wralphie at comcast.net
Thu Jul 8 19:55:28 UTC 2004
On Thu, 2004-07-08 at 14:39, Matt Morgan wrote:
> On 07/08/2004 02:12 PM, Bobby Knueven wrote:
> > Still a little confused on firewalls. Here's my situation (more detail
> > this time).
> > I am assigned a block of IP addresses from the Office of Information
> > Tech. at our University. Along with this block of IP's come the DNS
> > servers I have to use and the Default Gateway. Everything else, DHCP,
> > File server, webserver is up to me to provide. I need to build a
> > firewall that will allow my current block of addresses (class B), which
> > are assigned to my network from a DHCP server that is on my
> > network to access the net while providing a secure environment. Since
> > I have a substantial amount of addresses I do not need NAT to use
> > 192's, etc... Where my confusion comes in is the fact that I am
> > already assigned a default gateway on my network. Is it possible to
> > apply a firewall with Internet connection sharing that acts as a new
> > default gateway for my internal network while the firewall would still
> > use the Default Gateway assigned to me? How would I go about sharing
> > that connection without using NAT? Or should I just build a bridging
> > firewall? I am hesitant about a bridging firewall because it seems
> > that it would need to be fairly speedy to keep up with our network
> > traffic. Any recommendations would be appreciated. Thanks.
> I realize this is not the answer you're seeking, exactly, but it seems
> that if you just used NAT everything would be a lot simpler. There's
> really almost no reason not to use NAT, if you have a reasonably good
> firewall (and iptables qualifies) and it's kind of easier to understand
> what's going on. And, pretty much everyone runs out of IP addresses
> faster than they expect to--NAT will protect you from that.
> With NAT, the internal address of the firewall is the gateway address
> for the internal workstations. So the answer to your question about the
> default gateway is "yes."
> So my advice is, just use NAT.
> As a side note, when you respond to messages on this list, please post
> your messages at the bottom of the previous message. Although it seems
> strange at first to people who are used to doing it the other way, it
> makes it a lot easier for new people to pick up the discussion in the
> middle. That happens a lot on a list of this volume.
I would second the suggestion of using NAT for all the reasons given
plus it would also make the firewall easier to configure and therefore
less prone to mistakes and holes.
jludwig <wralphie at comcast.net>
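As an added example, not code from anyone in this thread: a minimal iptables script for the NAT layout Matt describes, where the firewall's LAN-side address is the workstations' default gateway and the firewall itself keeps the upstream default gateway it was assigned. The interface names and the 192.168.10.0/24 range are constructed placeholders; the script prints the rules by default and only applies them when invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): minimal iptables NAT firewall.
# The firewall's LAN address is the workstations' default gateway; the
# firewall itself keeps the upstream default gateway it was assigned.
# Interface names and addresses are constructed placeholders.
WAN_IF="eth0"                # faces the university network / assigned gateway
LAN_IF="eth1"                # faces the internal workstations
LAN_NET="192.168.10.0/24"    # private range used behind NAT
LAN_GW="192.168.10.1"        # firewall's LAN address = workstations' gateway

# Print the rule set instead of applying it, so it can be reviewed (or
# tested) without root or a live kernel.
build_rules() {
  cat <<EOF
# workstations get $LAN_GW as their default gateway (e.g. from your DHCP server)
sysctl -w net.ipv4.ip_forward=1
iptables -F; iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# the firewall host itself: loopback, replies, and SSH only from the LAN
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# anti-spoofing: a LAN source address must never arrive on the WAN side
iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# forwarded traffic: LAN may initiate outbound, only replies come back in
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT: rewrite LAN sources to the firewall's WAN address on the way out
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Run the printed commands (needs root and iptables on the firewall box).
apply_rules() {
  build_rules | sh -e
}

# Count generated lines matching a pattern, for review or testing.
count_rules() {
  build_rules | grep -c -- "$1"
}

if [ "${1:-}" = "apply" ]; then apply_rules; else build_rules; fi
```

Because the FORWARD policy is DROP, anything not explicitly allowed between the two interfaces is discarded, which is the "easier to configure, fewer holes" property the reply above is pointing at.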