Solved

Ipfwadm problem

Posted on 1997-08-05
Last Modified: 2010-03-18
Here is the setup
                        FIREWALL
192.204.106.x--192.204.106.3-192.204.106.2--192.204.106.1--
INTERNAL NET     INTERNAL     EXTERNAL        Router--
NETWORK (.2-.254)  NIC          NIC            INTERNET
                   ETH0         ETH1            EXTERNAL        
I messed around with the routing files and still have not been able to get the firewall to work properly.

Note -- Everything was done from the firewall itself.

Without even touching the routing tables, I can successfully ping eth0 but not eth1. I can also telnet out to the internet (external stuff).
The routing table looks like this:

Destination     Gateway         Genmask          Flags  MSS   Window  Use  Iface
192.204.106.0   *               255.255.255.0    U      1500  0       36   eth0
127.0.0.0       *               255.0.0.0        U      3584  0       2    lo
default         192.204.106.1   *                UG     1500  0       143  eth0
When I do route add -net 192.204.106.0 eth1, the table becomes:

Destination     Gateway         Genmask          Flags  MSS   Window  Use  Iface
192.204.106.0   *               255.255.255.0    U      1500  0       36   eth1
192.204.106.0   *               255.255.255.0    U      1500  0       36   eth0
127.0.0.0       *               255.0.0.0        U      3584  0       2    lo
default         192.204.106.1   *                UG     1500  0       143  eth0

I can now successfully ping eth1 (192.204.106.3) but not eth0 (192.204.106.2). I can still telnet out to the rest of the world, which is connected to eth0.
Am I missing something in the routing table?

Is it because I am using 192.204.106.3 and .2 for the two NICs? Do I have to use separate ones?

I haven't set up any rules for ipfwadm yet. Is that the problem?
Do I need to set up forwarding rules in order for it to work?

Any help would be greatly appreciated!
Question by: root2

2 Comments

Expert Comment by: bcook (LVL 1), ID: 1585851
The problem is that you have both NICs set up on the same sub-net.

What are you trying to achieve?
Why do you have two NICs?

If you have the firewall between two ethernets, then those machines must have two different IP address spaces.

(You can use 192.168.x.x for the private address space if
you use Masquerading on the linux firewall)

You really need to do a diagram of your network topology for
anybody to understand this.

(Also you should have a lot more points for the question)

Accepted Solution by: sauron (LVL 3), earned 10 total points, ID: 1585852
You have missed a few important points.

Firstly, your IP addressing is wrong. You have three networks to consider here. The Internet is one, but you can rest assured that that is configured right :-). So, you are left with two logical networks, a small one connecting the NIC with address 192.204.106.2 to the internal interface of your router. Your other network connects the NIC with address 192.204.106.3 to the rest of the hosts on your network.

It is important for you to realise that your firewall is, itself, a router. Ergo, you *must* recompile its kernel and enable IP forwarding. Without this, nothing will work. Second, you need to subnet your class C address properly. Assuming you have a full class C address, you need to split this. As you have very few interfaces (i.e. 2) on the 'external' side of the firewall, you want to use the smallest amount of your address space for subnetting. This is 1 bit. So, you end up with two subnets, like so:

Network Address    Broadcast Address   Valid Host addresses
---------------    -----------------   --------------------
192.204.106.0      192.204.106.127     192.204.106.1 - .126
192.204.106.128    192.204.106.255     192.204.106.129 - .254

Then assign addresses from one subnet to all your hosts, and change their subnet masks to 255.255.255.128, and addresses from the other subnet to your router's internal interface, and the 'router facing' interface on your firewall machine. You also need to change the subnet addresses on these two bits of kit.

Then, if the router facing NIC on the firewall is eth1, you need to set the default gateway on the firewall to be the IP address of the router (192.204.106.1), and the gateway device to eth1. You can find this in /etc/sysconfig/network

All your other hosts must be configured with the IP address of the eth0 interface as their default gateway.

When you've done all that, your routing should be up and running. Then, you can start to mess around with firewall rules.

You might also consider upping the points value on this question.....
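As an added example (not part of the thread), a short Python script that computes the one-bit split the accepted answer tabulates and then checks a layout for the two problems the answers raise: both firewall NICs on one subnet, and hosts whose mask was not changed along with their address. Interface names and addresses follow the question; the LAN-side addresses in the split layout (.130, .140) are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

def split_network(net: str, bits: int = 1) -> List[Tuple[str, str, str]]:
    """Rows of (network, broadcast, valid host range) for the 2**bits subnets,
    i.e. the accepted answer's table for net='192.204.106.0/24', bits=1."""
    rows = []
    for sn in ipaddress.ip_network(net).subnets(prefixlen_diff=bits):
        hosts = list(sn.hosts())
        rows.append((str(sn.network_address), str(sn.broadcast_address),
                     f"{hosts[0]} - {hosts[-1]}"))
    return rows

def check_layout(ifaces: Dict[str, str], clients: Dict[str, Tuple[str, str]],
                 router: str) -> List[str]:
    """Return the routing problems in a layout; an empty list means it can route.
    ifaces:  firewall NIC name -> 'addr/prefix'
    clients: LAN host name -> ('addr/prefix', default gateway)
    router:  address of the upstream router's internal interface"""
    problems = []
    nets = {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}
    fw_ip = {ipaddress.ip_interface(a).ip: n for n, a in ifaces.items()}
    names = list(nets)
    for i, a in enumerate(names):            # each pair of firewall NICs
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} both sit in {nets[a]}; the kernel "
                                "has no way to choose an interface")
    if not any(ipaddress.ip_address(router) in n for n in nets.values()):
        problems.append(f"router {router} is not on any firewall subnet")
    for name, (addr, gw) in clients.items():
        net = ipaddress.ip_interface(addr).network
        g = ipaddress.ip_address(gw)
        if g not in net:
            problems.append(f"{name}: gateway {gw} lies outside {net}")
        elif g not in fw_ip:
            problems.append(f"{name}: gateway {gw} is not a firewall NIC")
        elif nets[fw_ip[g]] != net:          # mask not changed along with address
            problems.append(f"{name}: mask gives {net} but {fw_ip[g]} is on {nets[fw_ip[g]]}")
    return problems

# Constructed scenarios: the question's layout, the accepted answer's split,
# and a half-done split where the host kept its old /24 mask.
AS_POSTED = dict(ifaces={"eth0": "192.204.106.2/24", "eth1": "192.204.106.3/24"},
                 clients={"pc": ("192.204.106.10/24", "192.204.106.3")},
                 router="192.204.106.1")
SPLIT = dict(ifaces={"eth0": "192.204.106.2/25", "eth1": "192.204.106.130/25"},
             clients={"pc": ("192.204.106.140/25", "192.204.106.130")},
             router="192.204.106.1")
HALF_DONE = dict(SPLIT, clients={"pc": ("192.204.106.140/24", "192.204.106.130")})
```

Running check_layout(**AS_POSTED) reports the overlapping NICs, check_layout(**SPLIT) returns an empty list, and HALF_DONE flags the stale mask.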
