[fw-wiz] SunScreen stealth interfaces and DHCP

From: Sebastian Birnbach (birnbacs_at_web.de)
Date: 02/25/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 25 Feb 2005 15:30:06 +0100
    Hi all,

    I have been choking on this problem for some time now, maybe you can
    help me out.

    In my home office, I am using a Sparc Station for firewall and NAT, and
    it talks to a DSL modem. To increase security, I want to migrate from
    IPF to SunScreen and use it in stealth mode /between modem and PPPoE
    interface/, before it does NAT on different interfaces:

       DSL modem
          |
          |
         hme2 (stealth mode)
         hme2 (stealth mode)
          |
          x (crossover cable)
          |
         hme0 (PPPoE, dynamic address)
         hme1 (private fixed IP)
          |
    --|--|-|-|--| to rest of internal network

    I figure that double-using SunScreen is legal, since all packets that
    pass through the stealth mode interfaces enter through a physical
    interface, and an IP packet is an IP packet. Thanks to Valerie Bubb's
    posting I now understand how to configure NAT on a dynamic IP address,
    no problem :)

    So here comes the problem: to configure the stealth interfaces, I must
    know which IP subnet they live in, and give this information in the
    'screen' definition as parameter STEALTH_NET. But with DHCP I don't know
    the network at configuration time. Any chance for a dynamic definition?
    Hmm, alternatively if there was a way to have stealth interfaces bridge
    different networks, I might use that. But how could I configure this,
    and what would be a good value for STEALTH_NET?

    Please note that I don't want to do the stealth filtering /after/ the
    PPPoE, because by that time the packets are already inside the kernel.

    Thanks a lot

            Sebastian
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
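The sticking point in the post is that the network the stealth interfaces sit in is only known once the dynamic address has been assigned. The following is an added example (not from the post, and not SunScreen code): it parses Solaris-style `ifconfig -a` output and derives the `address/prefix` of the network an interface currently lives in, which is the value one would want to feed into a STEALTH_NET-style setting at boot or whenever the lease changes. The `ifconfig` text, interface names and addresses are constructed for the example; how that value is then pushed into the SunScreen configuration is not shown, because the post does not give that syntax. Note that a point-to-point link reports a /32 mask, so the derived "network" collapses to the local address and its peer.

```python
import ipaddress
import re

# Constructed sample of Solaris-style `ifconfig -a` output (assumption: not
# taken from the post; names, flags and addresses are made up for the example).
SAMPLE_IFCONFIG = """\
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.10.1 netmask ffffff00 broadcast 192.168.10.255
sppp0: flags=10010008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4,FIXEDMTU> mtu 1492 index 3
        inet 203.0.113.77 --> 203.0.113.1 netmask ffffffff
"""

# Interface header line: "<name>: flags=<hex><FLAG,FLAG,...> ..."
IFACE_RE = re.compile(r"^(\w+): flags=[0-9a-f]+<([^>]*)>")
# Address line: "inet <addr> [--> <peer>] netmask <8 hex digits> ..."
INET_RE = re.compile(r"^\s+inet (\S+)(?: --> (\S+))? netmask ([0-9a-f]{8})")


def parse_ifconfig(text):
    """Return {ifname: {flags, addr, peer, netmask}} for every interface in the text.

    The hex netmask printed by Solaris is converted to dotted-quad form so it can
    be handed straight to the ipaddress module.
    """
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {
                "flags": set(m.group(2).split(",")),
                "addr": None,
                "peer": None,
                "netmask": None,
            }
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            mask = ipaddress.IPv4Address(int(m.group(3), 16))
            result[current]["addr"] = m.group(1)
            result[current]["peer"] = m.group(2)  # None unless point-to-point
            result[current]["netmask"] = str(mask)
    return result


def stealth_net_for(ifaces, name):
    """Derive the 'network/prefix' string for the network `name` currently lives in.

    Raises ValueError when the interface has no IPv4 address yet (e.g. the DHCP
    or PPPoE negotiation has not completed), so a caller can retry later instead
    of writing a bogus value into the firewall configuration.
    """
    info = ifaces[name]
    if info["addr"] is None:
        raise ValueError(f"{name} has no IPv4 address yet")
    # strict=False lets us pass the host address; the network bits are masked off.
    net = ipaddress.IPv4Network(f"{info['addr']}/{info['netmask']}", strict=False)
    return str(net)


def is_point_to_point(ifaces, name):
    """True for links (PPPoE and friends) where the 'network' is just the two endpoints."""
    return "POINTOPOINT" in ifaces[name]["flags"]


if __name__ == "__main__":
    ifs = parse_ifconfig(SAMPLE_IFCONFIG)
    for ifname in ("hme1", "sppp0"):
        kind = "point-to-point" if is_point_to_point(ifs, ifname) else "broadcast"
        print(f"{ifname}: {stealth_net_for(ifs, ifname)} ({kind}, peer={ifs[ifname]['peer']})")
```

In practice the parser would be fed live `ifconfig -a` output from a script run after the link comes up, and the derived value compared with the one last written so the firewall configuration is only re-applied when the lease actually changes.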

