Re: proxy vs. firewall

Chaiya Intasoie (chaiya@rs.mahidol.ac.th)
Mon, 14 Sep 1998 06:29:16 +0700 (ICT)


On Sat, 12 Sep 1998, root wrote:

> Dear Linux-netters,
>
> I'm not an expert networker, and I would appreciate
> any understanding you can share with me about proxy.
>
> Here is my present set up.
>
> 1.) My i686 linux box has two ethernet cards that are
> functioning. The first is connected to the outside
> world which I am writing this e-mail message to.
> It was assigned 24.1.90.21 by my ISP service.
>
> The second card is on eth1 and I can ping it and it
> responds fine. I assigned a dummy IP address to it
> called "192.9.212.1". It forms a "subnet" with my
> i486 box.

Those above are not "dummy IP"; they are __real__ IPs. You should switch to
another "private IP" such as 10.x.x.x (class A) or 192.168.x.x (class C)
instead of using the __real IP__, which will cause trouble for you and many
folks later.

>
> 2.) My i486 Linux box has its own functioning ethernet
> card with dummy IP number "192.9.212.3".

See above!

>
> As you can see I have managed to construct a subnet
> that functions nicely. I have my two boxes hard
> disks NFS mounted on each other. Security wise,
> I think the subnet is isolated.

Your internal networking is very nice! Yep, if you switch to a "private
IP" address you will be happier than this!

>
> But what I would like to have is my subnet be able
> to communicate to the outside world. I would like
> my i486 to talk to the second i686 card but then
> "jump" to the first card and go to the outside
> world. I'm reading Firewall-HOWTO-8, and I think
> what I want is a *proxy* and not a firewall, but
> I'm not sure. If so, which software should I
> download and figure out? SOCKS? TIS?

Nope, you need only IP masquerade to do this; see IP-MASQUERADING-HOWTO in
the mini subdir.

>
> Or can I avoid the proxy altogether and set
> something in the *.conf files that will simply
> pass thru the packets from the first to second
> card?

What you will be using is the program called "ipfwadm" and just three lines
of commands will do exactly what you need.

Here is my example of basic IP masquerading rules.

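# This is the script to start IP_MASQUERADE....
#
# Default forwarding policy: deny
ipfwadm -F -p deny
# Masquerade traffic from the internal 10.x.x.x network to any destination
ipfwadm -F -a m -S 10.0.0.0/8 -D 0.0.0.0/0
ipfwadm -F -a m -S 10.0.0.0/32 -D 0.0.0.0/0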
# End
#

Don't forget to turn to the private IP address instead of using a real IP
address.

>
> Thank you for your help,
>
> Joe

Regards,
Chaiya


-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu
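
The reply's point that 192.9.212.x is routable address space, not private, can be checked before any masquerade rule is written. The script below is an added example, not part of the original post: the function names and the /24 prefix for the 192.9.212.x subnet are assumptions, and it only prints the ipfwadm lines quoted in the reply rather than running them.

```shell
#!/bin/sh
# Added example: refuse to emit masquerade rules for a non-private network.

# Convert a dotted-quad IPv4 address to a 32-bit integer; fail on bad input.
ip_to_int() {
    case $1 in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Reject empty octets, leading zeros (octal ambiguity) and >3 digits.
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed only if CIDR block $1 lies entirely inside an RFC 1918 range.
is_rfc1918_net() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    case $plen in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    n=$(ip_to_int "$addr") || return 1
    for range in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rlen=${range#*/}
        base=$(ip_to_int "${range%/*}")
        mask=$(( (0xFFFFFFFF << (32 - rlen)) & 0xFFFFFFFF ))
        # Inside the range: prefix at least as long, same masked base.
        if [ "$plen" -ge "$rlen" ] && [ $(( n & mask )) -eq "$base" ]; then
            return 0
        fi
    done
    return 1
}

# Print the forwarding rules from the reply for network $1, or refuse.
masq_rules() {
    if ! is_rfc1918_net "$1"; then
        echo "refusing $1: not inside an RFC 1918 private range" >&2
        return 1
    fi
    echo "ipfwadm -F -p deny"
    echo "ipfwadm -F -a m -S $1 -D 0.0.0.0/0"
}

# Constructed inputs: the poster's subnet (assumed /24) and two private nets.
for net in 192.9.212.0/24 10.0.0.0/8 192.168.1.0/24; do
    masq_rules "$net" || true
done
```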