Re: Firewall

Larry Chin (larry@ca.cch.com)
Thu, 23 Mar 1995 05:09:07 -0500 (EST)

Hi, 

One small thing: I don't know what kind of response you will get from this
list WRT your question, but I think you might find the firewall mailing 
list at greatcircle.com a bit more helpful.

That having been said, I think your diagram should actually look like:

	T1/Internet--- public server ---- firewall -------corporate net

The firewall itself ideally should consist of an external router, bastion 
host and internal router.

The bastion host would run your various proxies etc., the internal router 
would have your packet filtering, and while the external router could also
have packet filters to prevent spoofing, many people don't install any 
filters on this machine.

> I am more than just a little ignorant of how firewalls work, but from my 
> understanding, packets from the internal network are sent to the firewall 
> first, and once they are outside the network, they look as if they 
> originated on the firewall. Inbound packets from the external network, 
> are addressed to the firewall. Our mail and other 
> services would reside on a publicly accessible server.

  Basically correct. Your routing should be set up such that all traffic 
  to/from the internal net and/or Internet *must* go through the firewall 
  bastion host ( in the above configuration ). As such the packets would look
  as if they originated from the bastion. As to mail and other services
  ( I'm not too sure what these other services are ), they can reside on the
  internal net, providing that the bastion is set up to run some sort of
  proxying service that will forward mail to the internal net. This of 
  course implies correctly setting up your DNS ( MX records ) and sendmail etc.

> I am familiar with SCO, Solaris and Linux. I run Linux 1.1.95 and 1.2.1 
> which have IP firewalling support within the kernel. What software can 
> I use to utilize that support?
 
  You could try the TIS FWTK ( or the commercial version Gauntlet ) to handle
  your proxying on the bastion host ( and no, I am not connected to TIS, 
  I have just used their stuff and find it to be just great, so I recommend 
  it to others ). The only caveat with TIS FWTK is that it currently runs on
  SunOS 4.1.3 although some folks have ported it to Solaris.


Hope this helps, let me know if anything isn't clear

===========================================================================
Larry Chin {Larry_Chin@ca.cch.com}	System/Network Administrator
CCH Canadian Ltd.			(416) 441-4001 ext. 349	
===========================================================================
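To make the external router / bastion host / internal router layout in the reply above concrete, here is an added example (not part of the original message, and not the author's code) that models the two routers' filter policies: the optional anti-spoofing filter on the external router, and the internal router rule that every packet crossing it must have the bastion as its peer. The addresses, interface names and sample packets are constructed assumptions.

```python
"""Toy model of the screened-subnet firewall described in the message:

    Internet --- external router --- bastion host --- internal router --- corporate net

The policies below are a teaching model, not a real router configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")    # constructed: the corporate (internal) net
BASTION = ip_address("192.0.2.10")     # constructed: the bastion host's address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrived on: "outside" or "inside"


def external_router(pkt: Packet) -> str:
    """Anti-spoofing filter on the external router: a packet arriving from
    the Internet side must not claim a source address inside the corporate net."""
    if pkt.iface == "outside" and ip_address(pkt.src) in CORP_NET:
        return "drop: spoofed internal source address from the Internet"
    return "pass"


def internal_router(pkt: Packet) -> str:
    """Packet filter on the internal router: the only peer an internal host may
    talk to is the bastion, so all traffic to/from the Internet goes through it."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.iface == "inside":                  # leaving the corporate net
        if src in CORP_NET and dst == BASTION:
            return "pass"
    elif pkt.iface == "outside":               # entering the corporate net
        if src == BASTION and dst in CORP_NET:
            return "pass"
    return "drop: traffic must go through the bastion host"


def trace(packets):
    """Run each constructed packet through the router it would hit and report."""
    return [(p, internal_router(p) if p.iface == "inside" else external_router(p))
            for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("10.1.2.3", "192.0.2.10", "inside"),       # internal host -> bastion: ok
        Packet("10.1.2.3", "198.51.100.7", "inside"),     # internal host -> Internet: dropped
        Packet("10.9.9.9", "192.0.2.10", "outside"),      # spoofed internal source: dropped
    ]
    for pkt, verdict in trace(samples):
        print(f"{pkt.src:>14} -> {pkt.dst:<14} via {pkt.iface:<7}: {verdict}")
```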