[NCLUG] Re: firewall nic config

William Dan Terry william.terry at knotworks.com
Sat Apr 27 11:46:08 MDT 2002


> Message: 2
> Date: Fri, 26 Apr 2002 02:54:58 +0100
> From: Matthew Wilcox <willy at debian.org>
> To: nclug at nclug.org
> Subject: Re: [NCLUG] firewall nic config
> Reply-To: nclug at nclug.org
> 
> On Thu, Apr 25, 2002 at 07:37:44PM -0600, William Dan Terry wrote:
> > On a firewall with one ethernet card for connecting to the LAN and one connecting to the Net is there a way to set the netmask or something else to split a class C so that most of the addresses are on the inside and only a small number are on the outside? If not, is there any reason I couldn't add 2 more NICs and at least set the netmasks for the 4 NICs each have a quarter of the class C and connect three to an inside hub? I've never configured a firewall (ipchains) for more than 2 interfaces. Is it doable?
> 
> Could you word-wrap please?  It makes your text easier to read.

I always thought that word wrap was the responsibility of the receiving end, thus allowing the reader to optimize it for his viewer. Email doesn't have a prescribed width that I'm aware of, making the transmission of information a separate issue from the display of information. Forcing \n every so many characters just means that a wider viewer loses the benefit of width and still has to scroll just as much. I've been working under this premise for 17 years. Am I missing something?

> Really, this is not a good idea, and if the hosts inside aren't reachable
> from the outside at all, use the private address ranges (192.168/16,
> 172.16/12, 10/8).

Some hosts inside do need to be reachable, hence the class C. However, the traffic they deal with is small enough that having them behind a firewall wouldn't change the firewall load significantly. So the protection they get from the firewall is worth it to me instead of having them in the DMZ.

But splitting the class C into 2 subnets, 1 inside and 1 outside is a waste since I have next to nothing that I want outside. I've never had to deal with subnets before so I don't know how flexible you can be in defining them and if there are ways that I don't know about to set them up differently.

Peace, William

___________W__i__l__l__i__a__m_____D__a__n_____T__e__r__r__y___________
How do we acquire wisdom along with all these shiny things? -David Brin

    PGP public key:     http://www.knotworks.com/wdt_pgp_pubkey.asc
    fingerprint:   DC 80 E4 18 E2 CB AC F4  8C 59 9B 9C BB A2 D7 4B
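The unequal split the question asks about (most of a class C inside, only a handful of addresses outside) worked through as an added example that is not part of this thread; it assumes the documentation range 192.0.2.0/24 in place of the poster's real block and uses Python's standard ipaddress module. Subnets must be power-of-two sized and aligned to their size, so the leftover inside space comes out as several aligned blocks rather than one odd-sized subnet:

```python
import ipaddress

# Constructed stand-in for the poster's class C (the real block is not on the page).
CLASS_C = ipaddress.ip_network("192.0.2.0/24")


def split_unequal(block, outside_prefixlen):
    """Carve one small 'outside' subnet off the top of `block`.

    Returns (outside, inside_subnets). The remainder is expressed as the
    largest aligned blocks that tile it, largest first, because a single
    netmask cannot describe an arbitrary run of 248 addresses.
    """
    if outside_prefixlen <= block.prefixlen:
        raise ValueError("outside subnet must be smaller than the parent block")
    # Last subnet of that size within the block, e.g. 192.0.2.248/29
    outside = list(block.subnets(new_prefix=outside_prefixlen))[-1]
    inside = sorted(block.address_exclude(outside),
                    key=lambda n: n.network_address)
    return outside, inside


def describe(net):
    """Netmask and usable host count (network and broadcast excluded)."""
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def plan(block=CLASS_C, outside_prefixlen=29):
    """Interface plan: one outside subnet plus the inside blocks it leaves."""
    outside, inside = split_unequal(block, outside_prefixlen)
    return {
        "outside_nic": describe(outside),
        "inside_nics": [describe(n) for n in inside],
        "inside_usable_total": sum(describe(n)["usable_hosts"] for n in inside),
    }


if __name__ == "__main__":
    for key, value in plan().items():
        print(key, value)
```

With a /29 outside, the inside side is a /25, /26, /27, /28 and /29 (238 usable addresses in total), each needing its own netmask on whichever inside interface or alias carries it.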
