
RE: full solution to the anna univ routing problem (long)



A related question.

In this, there is talk only about having two ethernet cards for a firewall.
Is that absolutely required?
Can't we just have a linux box with one Network card, but two IP addresses
(using IP aliasing)?

If one network card will work fine, are there any disadvantages?
Specifically, is it less secure than having two network cards?

-Krishnan.
> -----Original Message-----
> From:	Dr. P. Sriram [SMTP:sriram@xxxxxxxxxxxxxxxxxx]
> Sent:	Friday, August 11, 2000 11:42 PM
> To:	ilugc@xxxxxxxxxxxxxxxxxx
> Subject:	full solution to the anna univ routing problem (long)
> 
> (this is a longish article; perhaps, someone can post it on to linux
> india? it may be of interest to a wider audience; i will let the
> linux india subscribers on ilugc decide)
> -----------------------------------------------
> 
> routing through firewalls
> author: p. sriram, iit madras
> 
> here is a complete routing solution for the single firewall setup.  though
> i prepared this as a solution for a problem posed by anna university, this
> may be of interest to many users in india and hence i am posting it here.
> this can even be read for entertainment! i have basically presented the
> routing configuration to use where a leased line connects a lan/wan
> (intranet) to the internet and a two-ethernet card firewall sits at the
> intranet/internet interface. the intranet is assumed to be full of hosts
> with reserved/private ip addresses and a few hosts that have valid
> internet ip addresses. the problem is how to set up routing so things work
> as desired.  the firewall is a ip-forwarding/filtering type.  there are
> excellent linux how-to's that address the problem, but some aspects are
> not covered fully in the how-to's. hence, i write this. i have some
> footnotes and comments in the end which may be read before the solution is
> used. i would suggest reading through the firewall howto for more details
> on the use of ipfwadm or ipchains (or firewalls in general).  actually, as
> routing problems go, this one is rather elementary (can assign as home
> work, but not good enough to be on an exam). 
> 
> disclaimer:
> ----------
> this is free advice. and remember, all my degrees are in aerospace 
> engineering and that is what i teach for a living.  so, any claims about 
> my competence in computer networking will not be admissible in a court 
> of law under the indian evidence act. many people say that advice is 
> worth only what you pay for it. that is a warped western idea, like the 
> warped western phrase 'there is no free lunch'; go to tirupati and you 
> can get free lunch - annadaanam. (i urge you to read up on how the then 
> popular annadaanam practice was eliminated during the colonial raj). i 
> am not venkatachalapathy, so i don't give free lunches; but my advice is 
> free indian advice of the type found in the vedas and the gita. it is 
> good, sound, correct and it works; and free (hey, that sounds like 
> linux!). however, you can't sue me or iit madras if you get lung 
> cancer/bubonic plague/excessive pimples because you used my advice.
> 
> the specific setting:
> ------------------
> using annauniv example, the isp assigned 'internet valid' ip addresses 
> are 202.54.64.96 to 111; so the netmask for the subnet is 
> 255.255.255.240 or /28; this / notation is so compact that i will use it 
> from here on.  your linux box may or may not support this type of 
> notation in the setup commands; if it does not, you will have to replace 
> the /28 (or whatever) with 'netmask 255.255.255.240' (or whatever). the 
> anna univ 'valid' subnet can be thus denoted as 202.54.64.96/28. the 
> firewall host is connected to the router - and in fact is the only host 
> connected to the router. in a sense, the presence of internet on the 
> anna univ campus is limited to that small segment of the ethernet 
> network (cables/hubs whatever) that connects the router to the firewall.  
> the firewall uses an ip of 202.54.64.101 on eth0 (which connects to the 
> router) and 10.1.1.1 on eth1; eth1 connects to the campus network 
> (intranet). the campus network uses private 10.x ip numbers for all the 
> hosts. the single firewall sits between the campus network and the 
> internet. now, it is proposed to add a new host in the intranet with an 
> ip address of 10.1.1.30; this host needs to be visible on the internet 
> with an ip address of 202.54.64.102. there is also another host 
> 10.1.1.100 which is an intranet only host (no direct access to the 
> internet; it accesses internet through the firewall). how to do routing 
> for this setup?
> 
> the solution
> -----------
> i will start with the router and work my way into the network. i don't 
> know the address given to the ethernet interface of the router, so i 
> will assume it is 202.54.64.97; this is the conventionally used address; 
> the lowest, 96, is reserved for the network, and the highest, 111, is 
> reserved for the subnet broadcast address; the lowest address available, 
> 97, is for the router/gateway, leaving the 13 addresses (202.54.64.98 
> through 110) available for other hosts in the intranet which need a 
> direct connection to the internet. the firewall uses 202.54.64.101, 
> leaving 12 more internet valid ip addresses. though my solution is for 
> 202.54.64.102, it obviously applies for any of these 12.
> 
> (read my important footnote regarding the single firewall configuration 
> in the indian context)
> 
> (1) router
> ---------
> default route points to the serial interface
> 202.54.64.101/32 points to the ethernet interface
> 202.54.64.102/28 points to 202.54.64.101
> (router programming depends on vendor and model; consult router manual 
> to figure out how to make the entries as above. the second entry is a 
> host route and the third entry is a gateway route to a subnet)
> 
> without the firewall, the standard routing on the router would be
> default points to the serial interface
> 202.54.64.96/28 points to the ethernet interface
> 
> (2)firewall
> ----------
> (first setup the two ethernet cards)
> 
> ifconfig eth0 202.54.64.101/28
> ifconfig eth1 10.1.1.1/x  (appropriate netmask to be added depending on 
> how large the 10.x local domain is; i will just show this with an x; i 
> am assuming the intranet is sized for at least 256 addresses so x is 24 
> or lower)
> 
> (and now, the routing)
> ip address of router points to eth0 device
> 202.54.64.96/28 points to eth1 device
> 10.1.1.1/x points to eth1 device
> default route points to ip address of router (202.54.64.97 assumed)
> 
> the following commands will accomplish this routing; some of these may 
> have been automatically added by the system during installation.
> 
> route add -host 202.54.64.97 dev eth0
> route add -net 202.54.64.96 netmask 255.255.255.240 dev eth1
> route add -net 10.1.1.0 netmask x dev eth1
> route add default gateway 202.54.64.97
> 
> note that since both 202.x and 10.x are present on the intranet, the 
> interface connecting to the intranet (eth1) has a routing entry for 
> both. the internet is accessed through the router on eth0 and the other 
> two routing entries set this up.
> 
> (and finally, the firewalling)
> the firewall will need to have ip forwarding enabled. suitable ipfwadm 
> or ipchains rules will have to be put in place to control access as per 
> policy.  10.x intranet hosts can gain access to internet through a 
> suitable masquerading rule. in fact, a broad rule can be used to allow 
> all hosts on the 10.x intranet to completely access internet (all these 
> accesses will appear to come from the firewall internet ip 
> 202.54.64.101).  however, this access will be one-way, meaning, users in 
> the intranet can access the internet, but not vice-versa; connections 
> can be made from the intranet to the internet, but not vice-versa 
> (though data can flow in both directions). in users language, this will 
> mean one can do web browsing, but not web hosting; one can send mail out 
> directly but not receive. one can ftp - well, not actually. ftp needs 
> two connections, one opened by the server and one by the client. clients 
> in the internet cannot use an intranet ftp server. even clients in the 
> intranet cannot use an internet ftp server since the server cannot open 
> up the connection to the client.  only if the ftp client and ftp server 
> support the passive feature can ftp work through the firewall.
> consult the firewall howto which has a good explanation of how to set up 
> ipfwadm or ipchains; the howto also has pointers to other documentation 
> on ipfwadm and ipchains.
> 
> and finally, i present the last step of the routing, the intranet hosts.
> 
> (3) intranet hosts
> ----------------
> (a) pure intranet hosts with 10.x addresses only; the routing for these 
> should have 
> 10.x pointing to eth0; the address for the example host is 10.1.1.100. 
> the routing should have
> 
> 202.54.64.96/28 pointing to eth0
> default pointing to 10.1.1.1, the internal interface of the firewall
> 
> the commands to do this are
> 
> ifconfig eth0 10.1.1.100/x
> 
> route add -net 10.1.1.0 netmask x dev eth0
> route add -net 202.54.64.96 netmask 255.255.255.240 dev eth0
> route add default gateway 10.1.1.1
> 
> however, this leaves the router inaccessible since it is beyond the 
> firewall and not on the intranet.  same is true of the external 
> interface 202.54.64.101 on the firewall. to be able to access the router 
> from this host, a host route has to be added.
> 
> route add -host 202.54.64.97 gateway 10.1.1.1
> 
> of course, access to the router from this intranet host will be 
> controlled by the firewalling rules. a similar host route has to be 
> added if one wants to access the firewall external interface (route add 
> -host 202.54.64.101 gateway 10.1.1.1); remember, the firewall machine 
> itself can be conveniently accessed using the 10.1.1.1 address. access 
> to the external interface may be needed, for example, for some mail 
> purposes.
> 
> as an alternate arrangement, a 10.x address can be assigned to each of 
> the internet hosts on the intranet (not only the firewall), making them 
> visible on the intranet directly. this will need ip aliasing support on 
> all the internet hosts (the hosts with the 202 series ip addresses). in 
> that case, the first route shown above (10.x pointing to eth0) will open 
> up this access and all the routing entries except the default entry 
> become superfluous.  i believe this is a better arrangement since 
> generic 10.x hosts need not know anything about the existence of the 202 
> hosts at all. in a sense, the presence and access to internet is 
> transparent to users on 10.x machines. they need not know anything about 
> routing and simply use the appropriate 10.x gateway(s) to access 
> internet services.  the corresponding routing for the internet hosts is 
> shown at the bottom of the next section.
>  
> (b) internet hosts on the intranet i.e., hosts with 202 series ip 
> addresses; example, 202.54.64.102; eth0 can be configured with this ip 
> address. the routing is as follows.
> 
> 10.x pointing to eth0
> 202.54.64.96/28 pointing to eth0
> 202.54.64.97 pointing to 10.1.1.1
> default pointing to 202.54.64.97
> 
> the commands to do this are
> 
> ifconfig eth0 202.54.64.102/28
> 
> route add -net 10.1.1.0 netmask x dev eth0
> route add -net 202.54.64.96 netmask 255.255.255.240 dev eth0
> route add -host 202.54.64.97 gateway 10.1.1.1 
> route add default gateway 202.54.64.97
> 
> as in case 3-a, the external interface of the firewall is not accessible 
> directly at this stage. if this access is needed, one needs to add a 
> route for that pointing to the internal interface of the firewall as was 
> done in case 3-a (route add -host 202.54.64.101 gateway 10.1.1.1).
> 
> the above is applicable if the internet hosts on the intranet are not 
> given the local 10.x series addresses through aliasing. if one chooses 
> the alternate arrangement of giving a 10.x address also to these hosts, 
> we have the following.
> 
> ifconfig eth0 202.54.64.102/28
> ifconfig eth0:0 10.1.1.30/x
> 
> route add -net 10.1.1.0 netmask x dev eth0:0
> route add -net 202.54.64.96 netmask 255.255.255.240 dev eth0
> route add -host 202.54.64.97 gateway 10.1.1.1 
> route add default gateway 202.54.64.97
> 
> if, for some reason, it is preferred to give 10.1.1.30 as the eth0 
> address and 202.54.64.102 as the additional (aliased) address eth0:0, 
> eth0 and eth0:0 will have to be interchanged in the above to get
> 
> ifconfig eth0 10.1.1.30/x
> ifconfig eth0:0 202.54.64.102/28
> 
> route add -net 10.1.1.0 netmask x dev eth0
> route add -net 202.54.64.96 netmask 255.255.255.240 dev eth0:0
> route add -host 202.54.64.97 gateway 10.1.1.1 
> route add default gateway 202.54.64.97
> 
> that completes the solution; there are other ways of achieving this, but 
> this one will work.
> 
> footnote: (1) this type of single point firewalling is generally not 
> necessary in the indian context. since the router at the vsnl end will 
> only route packets to the 202.54.64.96/28 subnet (these being the only 
> 'valid' internet ip addresses), the 10.x hosts are absolutely safe from 
> direct attack from the internet. since only 202.54.64.96/28 hosts are 
> visible on the internet, one of the hosts in this set will have to be 
> broken into before any of the 10.x hosts can be attacked. the only thing 
> gained by putting two ethernet cards on 202.54.64.101 is that this ONE 
> host (not just any one of the 202.54.64.96/28 subnet) will have to be 
> broken into before any other host can be attacked.  one could argue that 
> maintaining one secure host is easier than maintaining 13; however, with 
> a reasonably fast leased link, a simple pc as the single firewall may 
> result in a bottleneck; this can lead to inability to utilize the 
> bandwidth available on the leased line. a dedicated firewall box or 
> at least, a linux router type box may be in order.  however, this type of 
> firewalling is usually called for only if all (or many) of the hosts 
> behind the firewall have externally visible ip addresses since it can 
> protect weakly configured hosts (say, user configured/administered 
> windows type machines). for example, if annauniv had the address space 
> of 202.54.64.x/24 (256 ip addresses) or lower than /24  - say /23 or /22 
> or whatever - (more than 256 ip addresses), they could assign 
> 202.54.whatever type ip addresses to ALL hosts on their campus network. 
> then, ALL these hosts would be directly on the internet and would be 
> fair game for direct attack from anywhere in the world.  this is a 
> typical corporate setup in the west and hence the need for double 
> ethernet card firewall at the point(s) of entry.  the limited 
> availability of ip addresses in india (and the world in general, i 
> suppose) means that even 2mbps leased line customers get far fewer 
> addresses than the number of machines they have; this leads to a 
> standard indian setup of intranets based entirely on reserved ips (and 
> thus automatically isolated from the internet) and only a relative 
> handful of the hosts on the intranet having direct access to the 
> internet.  the western type firewall is probably inappropriate for use 
> in this type of situation. one can reasonably assume that the limited 
> 'valid' ip addresses would be in demand and would only be dished out 
> only to well managed/configured/administered server class machines, 
> which would be reasonably difficult to break into (unlike a user 
> administered windows type machine). moral of this story: if you want to 
> market this type of firewall solution in india, and if your potential 
> client is wise enough to seek my counsel (!), your price be real cheap 
> or there goes your sale.
> 
> (2) introduction to firewalls: there are basically two types of 
> firewalls - the forwarding/filtering type and the proxying type.  the 
> forwarding/filtering type has two ethernet cards, one connected to the 
> internet and the second to the intranet. the first is the outside of the 
> firewall and the second, the inside. ipforwarding is enabled on the 
> firewall selectively to control what traffic can get through. ipfw, 
> ipfwadm and ipchains are software packages that can be used to provide 
> this control function. in the proxy type firewall, the intranet hosts 
> are blocked from the internet (and vice versa) by the router connecting 
> the network to internet; select hosts have access to the internet and 
> these serve as proxies for the others. i.e., an intranet host needing an 
> internet service forwards the request to an internet enabled host; this 
> host then performs the service and returns the results to the 
> originating host. the squid web proxy is a well known example for this 
> type of transaction. a browser makes a request to the squid proxy, which 
> fetches the information from the internet and presents the resulting web 
> pages to the browser. in general, one proxy program is required for each 
> of the services that needs to be provided. the socks package can be 
> used to get around this problem of one program for each service. it is a
> generic package and can be used to proxy multiple services; it basically
> passes along a generic request for service that it receives but with
> itself as the requester; the returned results are passed back
> appropriately. with the proxy approach, the user application has to be
> redirected to obtain service from the appropriate proxy server and not
> directly. in a browser, this may simply mean turning on an option to use a
> proxy and entering the proxy address. however, for most other
> applications, a recompile may be called for, especially if the service is
> through socks (this is known as sockifying an application). for windows
> users, there is the well known trumpet winsock package which provides the
> socks functionality. there is also another tool that is useful - the tis
> fwtk (firewall tool kit). this is a generic proxying type package and
> provides good control over what services are provided through the proxy
> and to whom. read the firewall howto for further information.
> 
> ---
> Visit our home page at: www.chennailug.org
> Send e-mail to 'ilugc-request@xxxxxxxxxxxxxxxxxx' with 'unsubscribe' 
> in either the subject or the body to unsubscribe from this list.
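The routing tables from the quoted solution, modelled as a longest-prefix-match lookup so the effect of each host route can be checked offline. This is an added example, not code from the original post; it assumes the intranet netmask "x" is /24 and constructs the set of addresses present on each link from the post's description.

```python
# Added example (not part of the original post): longest-prefix-match model
# of the three routing tables in the solution (firewall, pure intranet host
# 10.1.1.100, internet host 202.54.64.102), to check first-hop reachability.
from ipaddress import ip_address, ip_network

# Assumption: the post leaves the 10.x mask as "x"; a /24 is used here.
INTRANET = "10.1.1.0/24"

# Each route is (destination prefix, outgoing device, gateway or None).
# Order is irrelevant: the most specific prefix wins, as in the kernel.
TABLES = {
    "firewall": [
        ("202.54.64.97/32", "eth0", None),        # host route to the router
        ("202.54.64.96/28", "eth1", None),        # public hosts sit on the intranet
        (INTRANET, "eth1", None),
        ("0.0.0.0/0", "eth0", "202.54.64.97"),
    ],
    "host_10.1.1.100": [
        (INTRANET, "eth0", None),
        ("202.54.64.96/28", "eth0", None),
        ("202.54.64.97/32", "eth0", "10.1.1.1"),  # host route via firewall
        ("0.0.0.0/0", "eth0", "10.1.1.1"),
    ],
    "host_202.54.64.102": [
        (INTRANET, "eth0", None),
        ("202.54.64.96/28", "eth0", None),
        ("202.54.64.97/32", "eth0", "10.1.1.1"),
        ("0.0.0.0/0", "eth0", "202.54.64.97"),
    ],
}

# Constructed from the post: addresses that actually answer on each link.
ROUTER_SEGMENT = {"202.54.64.97", "202.54.64.101"}
INTRANET_LINK = {"10.1.1.1", "10.1.1.100", "10.1.1.30", "202.54.64.102"}
LINK_OF = {
    ("firewall", "eth0"): ROUTER_SEGMENT,
    ("firewall", "eth1"): INTRANET_LINK,
    ("host_10.1.1.100", "eth0"): INTRANET_LINK,
    ("host_202.54.64.102", "eth0"): INTRANET_LINK,
}

def lookup(table, dst):
    """Return (device, next_hop): the gateway if the winning route has one,
    otherwise dst itself (delivered directly on the link)."""
    addr, best = ip_address(dst), None
    for prefix, dev, gw in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2] or dst

def without(table, prefix):
    """Copy of a table with one route removed, to show what it was for."""
    return [r for r in table if r[0] != prefix]

def first_hop_reachable(host, dst, table=None):
    """True if the chosen next hop really is on the chosen device's link."""
    dev, hop = lookup(table or TABLES[host], dst)
    return hop in LINK_OF[(host, dev)]
```

Dropping the /32 host route from either the firewall or the intranet host makes the router fall under the 202.54.64.96/28 entry and be sought on the wrong link, which is the point the post makes about those entries.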