On Thu, 2004-07-08 at 14:12, Bobby Knueven wrote:
> Still a little confused on firewalls. Here's my situation (more detail
> this time).
>
> I am assigned a block of IP addresses from the Office of Information
> Tech. at our University. Along with this block of IPs come the DNS
> servers I have to use and the Default Gateway. Everything else (DHCP,
> file server, web server) is up to me to provide. I need to build a
> firewall that will allow my current block of addresses (class B), which
> are assigned to my network from a DHCP server that is on my
> network, to access the net while providing a secure environment. Since I
> have a substantial amount of addresses I do not need NAT to use 192's,
> etc... Where my confusion comes in is the fact that I am already
> assigned a default gateway on my network. Is it possible to apply a
> firewall with Internet connection sharing that acts as a new default
> gateway for my internal network while the firewall would still use the
> Default Gateway assigned to me? How would I go about sharing that
> connection without using NAT? Or should I just build a bridging
> firewall? I am hesitant about a bridging firewall because it seems that
> it would need to be fairly speedy to keep up with our network traffic.
> Any recommendations would be appreciated. Thanks.
>
> Bobby Knueven
>

You will need to subnet your class B. You can set up a firewall connecting to the gateway they provide using a small portion of the address space they allocated to you. The remainder of the address space will be behind your firewall for all of the equipment on your network. In order to do this you will coordinate with your campus network admin so he can configure his gateway's interface to match the subnet you set up. He will also put routing table entries in his routing table to direct all traffic for the address range allocated to you to your firewall.
For example, if you were allocated a 172.30.0.0/16 address space you can subnet 172.30.0.0/30, which means you would have two hosts available, 172.30.0.1 and 172.30.0.2, which would be assigned one to your firewall and one to your campus gateway. The remaining address space can be broken up into a series of 24-bit networks such as 172.30.1.0/24, 172.30.2.0/24, etc. You can create larger subnets if you need them.

Read up on subnetting and get a good understanding of it. Sounds like you will be using it a lot. :)

One caveat in my example: I am assuming your routers have zero subnet enabled. If not, you will need to use 172.30.0.4/30, which would have 172.30.0.5 and 172.30.0.6 as valid hosts.

--
Scot L. Harris
webid@xxxxxxxxxx

The decision doesn't have to be logical; it was unanimous.
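The subnet plan Scot describes, worked through as an added example (not code from the thread): carve the allocated block into a /30 link between the firewall and the campus gateway, honour the zero-subnet caveat, list the /24 LAN subnets that remain, and show the summary route the campus admin would point at the firewall. Which /30 host goes to the firewall and which to the gateway is an assumption here; the thread leaves that choice open.

```python
import ipaddress


def plan_subnets(block: str, link_prefix: int = 30, lan_prefix: int = 24,
                 zero_subnet: bool = True) -> dict:
    """Split an allocated block into a firewall<->campus-gateway link subnet
    and a list of LAN subnets that live behind the firewall."""
    net = ipaddress.ip_network(block, strict=True)
    subs = net.subnets(new_prefix=link_prefix)
    first = next(subs)
    second = next(subs)
    # If the campus routers do not have zero subnet enabled, the first
    # subnet of the block (e.g. 172.30.0.0/30) is unusable and the link
    # moves to the next one (172.30.0.4/30), exactly the caveat in the reply.
    link = first if zero_subnet else second
    # A /30 has exactly two usable hosts (network and broadcast excluded).
    hosts = [str(h) for h in link.hosts()]
    # Assumption: lower address on the firewall, upper on the campus gateway.
    firewall_ip, gateway_ip = hosts[0], hosts[1]
    # LAN side: every /24 in the block that does not overlap the link.
    # The rest of the /24 containing the link is left unused in this plan.
    lans = [str(s) for s in net.subnets(new_prefix=lan_prefix)
            if not s.overlaps(link)]
    # The campus admin routes the whole allocation to the firewall's link
    # address; the /30 itself stays directly connected on the gateway.
    return {
        "link": str(link),
        "firewall_ip": firewall_ip,
        "campus_gateway_ip": gateway_ip,
        "lans": lans,
        "campus_route": (str(net), firewall_ip),
    }


if __name__ == "__main__":
    for zero in (True, False):
        plan = plan_subnets("172.30.0.0/16", zero_subnet=zero)
        print(f"zero subnet {'on' if zero else 'off'}: link {plan['link']}, "
              f"firewall {plan['firewall_ip']}, gateway {plan['campus_gateway_ip']}, "
              f"{len(plan['lans'])} LAN /24s starting at {plan['lans'][0]}, "
              f"campus route {plan['campus_route'][0]} via {plan['campus_route'][1]}")
```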