Great Circle Associates Firewalls
(February 1995)

Subject: Re: Address translation
From: Ian Marr <im @ finsbury . co . uk>
Date: Mon, 13 Feb 1995 11:02:48 +0000 (GMT)
To: pedriali @ deneb . it (Roberto Pedriali)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <ab6155ee04021004233b @ deneb> from "Roberto Pedriali" at Feb 10, 95 05:46:27 pm

Roberto Pedriali writes:
> 
> With "illegal" addresses on internal network I will come out in a situation
> where I have the same address on both network (internal/external) of the
> firewall:  the sw running on the firewall has to make routing decision
> based on the direction of the connection.....
> 
> By the way this is a real problem that I am also facing just now, so any
> suggestion or pointer to a solution will be very much appreciated.

   Roberto,

   I understand the problem! (I've got it too, but don't tell anyone ;-).
   I'm trying to connect a large (10,000 node) network using nearly
   every registered Class B address there is(!) to the Internet. However,
   all is not lost ... Simon explained the (potential) workaround below.
   I'm looking at this as an intermediate solution as I persuade our
   networking 'gurus' to dig themselves out of a hole by renumbering
   the network.

   As Simon describes, a dual proxy firewall configuration can be
   used to separate the routing problem into two halves; the inside
   firewall defaults inwards, the outside firewall defaults outwards.
   Neat eh ?

   All,

   Simon implies that ftp needs to be handled carefully, true; but has
   anyone done this ? Or, as mjr of TIS suggested to me, why not do
   all ftp's through an http-gw ? (I'm not sure how this would work,
   can anyone explain ?)

   And finally, is anyone running a dual firewall config like this ?
   Especially using the TIS Toolkit or Gauntlet ? I'd really like to
   know if it worked and was secure.

   Ian.
------------------------------------------------------------------------------
Ian Marr           Wingrove, 10 St Georges Road, Sevenoaks, KENT, TN13 3ND, UK
im @ finsbury . co . uk                                         +44-732-453-577
------------------------------------------------------------------------------
Subject: Re: Address translation
Date: Fri, 10 Feb 1995 21:54:37 +1100
From: "Simon J. Gerraty" <sjg @ zen . void . oz . au>

> > I need to know if there is some firewall software for unix that over
> > the firewall stuff do some addr translation for me.
> 
>    Maybe ... but believe me, you *DON'T* want to do it. Bite the bullet
>    and renumber your network; if you can't get enough registered
>    addresses then use some from the ranges reserved in RFC1597. That

An alternative is a two stage firewall as described by Bellovin &
Cheswick... 

Ie.

(inside nets) == [in] ------ [choke] ------ [out] == (internet)
                         |                 |
                     [inside]          [outside]

As long as "inside" and "outside" are connected to valid nets or
subnets of a valid net _and_ you run totally separate DNS on the
inside and outside, your internal illegal nets are taken care of.

Ie. the internet can only talk to "outside" and "outside" only knows
about "inside" and the internet both of which are all valid
addresses. 

The cost is an extra router and set of bastions (inside may represent
a large number of bastions...).

The advantage is you don't have to touch your internal net.
Also, you can have _very_ simple routing: "outside" defaults to
"out", and "inside" defaults to "in" nets.

Except for the ftp-gw which must be split - as described by Bellovin &
Cheswick, all the TIS fwtk proxies can be used.

Any extra security from setting up "choke" appropriately is a bonus
:-)

--sjg
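As an added illustration, not part of the original thread, the following Python model contrasts the routing table of a single dual-homed firewall with the two bastion tables Simon describes, to show why the overlapping-address problem Roberto raises goes away once each bastion only defaults toward the side it serves. All net numbers and hop names are constructed: 130.10.0.0/16 stands in for an "illegal" internal net that another site legitimately holds on the Internet, and 192.0.2.0/24 for the valid subnet shared by the choke router and both bastions.

```python
# Added example, not from the original thread: a toy longest-prefix
# route lookup contrasting one dual-homed firewall with Simon's
# two-stage layout. All net numbers and hop names are constructed;
# 130.10.0.0/16 plays an "illegal" internal net that a different site
# legitimately holds on the Internet, 192.0.2.0/24 plays the valid
# subnet the choke router and both bastions share.
import ipaddress

def make_table(routes):
    """routes: list of (prefix, next_hop); 'default' means 0.0.0.0/0."""
    table = [(ipaddress.ip_network("0.0.0.0/0" if p == "default" else p), hop)
             for p, hop in routes]
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)  # longest prefix first
    return table

def lookup(table, dst):
    """Return the next hop for dst, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    for net, hop in table:
        if addr in net:
            return hop
    return None

CONFLICT = "130.10.0.0/16"  # constructed: used inside AND registered elsewhere

# One dual-homed firewall: a single table must serve both directions, so
# the conflicting net can only ever point one way.
single = make_table([(CONFLICT, "inside-if"), ("default", "internet-if")])

# Two-stage layout: each bastion sits on the valid choke subnet and
# otherwise defaults toward the side it serves, as Simon describes.
inside_bastion = make_table([("192.0.2.0/24", "choke-net"), ("default", "in")])
outside_bastion = make_table([("192.0.2.0/24", "choke-net"), ("default", "out")])

def single_firewall_next_hop(dst):
    return lookup(single, dst)

def two_stage_next_hop(direction, dst):
    """direction is 'outbound' (internal client) or 'inbound' (Internet
    client). The proxy chain hands the final hop to the bastion facing
    the destination, so the address alone never has to decide."""
    table = outside_bastion if direction == "outbound" else inside_bastion
    return lookup(table, dst)

if __name__ == "__main__":
    # The single firewall sends 130.10.1.1 inside whether the caller
    # wanted the internal host or the Internet host of that address.
    print("single  :", single_firewall_next_hop("130.10.1.1"))
    print("outbound:", two_stage_next_hop("outbound", "130.10.1.1"))
    print("inbound :", two_stage_next_hop("inbound", "130.10.1.1"))
```

The separate inside and outside DNS that Simon also requires is what keeps each proxy from ever being handed the wrong 130.10.x.x host in the first place; it is not modelled here.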


