On Thu, 2004-07-08 at 14:39, Matt Morgan wrote:
> On 07/08/2004 02:12 PM, Bobby Knueven wrote:
>
> > Still a little confused on firewalls. Here's my situation (more detail this time).
> >
> > I am assigned a block of IP addresses from the Office of Information Tech. at our University. Along with this block of IPs come the DNS servers I have to use and the Default Gateway. Everything else (DHCP, file server, webserver) is up to me to provide. I need to build a firewall that will allow my current block of addresses (class B), which are assigned to my network from a DHCP server that is on my network, to access the net while providing a secure environment. Since I have a substantial amount of addresses I do not need NAT to use 192's, etc... Where my confusion comes in is the fact that I am already assigned a default gateway on my network. Is it possible to apply a firewall with Internet connection sharing that acts as a new default gateway for my internal network while the firewall would still use the Default Gateway assigned to me? How would I go about sharing that connection without using NAT? Or should I just build a bridging firewall? I am hesitant about a bridging firewall because it seems that it would need to be fairly speedy to keep up with our network traffic. Any recommendations would be appreciated. Thanks.
>
> I realize this is not the answer you're seeking, exactly, but it seems that if you just used NAT everything would be a lot simpler. There's really almost no reason not to use NAT, if you have a reasonably good firewall (and iptables qualifies) and it's kind of easier to understand what's going on. And, pretty much everyone runs out of IP addresses faster than they expect to--NAT will protect you from that.
>
> With NAT, the internal address of the firewall is the gateway address for the internal workstations. So the answer to your question about the default gateway is "yes."
>
> So my advice is, just use NAT.
>
> As a side note, when you respond to messages on this list, please post your messages at the bottom of the previous message. Although it seems strange at first to people who are used to doing it the other way, it makes it a lot easier for new people to pick up the discussion in the middle. That happens a lot on a list of this volume.
>
> --Matt

I would second the suggestion of using NAT for all the reasons given, plus it would also make the firewall easier to configure and therefore less prone to mistakes and holes.

-- 
jludwig <wralphie@xxxxxxxxxxx>
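A concrete rendering of the NAT layout Matt describes (the firewall's inside address becomes the workstations' default gateway while the firewall itself keeps the university-assigned gateway), written as an added example that is not part of this thread; the interface names, the 192.168.1.0/24 range and the `-m state` iptables syntax of that era are assumptions:

```shell
#!/bin/sh
# Added example, not from the list: minimal iptables NAT firewall for the
# layout Matt describes. The workstations use the firewall's inside address
# as their default gateway; the firewall itself keeps the assigned gateway.
# Interface names and the private range are assumptions for illustration.
IPT="${IPT:-iptables}"               # set IPT=echo to preview instead of apply
WAN_IF="${WAN_IF:-eth0}"             # holds the university-assigned address
LAN_IF="${LAN_IF:-eth1}"             # faces the internal workstations
LAN_NET="${LAN_NET:-192.168.1.0/24}" # range handed out by the internal DHCP

apply_firewall() {
    # Clean slate and default-deny: nothing crosses the firewall and nothing
    # reaches it unless a rule below says so. Missing this is the usual hole.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Firewall itself: loopback, replies to its own connections, and the
    # inside network (it is their gateway, so DHCP/DNS relay must reach it).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Anti-spoofing: the private range must never arrive on the outside.
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Inside -> outside: new connections from the private range only.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Outside -> inside: only traffic belonging to a connection opened inside.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The NAT step: rewrite outbound sources to the firewall's public address.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

enable_forwarding() {
    # Without this the kernel never hands packets to the FORWARD chain.
    sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply) apply_firewall && enable_forwarding ;;
esac
```

Run `IPT=echo sh nat-fw.sh apply` to print the rule set for review, and `sh nat-fw.sh apply` as root to load it.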