[SLUG] Bridging Firewall

From: btt@nethouse.com
Date: Thu Jun 19 2003 - 08:00:47 EDT


Hello all...

At work, we just had an ISP change and consequently a network IP range
change. For the old setup, we had a full class C network with a
firewall router as the gateway for both our private 192. network and
our public network. Now, we have a /25 (128 IPs) and the ISP has
installed a router in place of ours, so our private network still uses
the linux firewall router we had before, but our public network's
gateway is the new, unfirewalled ISP provided router (I hope that's
clear, there.)

before:
                               2/-(nat)-(private network)
(internet)--1(our linux router)
                               0\-(public network)

after:
                                /-1(our linux router)2-(priv.net)
(internet)--(ISP router)-|switch|
                              \\\-(public network)

(the numbers at connection points are ethX's)

I was thinking about how to still keep both the public network and
private network firewalled with the new setup, and it seems that
enabling bridging in the linux router and setting up a bridging
firewall would be a viable solution... especially since we're left
with eth0 unused at the moment in the router.

So what I'm thinkin' is this:
                                             ///-(public network)
(internet)--(ISP router)--1(linux router)2-|switch|
                                   0\
                                     \-(priv.net)

where eth1 and eth2 are bound into one bridge interface. Supposedly,
iptables would still see the packets being forwarded across the bridge
and be able to do policy on them... just not exactly sure where...

Well, I'm pretty optimistic about this, and I think I'm gonna try
it. The kernel in the linux router has been recompiled with bridging
enabled and the userspace bridge tools have been installed. I guess
I'll try it unfirewalled first to see if the bridge even holds up,
then start adding some policies and see what happens.

So... if any network gurus have some comments (like "that's insane!")
then feel free to speak up, if not then I'll post the detailed results
later as maybe they could be useful.
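As an added example (not part of the original post), here is what the proposed setup looks like as a shell script: eth1 and eth2 are bound into a bridge, and iptables policy is applied on the FORWARD chain, using the physdev match to tell which bridge port a frame came in on. Assumptions not stated in the post: eth1 faces the ISP router and eth2 faces the switch, the bridge is named br0, the kernel has bridge-netfilter support so bridged frames pass through iptables FORWARD, the physdev match is available, and the allowed ports (25, 80, 443) are placeholders for whatever the public hosts actually serve.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumed names: eth1 = port
# toward the ISP router, eth2 = port toward the switch, br0 = bridge.
# Requires a kernel with bridge-netfilter (so iptables sees bridged frames)
# and the iptables physdev match. DRY_RUN=1 prints commands instead of
# running them, which is how you review the rule set before applying it.

DRY_RUN="${DRY_RUN:-0}"
BR=br0; OUTSIDE=eth1; INSIDE=eth2

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Bridge eth1 and eth2. The bridge gets no IP address, so the firewall is
# invisible at layer 3 and the public hosts keep the ISP router as gateway.
build_bridge() {
    run brctl addbr "$BR"
    run brctl addif "$BR" "$OUTSIDE"
    run brctl addif "$BR" "$INSIDE"
    run ifconfig "$OUTSIDE" 0.0.0.0 promisc up
    run ifconfig "$INSIDE" 0.0.0.0 promisc up
    run ifconfig "$BR" up
}

# Policy lives on the FORWARD chain. Both sides sit on the same bridge, so
# -m physdev --physdev-in is what distinguishes "from the internet" from
# "from the public network"; the interface match -i br0 alone cannot.
firewall_bridge() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Connections the public network originates may leave.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" -j ACCEPT
    # From the internet, allow only the services the public hosts offer
    # (placeholder ports).
    for port in 25 80 443; do
        run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Log what the default DROP policy is about to discard.
    run iptables -A FORWARD -j LOG --log-prefix "bridge-drop: "
}

# Only act when explicitly asked: `sh bridge-fw.sh apply`.
if [ "${1:-}" = apply ]; then build_bridge; firewall_bridge; fi
```

Run it once with DRY_RUN=1 to read the generated commands, then with `apply` on the router itself.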



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:00:31 EDT