Great Circle Associates Firewalls
(October 1997)

Subject: Re: Firewall routing setup, Solaris 2.5.1
From: Security Mail list <firewall @ corefacts . co . uk>
Date: Mon, 13 Oct 1997 14:23:22 +0200 (BST)
To: zwieback_dave @ timeplex . com (Dave Zwieback)
Cc: firewalls @ greatcircle . com, neil @ corefacts . co . uk (Neil C Mackie)
In-reply-to: <343BF4CC . F5E41692 @ timeplex . com> from "Dave Zwieback" at Oct 8, 97 05:02:05 pm

>Hey,

>I am trying to setup a three-host firewall, with Firewall-1 ver 3.0 on
>it. The machine has 3 interfaces, one for the outside (on the same
>network as the ISP router), one for the inside, and one for the DMZ. The
>outside interface is a class B address given to us by our ISP. The
>inside address belongs to a class B network, subnetted to a class
>C (255.255.255.0). The DMZ network address is also part of the class B
>network.
>
>The internal address is on a wire which goes to our enterprise router,
>which is broadcasting RIP, all the time.
>
>Couple of questions:
>    1) How do you configure routing for this setup?

See steps below

>    2) Do you turn on in.routed and/or in.rdisc? With what options?
You don't on an Internet firewall if you can avoid it; you might on an Intranet
firewall, but that varies by opinion and circumstances.

>    3) Do you turn on ip_forwarding?
When you install Firewall-1 V3.0 it will add the necessary lines to the startup
scripts (see /etc/rc2.d/S69inet) to prevent IP forwarding. The NT version must
have IP forwarding set on in the routing dialog box.

>    4) Any idea about the netmasks
See below

>    5) RIP?
No definitely not.

>    6) Static or dynamic routes?
Definitely static routes.

>I would appreciate any help you can give me, pointers to on-line
>information, etc. Thanks in advance.

>Dave.

I had to write the following up for something else so here's some help.
-----------------
Assumptions for this example:

ISP's network address and subnet mask they gave you
	158.145.0.0    255.255.255.240

This is a reasonable subnet mask coming from an ISP.
Allows you to have 16 addresses, 14 physically useable, for example if they
gave you
	158.145.1.0
you could use 
	158.145.1.1 to 158.145.1.14
	158.145.1.0 is the network address
	158.145.1.15 is the broadcast address

Your network, class B 172.16.0.0, is one of the RFC 1918 networks.
 
Outside Interface of Firewall:		gatekeeper 158.145.1.1
Inside Interface of Firewall:		fw1-gw	   172.16.1.254
Dmz-side Interface of Firewall:		dmz-gw	   172.16.2.254
Enterprise router:			ent-gw	   172.16.1.253

		---------------------

Step 1. Edit the /etc/hostname.[le0 | le1 | le2] files, create if necessary;
they may be hostname.[le0 | qe0 | qe1 | qe2 | qe3] if you have a quad card.

Edit each file, it should contain the hostname for each interface.

/etc/hostname.le0
	gatekeeper

/etc/hostname.le1
	fw1-gw

/etc/hostname.le2
	dmz-gw

		---------------------

Step 2. Edit your /etc/hosts file and add the hostnames and IP addresses

	158.145.1.1	gatekeeper.yourdomain.com gatekeeper
	
	172.16.1.254	fw1-gw
	172.16.2.254	dmz-gw

		---------------------
Step 3. Edit your /etc/netmasks file and add the networks and their subnet
masks

	# ISP network address and subnet mask, if this is not here then Solaris
	# will assume the whole of class B 158.145.0.0 is on le0 and you'll 
	# never be able to connect to the ISP's other customers.
	158.145		255.255.255.240

	# Treat 172.16.0.0 and its subnets as class C networks
	172.16		255.255.255.0
	
		---------------------
Step 4. Create a startup file that configures the static routes required by
the firewall. For example, /etc/rc3.d/S80fw1-routes which contains the
static routes and proxy arps required by the address translation. It's in the
rc3.d dir because proxy arps don't take effect if the file is in the rc2.d 
directory.

	# Set silly host routes to ensure packets leave from the correct 
	# interface to accommodate address translation
	# Assumes 158.145.1.2 is your external SMTP host address that you 
	# advertise to the world.
	# Assumes 172.16.1.10 is your internal SMTP host
	#
	route add host 158.145.1.2 172.16.1.10 1

	# Set the proxy arps, note the IP address 158.145.1.2 is not assigned
	# to any physical interface. The MAC address is that of the outside
	# interface of the firewall. In this case, Solaris, all interfaces use 
	# the same MAC address. (different for NT installs).

	arp -s 158.145.1.2 8:0:23:7b:e3:4 pub

	# Configure the routes to the rest of 172.16.0.0
	#
	route add net 172.16.3.0 172.16.1.253 1
	route add net 172.16.4.0 172.16.1.253 1
	route add net 172.16.5.0 172.16.1.253 1
	route add net 172.16.6.0 172.16.1.253 1
	route add net 172.16.7.0 172.16.1.253 1
	....
	route add net 172.16.254.0 172.16.1.253 1

No doubt you won't have used all of the class C subnets of 172.16.0.0, but if
you do, the table is large; it's X-large if you subnetted the 10.0.0.0
network as class C.

Personally I would use 192.168.1.0 as the firewall inside network and 
192.168.2.0 as the dmz network and then have a single route to your enterprise
router for the 172.16.0.0 network. It only requires a single route but that
depends on what you have on that network and if you have spare ports on your
router or alternatively can configure virtual IP addresses for the router ports.

The documentation in Version 3 mentions how to get address translation and
routing working a lot better than 2.1 so I've left the proxy arps and host
routes out as that really requires diagrams with the explanation.

Well that should get you started, I don't think I've forgotten anything but...until 
it works you never know.

----------------------------
Neil Mackie
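The subnet arithmetic in the reply above (network, usable range and broadcast for the ISP's 255.255.255.240 block) and the long list of per-class-C static routes are easy to get wrong by hand. The script below is an added example, not part of Neil's message or of Firewall-1: it works the same figures out with Python's standard ipaddress module, generates the Solaris "route add net <net> <gw> <metric>" lines for every class C of 172.16.0.0 that is not directly attached to the firewall (skipping the all-zeros and all-ones subnets, as the list in the post does), shows the single aggregate route the post recommends instead, and checks that a proxy-ARPed address such as 158.145.1.2 is actually a usable host address inside the ISP block. The network numbers are the post's own worked example; it only prints the route commands, it never runs them.

```python
"""Subnet arithmetic and static-route generation for the three-homed
Solaris firewall in the post. Added example; it prints `route add`
lines for review and does not execute them."""
import ipaddress


def subnet_info(address, mask):
    """Return (network, first_usable, last_usable, broadcast, usable_count)
    for an address/mask pair, i.e. what the post works out by hand for
    158.145.1.0 with mask 255.255.255.240."""
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]),
            str(net.broadcast_address), len(hosts))


def class_c_routes(block, gateway, attached, metric=1):
    """Generate one 'route add net' line per /24 of `block` that must be
    reached through `gateway`. Subnets listed in `attached` are on the
    firewall's own interfaces and get no route; the first and last /24
    (all-zeros / all-ones subnet) are skipped, matching the post's list
    that runs from 172.16.3.0 to 172.16.254.0."""
    net = ipaddress.IPv4Network(block)
    attached_nets = {ipaddress.IPv4Network(a, strict=False) for a in attached}
    subnets = list(net.subnets(new_prefix=24))[1:-1]
    return [f"route add net {s.network_address} {gateway} {metric}"
            for s in subnets if s not in attached_nets]


def aggregate_route(block, gateway, metric=1):
    """The single route the post suggests when the firewall-side networks
    live in 192.168.x instead of inside 172.16.0.0."""
    net = ipaddress.IPv4Network(block)
    return f"route add net {net.network_address} {gateway} {metric}"


def address_is_usable(address, block):
    """True if `address` is a host address inside `block` and is neither the
    network nor the broadcast address. Use it to sanity-check an address you
    intend to proxy-ARP for (158.145.1.2 in the post) before advertising it."""
    net = ipaddress.IPv4Network(block, strict=False)
    addr = ipaddress.IPv4Address(address)
    return (addr in net and addr != net.network_address
            and addr != net.broadcast_address)


if __name__ == "__main__":
    # ISP block from the post: 158.145.1.0 / 255.255.255.240
    print(subnet_info("158.145.1.0", "255.255.255.240"))
    # Firewall inside (172.16.1.0) and DMZ (172.16.2.0) are directly attached;
    # everything else in 172.16.0.0 goes via the enterprise router 172.16.1.253
    routes = class_c_routes("172.16.0.0/16", "172.16.1.253",
                            ["172.16.1.0/24", "172.16.2.0/24"])
    print(len(routes), "routes, first/last:", routes[0], "|", routes[-1])
    print("aggregate instead:", aggregate_route("172.16.0.0/16", "172.16.1.253"))
    print("10.0.0.0 as class C would need",
          len(class_c_routes("10.0.0.0/8", "172.16.1.253", [])), "routes")
    for a in ("158.145.1.2", "158.145.1.15", "158.145.1.16"):
        print(a, "usable in ISP block:",
              address_is_usable(a, "158.145.1.0/255.255.255.240"))
```

The aggregate route only does what the post describes if 172.16 is not declared as class-C-subnetted in /etc/netmasks on the firewall, which is exactly why the post suggests putting the firewall's own inside and DMZ networks in 192.168.x and leaving 172.16.0.0 whole behind the enterprise router.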

