.net |--------------|router|---------------| internet |
----------              --------               ------------
Here, my side of the router has an address of x.y.1.1, but this is inside
my domain space. I have a class B domain so my subnet mask is
255.255.0.0 and my default gateway is x.y.1.1. Now, the majority of my
network is made up of PCs and Macs, so I need the gateway
to stay the same internally (x.y.1.1).
After I put in the firewall, I will have
----------         ------------         --------         ------------
| my.net |---------| firewall |---------|router|---------| internet |
----------         ------------         --------         ------------
Here, I am going to move the x.y.1.1 to the inside of my firewall, and get
another small address space (4 addresses) to go between my
firewall and the router. For simplicity's sake, say that these addresses
are 200.200.1.1 and 200.200.1.2 on the outside of the firewall and
my side of the router, respectively. Thus, I will have 200.200.1.1 on le0
and x.y.1.1 on qe0.
The questions that I need answered are:
1. I am assuming that if firewall-1 is turned off, that my firewall/gateway
machine will need to act as a gateway that passes all on the router.
Is this in fact the case?
2. As far as routes go, from what I have read, using static routes
seems to be the way that I need to proceed. So, I have made a
/etc/gateways file that reads:
norip le0
net 0.0.0.0 gateway 200.200.1.1 metric 0 passive
noripin qe0
net x.y.0.0 gateway x.y.1.1 metric 0 passive
I have also thought that I might need to add a route to the router as
follows:
host 200.200.1.2 gateway 200.200.1.1 metric 0 passive
Is this the best way to define my gateway so that my internal
machines that respond to RIPs will get the correct info?
3. From my reading, it seems to me that I only need to run interior routing
and no exterior routing. Thus I will only need to run routed and not
gated (with EGP), while the exterior routing will be taken care of by my
ISP. Is this true?
Thanks for any help,
Mark.
Mark Thompson
Manager of Network Services
Computing Services
The University of Lethbridge
Lethbridge, AB, Canada
(403) 329-2689
thommd@hg.uleth.ca
http://home.uleth.ca/~thommd
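Added example (not part of Mark's post or of any reply to it): a Solaris 2.x set-up script for the gateway box in the second diagram, using the placeholder addresses from the post (200.200.1.1 on le0, ISP router 200.200.1.2). The class B x.y.0.0 is stood in for by 10.0.0.0, which is a hypothetical value and must be replaced. The ndd and route command forms are the Solaris 2.x ones as I know them; check them against the 2.5.1 man pages before running with APPLY=1. Two points the script builds in: the default route's next hop has to be the ISP router's address on the directly connected le0 link, not the firewall's own le0 address (and since the router is directly connected, no extra host route to it is needed); and once ip_forwarding is 1 the kernel forwards every packet between le0 and qe0 whenever the FW-1 inspection module is not loaded, so the machine is an unfiltered router at that point (this is the situation question 1 asks about).

```shell
#!/bin/sh
# Added example (not from the original post): static-route set-up for a
# Solaris 2.x multi-homed host used as the gateway in the diagram above.
# Hypothetical values: the poster's placeholders 200.200.1.1 (le0, outside)
# and 200.200.1.2 (ISP router); the class B x.y.0.0 is stood in for by
# 10.0.0.0 and must be replaced with the real network.

OUT_IF=le0
OUT_IP=200.200.1.1
ROUTER=200.200.1.2
OUT_PREFIX=30            # the 4-address block between firewall and router
IN_IF=qe0
IN_NET=10.0.0.0          # placeholder for x.y.0.0
IN_IP=10.0.1.1           # placeholder for x.y.1.1

# Dotted quad -> 32-bit integer, using POSIX sh arithmetic only.
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_link A B PREFIX: true when A and B share the same /PREFIX network.
# A default route's next hop must sit on a directly connected link, so the
# ISP router has to pass this test against the firewall's outside address.
same_link() {
    a=$(ip2int "$1"); b=$(ip2int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# /etc/gateways as read by in.routed.  RIP is neither sent nor accepted on
# the outside interface; on the inside it is advertised but not accepted,
# so inside hosts learn the default route from the firewall.  The default
# route's gateway is the ISP router, not the firewall's own le0 address.
gateways_file() {
    cat <<EOF
norip $OUT_IF
noripin $IN_IF
net 0.0.0.0 gateway $ROUTER metric 1 passive
net $IN_NET gateway $IN_IP metric 1 passive
EOF
}

# Commands that make the host forward between le0 and qe0.  With
# ip_forwarding=1 the kernel forwards every packet whenever the FW-1
# inspection module is not loaded: the host is then an unfiltered router.
# Source-routed packets are refused so a remote host cannot steer traffic
# around the routing table.
setup_cmds() {
    cat <<EOF
ndd -set /dev/ip ip_forwarding 1
ndd -set /dev/ip ip_forward_src_routed 0
route add default $ROUTER 1
echo $ROUTER > /etc/defaultrouter
EOF
}

# Refuse to generate a configuration whose default next hop is not on the
# outside link (e.g. a typo that points it at an address behind the router).
plan() {
    same_link "$OUT_IP" "$ROUTER" "$OUT_PREFIX" || {
        echo "router $ROUTER is not on $OUT_IF's /$OUT_PREFIX link" >&2
        return 1
    }
    echo "# --- /etc/gateways ---"; gateways_file
    echo "# --- commands ---";      setup_cmds
}

# Print the plan by default; APPLY=1 writes /etc/gateways and runs the
# commands on the Solaris box (as root).
if [ "${APPLY:-0}" = 1 ]; then
    plan >/dev/null || exit 1
    gateways_file > /etc/gateways
    setup_cmds | sh -e
else
    plan
fi
```

Run it once without APPLY to review the generated /etc/gateways and commands; the on-link check fails loudly if the router address and the firewall's outside address do not share the /30. The passive entries keep the routes in in.routed's table and advertise them to the inside, which is what the RIP-listening *ix hosts behind qe0 need.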