> From: woycke @ org (Daniel W. Woycke)
> Date: Thu, 6 Oct 1994 08:50:59 -0400
> Subject: Re: firewall perimeter networks wasting addresses?
> At 9:41 AM 10/5/94 -0600, Brent McClure wrote:
> >In reviewing the notes from a workshop on firewalls I found a specific
> >description of an "ideal" firewall setup that involves setting up
> >a perimeter network that has its own class C address. The statement was
> >made that it is "easy to get another class C address from the NIC for
> >your perimeter net".
> >I have been informed by our internet provider that he's not that thrilled
> >to give up one of the addresses from his block for this purpose, and I
> >suspect that the NIC isn't glad to see more addresses gobbled up in this way.
> >Yes, I know there are millions left, but at one point we probably thought there
> >were enough class B addresses too.
> >Since it appears that a single dual-homed host as a firewall has limitations,
> >then isn't there a solution using a perimeter network that can be implemented
> >where the perimeter network is simply a subnet of your current address rather
> >than having to ask for another address?
> >thanks, Brent
One of the methods that I use when building firewalls is for the client to get one
officially registered class C address, which is used for the public side of the
firewall, including web servers and router, and then use illegal class B and C network
numbers internally. This can be done, as the firewall totally isolates the internal
numbers from the Internet. Rather than wasting an extra class C address, this saves
on addresses. I have at least 2 customers that would have had to register for class
B addresses and renumber their whole internal networks if we had not done this.
All you need to do is use one of the special network numbers that has been set aside
for testing internally, and use your registered class C for the external network.
Internet Security Specialist
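The design in the reply above depends on one property: the firewall must keep the internal, unregistered numbers off the Internet in both directions, and it must refuse anything arriving from outside that claims one of those numbers as its source. The following script is an added example, not code from the thread or from either poster. It assumes the RFC 1918 private ranges (the current form of the "special network numbers set aside for testing" the reply refers to), uses the RFC 5737 documentation prefix 192.0.2.0/24 as a stand-in for the one registered class C on the public side, and models the firewall decision as a constructed three-way verdict (accept, translate, drop) over a few constructed packets.

```python
"""Address-plan check for a one-registered-/24 firewall design.

Added example, not part of the original thread. Assumes RFC 1918 private
space inside and a constructed perimeter plan; 192.0.2.0/24 (RFC 5737
documentation space) stands in for the site's registered class C.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: never routed on the public Internet, so safe to reuse inside.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed site plan (assumption, not from the thread):
#   PERIMETER_NET - the single registered class C on the public side
#   INTERNAL_NET  - unregistered space behind the firewall
PERIMETER_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")


def is_private(addr):
    """True if addr falls in any RFC 1918 range."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on: "ext" (Internet) or "int" (inside)
    src: str
    dst: str


def check_packet(pkt):
    """Decide what the firewall does with one packet.

    Returns (verdict, reason). Verdicts: "accept", "translate" (the packet may
    leave only after its private source is rewritten to a perimeter address or
    the connection is proxied), "drop".
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.iface == "ext":
        # Anti-spoofing: nothing legitimate on the Internet carries a private
        # source, and our own perimeter numbers cannot arrive from outside.
        if is_private(src):
            return "drop", "private source address arriving from the Internet"
        if src in PERIMETER_NET:
            return "drop", "our own perimeter address spoofed from outside"
        if is_private(dst):
            return "drop", "internal numbers are not reachable from the Internet"
        if dst in PERIMETER_NET:
            return "accept", "destined for a public-side host"
        return "drop", "not addressed to this site"

    if pkt.iface == "int":
        if src not in INTERNAL_NET:
            return "drop", "source is not part of the internal address plan"
        if dst in INTERNAL_NET or dst in PERIMETER_NET:
            return "accept", "stays within the site"
        if is_private(dst):
            return "drop", "private destination outside our plan cannot be routed"
        return "translate", "Internet-bound: private source must not leave untouched"

    return "drop", "unknown interface %r" % pkt.iface


# Constructed sample traffic; 198.51.100.0/24 is RFC 5737 space standing in
# for an arbitrary Internet host.
SAMPLE_PACKETS = [
    Packet("ext", "198.51.100.7", "192.0.2.80"),   # outside -> public web server
    Packet("ext", "10.1.2.3", "192.0.2.80"),       # spoofed private source
    Packet("ext", "198.51.100.7", "10.10.3.4"),    # outside probing an internal number
    Packet("int", "10.10.3.4", "198.51.100.7"),    # inside -> Internet, needs NAT/proxy
    Packet("int", "10.10.3.4", "192.0.2.80"),      # inside -> own perimeter host
    Packet("int", "192.168.1.1", "198.51.100.7"),  # source outside the internal plan
]


def audit(packets):
    """Tally verdicts for a batch of packets."""
    counts = {"accept": 0, "translate": 0, "drop": 0}
    for pkt in packets:
        verdict, _ = check_packet(pkt)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = check_packet(p)
        print("%-3s %-15s -> %-15s %-9s %s" % (p.iface, p.src, p.dst, verdict, reason))
    print(audit(SAMPLE_PACKETS))
```

The two rules that matter for the address-saving design are the first ("ext" with a private source is dropped) and the "translate" verdict: without translation or proxying at the firewall, a packet sourced from the internal numbers would reach the Internet carrying an address that someone else may also be using internally, and the reply could never come back.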