Clueless Network Prob

Matthew Carpenter matt
Mon May 17 11:33:44 PDT 2004


So you want to share the same WIRE for both the Internet connection and
the protected network?

This is generally considered less than optimum for security, since a
hacker need only compromise the router to have complete access to your
protected network.  However, if you ARE going to attempt this, you can do
this in a couple different ways.  The differences are only in whether or
not you use two interfaces, or one interface and subinterface(s), which
are basically only additional IP addresses for the same NIC.  You can
have two interfaces connected to the same WIRE, but that doesn't mean
they are on the same subnet.  By subnet I mean IP network.

Not wanting to assume that you know this but believing you probably do,
there are several IP ranges set aside for private use:  10.0.0.0/8,
172.16.0.0/12, and 192.168.0.0/16.  Microsoft ALSO decided to add their
own range of 169.something, for Windows boxes which are configured for
DHCP but there's no DHCP server available.  If you need help subnetting IP
and would like a refresher, feel free to email me offlist and I'll explain
how best to use these ranges.  

If you want to use two NICs (network interface cards, for anyone who does
know), just set them on different IP subnets.  Assign an IP address on the
registered IP address range (the one assigned you by the ISP), and assign
a PRIVATE IP address to the other interface.  This will become the
"Default Gateway" for all the hosts on the protected network.  If you are
going to go this route and a separate hub is a problem, I would actually
use a cross-over cable to connect the firewall directly to the Internet
router and only connect the protected interface to your hub/switch.  This
is the method which I would recommend, knowing very little about your
needs.

If you are going to use the same wire (hub/vlan) for both protected and
Internet address ranges, why waste the extra NIC?  Use it in another box.
You can "create" a subinterface for a NIC in a couple different ways.
Manually, by typing the following as root:

  ifconfig eth0:0 10.150.14.1 netmask 255.255.255.0 broadcast 10.150.14.255 up

This will create a subinterface which lives on eth0.  The rest is
self-explanatory.  Ask if you would like further explanation.
To have this interface created and controlled like a normal interface,
most RedHat-like (RH/MDK/COL/etc.) distros will allow you to create a
file such as /etc/sysconfig/network-scripts/ifcfg-eth0:0 which will look
very similar to the ifcfg-eth0 in the same location.  Some distros allow
you to create subinterfaces in their GUI tools as well.
Using subinterfaces will basically do the same as using two interfaces,
you'll just be limiting the amount of traffic you can send through the
box... but who even has a 10mb connection to the Internet, much less a
100mb one?

If this is clear as mud, let me know and I can try to clean it up.  Sorry
that the formatting isn't the best for reading.

On Fri, 21 Jun 2002 14:27:59 -0500
"Michael Hipp" <mhipp at redmule.com> wrote:

> Ok. What I'm trying to accomplish (eventually) is to have one interface
> that is for the LAN where I can be less uptight about security. And a
> 2nd that will be well secured and intended to receive inbound requests
> from the big Internet. The addr of the 2nd will be in the router as the
> one to expose to the Internet (via the so-called DMZ feature).
> Everything else will be NATed.
> 
> But I don't want to use this box to route traffic from the inside LAN to
> the WAN. Clear as mud? Dumb idea?
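As an added example (not part of the original mail), a small Python check of the address split the reply recommends: it classifies addresses against the private ranges listed above, flags the 169.254/16 auto-configuration range, verifies that the ISP-facing and protected interfaces sit on different IP networks, and builds the ifconfig line and an ifcfg-eth0:0 body for a subinterface. The 203.0.113.10 sample address and the exact ifcfg key set are assumptions.

```python
import ipaddress

# RFC 1918 ranges named in the mail, plus the 169.254/16 link-local range
# ("169.something") that Windows self-assigns when no DHCP server answers.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify(addr):
    """Return 'private', 'link-local' or 'public' for a dotted-quad address."""
    ip = ipaddress.ip_address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def check_layout(isp_iface, protected_iface):
    """Each argument is 'address/prefix' as set on a NIC or subinterface.
    Returns a list of problems; empty means the split follows the mail's advice."""
    problems = []
    isp = ipaddress.ip_interface(isp_iface)
    prot = ipaddress.ip_interface(protected_iface)
    if classify(str(isp.ip)) != "public":
        problems.append(f"ISP-facing address {isp.ip} is not a registered (public) address")
    kind = classify(str(prot.ip))
    if kind == "link-local":
        problems.append(f"protected address {prot.ip} is in 169.254/16 (auto-configuration space)")
    elif kind != "private":
        problems.append(f"protected address {prot.ip} is not in 10/8, 172.16/12 or 192.168/16")
    if isp.network.overlaps(prot.network):
        problems.append(f"{isp.network} and {prot.network} overlap; the interfaces must be on different IP networks")
    return problems


def subinterface_commands(iface, cidr):
    """Build the ifconfig line from the mail for a subinterface such as eth0:0,
    plus an ifcfg file body for RedHat-style distros (key set is an assumption)."""
    i = ipaddress.ip_interface(cidr)
    bcast = i.network.broadcast_address
    cmd = f"ifconfig {iface} {i.ip} netmask {i.netmask} broadcast {bcast} up"
    ifcfg = "\n".join([f"DEVICE={iface}", f"IPADDR={i.ip}", f"NETMASK={i.netmask}",
                       f"BROADCAST={bcast}", "ONBOOT=yes"])
    return cmd, ifcfg


if __name__ == "__main__":
    # Constructed sample: 203.0.113.10/24 (documentation space) stands in for the ISP address.
    for p in check_layout("203.0.113.10/24", "10.150.14.1/24"):
        print("problem:", p)
    cmd, ifcfg = subinterface_commands("eth0:0", "10.150.14.1/24")
    print(cmd)
    print(ifcfg)
```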