>I am trying to setup a three-host firewall, with Firewall-1 ver 3.0 on
>it. The machine has 3 interfaces, one for the outside (on the same
>network as the ISP router), one for the inside, and one for the DMZ. The
>outside interface is a class B address given to us by our ISP. The
>inside address belongs to a class B network, subnetted to a class
>C (255.255.255.0). The DMZ network address is also part of the class B
>The internal address is on a wire which goes to our enterprise router,
>which is broadcasting RIP, all the time.
>Couple of questions:
> 1) How do you configure routing for this setup?
See steps below
> 2) Do you turn on in.routed and/or in.rdisc? With what options?
You don't on an Internet firewall if you can avoid it; you might on an Intranet
firewall, but that varies by opinion and circumstances.
> 3) Do you turn on ip_forwarding?
When you install Firewall-1 V3.0 it will add the necessary lines to startup
scripts (See /etc/rc2.d/S69inet) to prevent IP forwarding. NT version must have
IP forwarding set on in the routing dialog box.
> 4) Any idea about the netmasks
> 5) RIP?
No definitely not.
> 6) Static or dynamic routes?
Definitely static routes.
>I would appreciate any help you can give me, pointers to on-line
>information, etc. Thanks in advance.
I had to write the following up for something else so here's some help.
Assumptions for this example:
ISP's network address and subnet mask they gave you
This is a reasonable subnet mask coming from an ISP.
Allows you to have 16 addresses, 14 physically useable, for example if they
you could use
184.108.40.206 to 220.127.116.11
18.104.22.168 is the network address
22.214.171.124 is the broadcast address
Your network Class B is 172.16.0.0 one of the RFC1918 networks
Outside Interface of Firewall: gatekeeper 126.96.36.199
Inside Interface of Firewall: fw1-gw 172.16.1.254
Dmz-side Interface of Firewall: dmz-gw 172.16.2.254
Enterprise router: ent-gw 172.16.1.253
Step 1. Edit the /etc/hostname.[le0 | le1 | le2] files, create if necessary;
may be hostname.[le0 | qe0 | qe1 | qe2 | qe3] if you have a quad card.
Edit each file; it should contain the hostname for each interface.
Step 2. Edit your /etc/hosts file and add the hostnames and IP addresses
188.8.131.52 gatekeeper.yourdomain.com gatekeeper
Step 3. Edit your /etc/netmasks file and add the networks and their subnet
# ISP network address and subnet mask, if this is not here then Solaris
# will assume the whole of class B 184.108.40.206 is on le0 and you'll
# never be able to connect to the ISPs other customers.
# Treat 172.16.0.0 and its subnets as class C networks
Step 4. Create a startup file that configures the static routes required by
the firewall. For example, /etc/rc3.d/S80fw1-routes, which contains the
static routes and proxy arps required by the address translation. It's in the
rc3.d dir because proxy arps don't take effect if the file is in the rc2.d
# Set silly host routes to ensure packets leave from the correct
# interface to accommodate address translation
# Assumes 220.127.116.11 is your external SMTP host address that you
# advertise to the world.
# Assumes 172.16.1.10 is your internal SMTP host
route add host 18.104.22.168 172.16.1.10 1
# Set the proxy arps; note the IP address 22.214.171.124 is not assigned
# to any physical interface. The MAC address is that of the outside
# interface of the firewall. In this case, Solaris, all interfaces use
# the same MAC address (different for NT installs).
arp -s 126.96.36.199 8:0:23:7b:e3:4 pub
# Configure the routes to the rest of 172.16.0.0
route add net 172.16.3.0 172.16.1.253 1
route add net 172.16.4.0 172.16.1.253 1
route add net 172.16.5.0 172.16.1.253 1
route add net 172.16.6.0 172.16.1.253 1
route add net 172.16.7.0 172.16.1.253 1
route add net 172.16.254.0 172.16.1.253 1
No doubt you won't have used all of the class C subnets of 172.16.0.0, but if
you do, the table is large; it's X-large if you subnetted the 10.0.0.0
network as class C.
Personally I would use 192.168.1.0 as the firewall inside network and
192.168.2.0 as the DMZ network, and then have a single route to your enterprise
router for the 172.16.0.0 network. It only requires a single route, but that
depends on what you have on that network and whether you have spare ports on your
router or alternatively can configure virtual IP addresses for the router ports.
The documentation in Version 3 mentions how to get address translation and
routing working a lot better than 2.1 so I've left the proxy arps and host
routes out as that really requires diagrams with the explanation.
Well, that should get you started. I don't think I've forgotten anything, but...until
it works you never know.
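As an added example (not part of the original post), a small Python check of the kind of static-route table built in Step 4: every next hop must sit on a directly connected network, or the kernel can never ARP for it, and a route should not be added for a network that an interface already covers. The inside and DMZ interface addresses follow the post's assumptions; the outside address and the ISP mask are placeholders, and the `route add` syntax parsed is the Solaris 2.x form shown in the post.

```python
"""Sanity-check Solaris-style 'route add' lines against the firewall's
own interfaces before they go into an rc script."""
import ipaddress

# Constructed interface table for the three-homed firewall in the post.
# 172.16.1.254 and 172.16.2.254 are the post's values; the outside address
# and the ISP's /28 mask are placeholders (the post's values are garbled).
INTERFACES = {
    "le0": ipaddress.ip_interface("192.0.2.18/28"),    # outside, ISP /28 (placeholder)
    "le1": ipaddress.ip_interface("172.16.1.254/24"),  # inside, class C subnet of 172.16
    "le2": ipaddress.ip_interface("172.16.2.254/24"),  # DMZ, class C subnet of 172.16
}


def parse_route(line):
    """Parse 'route add net|host DEST GATEWAY METRIC' into (network, gateway).

    'net' destinations are treated as class C (/24), as the post's
    /etc/netmasks entry directs; 'host' destinations are /32."""
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["route", "add"] or parts[2] not in ("net", "host"):
        raise ValueError("unrecognised route line: %r" % line)
    kind, dest, gw = parts[2], parts[3], parts[4]
    prefix = 32 if kind == "host" else 24
    return ipaddress.ip_network("%s/%d" % (dest, prefix)), ipaddress.ip_address(gw)


def check_routes(lines, interfaces=INTERFACES):
    """Return a list of (line, problem) tuples; an empty list means every
    route has a reachable next hop and does not shadow a connected net."""
    problems = []
    for line in lines:
        try:
            dest, gw = parse_route(line)
        except ValueError as exc:        # bad syntax, or host bits set in a 'net' dest
            problems.append((line, str(exc)))
            continue
        connected = [name for name, ifc in interfaces.items() if gw in ifc.network]
        if not connected:
            problems.append((line, "gateway %s is not on any directly connected network" % gw))
        elif any(dest.subnet_of(ifc.network) for ifc in interfaces.values()):
            problems.append((line, "destination %s is already directly connected" % dest))
    return problems


if __name__ == "__main__":
    # Constructed sample: the post's enterprise-router routes plus a NAT host route.
    sample = [
        "route add net 172.16.3.0 172.16.1.253 1",
        "route add host 198.51.100.25 172.16.1.10 1",   # placeholder public SMTP address
        "route add net 172.16.2.0 172.16.1.253 1",      # wrong: 172.16.2.0 is the DMZ
    ]
    for bad_line, why in check_routes(sample):
        print("%-45s %s" % (bad_line, why))
```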