Great Circle Associates Firewalls
(April 1995)
 


Subject: Re: firewalls and routing
From: F.Wetzels@amc.uva.nl (Frank Wetzels)
Date: Wed, 05 Apr 1995 10:52:17 +0200
To: firewalls@GreatCircle.com

fpmw> Hi, I have a pretty basic question.  I'll be setting up a Class-C network
fpmw> with a firewall and I'm unsure about sub-netting and routing.  It would
fpmw> look something like this:
fpmw> 
fpmw>                             Internet
fpmw>                                |
fpmw>                         _______|______
fpmw>                         |   router   |
fpmw>                         | 192.x.y.1  |
fpmw>                         |____________|
fpmw>                               |
fpmw>                               |    public net - webservers, etc
fpmw>                _______________|________________
fpmw>                |                              |
fpmw>          ______|______                    ____|_______
fpmw>          | 192.x.y.2 |                    | WWW       |
fpmw>          | firewall  |                    | 192.x.y.3 |
fpmw>          | 192.x.y.4 |                    |___________|
fpmw>          |___________|
fpmw>                |            private net
fpmw>            ____|_________________________
fpmw>            |                            |
fpmw>      ______|_____                  _____|_____
fpmw>      | 192.x.y.5 |                | 192.x.y.6 |
fpmw>      |___________|                |___________|
fpmw> 
fpmw> 
fpmw> My question is how do I number the network for this setup and how
fpmw> is routing set up?  I assume the router knows nothing about subnets
fpmw> and dumps all traffic for 192.x.y.0 onto the LAN.  Don't I have to
fpmw> subnet in order to split the network into 2 sections like this?
fpmw> If I subnet, isn't 192.x.y.1 no longer a good address? (it is in the
fpmw> all-zero subnet)
fpmw> If I don't subnet, will I have to set up a static route for each
fpmw> machine on the public net?

If your firewall has two interfaces then you should give them IP addresses
from two different subnets. So either you subnet your class C net or use
another class C net as the private net. Your router should know about all
your subnets. The result is that the public net and the private net are two
different subnets with a firewall between them.

I have a general question on this configuration: The public machines, are these
only to be reached from the internet (and/and not) from the private net?

Then what about putting *these* machines in a screened subnet? It's against
the philosophy of having a firewall.
On the other hand these public machines can be regarded as Internet machines
and should be treated that way.

So there are pros and cons. Any opinions?

Frank

-------------------------------------------------
F.P.M. Wetzels                           ADIV/CNS
D01-329                        wetzels@amc.uva.nl
meibergdreef 15              Voice +31 20 5662917
1105 AZ  Amsterdam-ZO          Fax +31 20 6973181
-------------------------------------------------
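An added worked example, not part of the original thread: it splits a class C into the two subnets Frank describes, places the firewall's two interfaces in different subnets, checks the original poster's worry about 192.x.y.1 landing in the all-zero subnet, and lists the static routes the design needs (one per subnet, not one per host). The address block 192.0.2.0/24 is a constructed stand-in for the poster's 192.x.y.0; the host assignments follow the poster's diagram.

```python
from ipaddress import IPv4Network

# Constructed stand-in for the poster's 192.x.y.0 class C.
CLASS_C = IPv4Network("192.0.2.0/24")
DEFAULT = IPv4Network("0.0.0.0/0")


def split_class_c(net=CLASS_C):
    """Split the class C into two equal halves (/25):
    lower half = public (screened) net, upper half = private net."""
    public, private = net.subnets(new_prefix=25)
    return public, private


def plan(net=CLASS_C):
    """Assign addresses following the poster's diagram: router and
    WWW host on the public net, firewall with one leg in each subnet."""
    public, private = split_class_c(net)
    pub_hosts = list(public.hosts())
    priv_hosts = list(private.hosts())
    return {
        "public": public,
        "private": private,
        "router": pub_hosts[0],          # router's inside interface
        "fw_public": pub_hosts[1],       # firewall, public-side interface
        "www": pub_hosts[2],
        "fw_private": priv_hosts[0],     # firewall, private-side interface
        "private_hosts": priv_hosts[1:3],
    }


def interfaces_in_distinct_subnets(p):
    """Frank's requirement: the firewall's two legs sit in two subnets."""
    return (p["fw_public"] in p["public"]
            and p["fw_private"] in p["private"]
            and p["public"] != p["private"])


def in_subnet_zero(addr, net, new_prefix):
    """True if addr falls in the first (all-zero) subnet of the split.
    RFC 950 told hosts not to use it, so old equipment may reject it."""
    return addr in next(net.subnets(new_prefix=new_prefix))


def routing(p):
    """Static routes implied by the design as (destination, next hop)."""
    return {
        "router": [(p["private"], p["fw_public"])],     # one route, not one per host
        "firewall": [(DEFAULT, p["router"])],
        "private_host": [(DEFAULT, p["fw_private"])],
    }
```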

