Re: A better Linux based firewall installation?
- To: Alex Shnitman <alexsh(at-nospam)hectic.net>
- Subject: Re: A better Linux based firewall installation?
- From: Gilad Ben-Yossef <gilad(at-nospam)benyossef.com>
- Date: Wed, 29 Nov 2000 16:26:57 +0200
- CC: Linux-IL mailing list <linux-il(at-nospam)cs.huji.ac.il>
- Organization: Great Illuminated Seers of Bavaria
- References: <Pine.LNX.3.96.1001128214741.951A-100000@localhost> <3A24DF78.3030203@benyossef.com> <20001129144157.D12306@hectic.net>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
- User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.12-20 i686; en-US; m18) Gecko/20001107 Netscape6/6.0
Alex Shnitman wrote:
> Hi, Gilad!
>
> On Wed, Nov 29, 2000 at 12:50:32PM +0200, you wrote the following:
>
>
>> The second is to NOT configure your firewall as a router, but rather as
>> a layer 2 bridge with IP firewalling rules(*2) and not give it an IP at
>> all (bridges don't need to have an IP to function). Not having an IP
>> makes overtaking the machine, hm... difficult ;-)
>
>
> If the machine doesn't have an IP address, what default route do you
> set up on the other machines on the network so that they can go out?
The IP of your router. The hidden assumption here is that we are talking
about the usual office LAN, connected via Frame Relay/ISDN/DSL/SIfranet
or some such to a router on your premises (usually supplied by the ISP).
If you are trying to set up an El Cheapo PPP+dialup account+NAT sort
of LAN you'll have to have a dedicated machine to do the PPP and NAT and
basically be that router.
The setting I described doesn't save you from the need to have a router,
it just puts the responsibility of peripheral protection (Firewalling)
on something else, that is (almost) invisible from an IP network point of
view.
--
Gilad Ben-Yossef <gilad@benyossef.com>
http://benyossef.com :: +972(54)756701