
Conference irocz::common_brouters

Title:Digital Brouters Conference
Notice:New common-code brouter family: RouteAbout, DECswitch 900
Moderator:MARVIN::HARTLL
Created:Mon Jul 17 1995
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:929
Total number of notes:3736

849.0. "Route About as firewall" by COPCLU::PALMANN () Fri Apr 11 1997 09:52

I'm setting up a simple firewall, based partially on a Route About Access.
The setup is as seen below.
The Internet addresses are changed, so they are not the actual ones.

Can anyone point out any obvious failures, or something I overlooked?
I'm especially interested in the Route About security part.

-------------------------------My setup-----------------------------------



               /----172.27.0.0------------The internal net-----/
                                        |
                                  -------------
                                 | 172.27.x.y  |
                                 | NT 4.0      |
                                 | exchange    |
                                 | 94.192.110.2|
                                  -------------
                                        |
                /-----------'RED net'--------------------------/
                        |                    |
                    --------------     --------------
                   | 94.192.110.3 |   | 94.192.110.1 |
                   | PC  Win 95   |   | Route About  |
                   | WEB browser  |   | 93.90.56.128 |
                    --------------     --------------
                                             |
                                             |
                                    to  I.S.P. ( The Internet )

----------------------------------------------------------------------------

I would like:

A:
From the 'internal net', I want mail/SMTP from the
NT-Exchange server, to and from any node on the Internet.

B:
From one PC at the 'RED net', I want to run a WEB browser
against the Internet. 

Setup:

1. The NT-Exchange server does not route, and only responds to DNS and SMTP
( port 53 & 25 ) on the 'Red net' 94.192.110.2

2. The Windows95 PC on the 'Red net' has been made very 'handicapped', and does
not have any TCP/IP servers running.

3. The Route About IP router is set up as follows:

-----------------------------------------------------------------------------

Config>p 0
Internet protocol user configuration
IP config>list all
Interface addresses
IP addresses for each interface:
   intf  0   94.192.110.1    255.255.255.0    Network broadcast,    fill 1    
   intf  1                                    IP disabled on this interface
   intf  2                                    IP disabled on this interface
   intf  3   93.90.56.128    255.255.255.0    Network broadcast,    fill 1    

Routing

route to 0.0.0.0,0.0.0.0 via 93.90.56.128, cost 1

Filter address 172.27.0.0, 255.255.0.0

Protocols
BOOTP forwarding: disabled
Directed broadcasts: enabled
ARP Subnet routing: disabled
RFC925 routing: disabled
OSPF: disabled
Per-packet-multipath: disabled
RIP: disabled
EGP: disabled

IP config>list access
Access Control is: enabled
List of access control records: 

                                                          Beg End  Beg   End
    Ty Source          Mask      Destination     Mask     Pro Pro  Prt   Prt
1   I  0.0.0.0         00000000  94.192.110.2    FFFFFFFF 6   6    25    25   
2   I  94.192.110.2    FFFFFFFF  0.0.0.0         00000000 6   6    25    25   
3   I  94.192.110.2    FFFFFFFF  0.0.0.0         00000000 6   6    53    53   
4   I  0.0.0.0         00000000  94.192.110.2    FFFFFFFF 6   6    53    53   
5   I  0.0.0.0         00000000  94.192.110.2    FFFFFFFF 17  17   53    53   
6   I  94.192.110.2    FFFFFFFF  0.0.0.0         00000000 17  17   53    53   
7   I  0.0.0.0         00000000  94.192.110.3    FFFFFFFF 0   255  0     65535
8   I  94.192.110.3    FFFFFFFF  0.0.0.0         00000000 0   255  0     65535
9   E  0.0.0.0         FFFFFFFF  0.0.0.0         FFFFFFFF
--------------------------------------------------------------------------

My explanation to the access list :

Line 1: any address        can send SMTP mail to 94.192.110.2
Line 2: 94.192.110.2       can send SMTP mail to any address

Line 3: 94.192.110.2       can send DNS on TCP to any address
Line 4: any address        can send DNS on TCP to 94.192.110.2
Line 5: any address        can send DNS on UDP to 94.192.110.2
Line 6: 94.192.110.2       can send DNS on UDP to any address

Line 7: any address        can send any thing to 94.192.110.3
Line 8: 94.192.110.3       can send any thing to any address

Line 9:                    exclude any thing else


                          What do you think?
                          Any holes, or comments?
                                        Jan
849.1. "Make sure you allow access to the router (if you need it)" by MARVIN::HART (Tony Hart, InterNetworking Prod. Eng. Group) Mon Apr 14 1997 10:52
>Routing
>
>route to 0.0.0.0,0.0.0.0 via 93.90.56.128, cost 1
>
	The 'via' address must be the address of your ISP's router not your
own address as you have here.

>
>Filter address 172.27.0.0, 255.255.0.0
>
	This will prevent forwarding of *any* packet to 172.27 (your internal
network) if the packet matches this route in the forwarding table, which it
will since the only routes you have are static routes.  i.e. the RA will not
forward any packets it receives which are addressed to 172.27.*.*.

	So you need to remove this filter.

>    Ty Source          Mask      Destination     Mask     Pro Pro  Prt   Prt
>1   I  0.0.0.0         00000000  94.192.110.2    FFFFFFFF 6   6    25    25   
>2   I  94.192.110.2    FFFFFFFF  0.0.0.0         00000000 6   6    25    25   
>3   I  94.192.110.2    FFFFFFFF  0.0.0.0         00000000 6   6    53    53   
>4   I  0.0.0.0         00000000  94.192.110.2    FFFFFFFF 6   6    53    53   
>5   I  0.0.0.0         00000000  94.192.110.2    FFFFFFFF 17  17   53    53   
>6   I  94.192.110.2    FFFFFFFF  0.0.0.0         00000000 17  17   53    53   
>7   I  0.0.0.0         00000000  94.192.110.3    FFFFFFFF 0   255  0     65535
>8   I  94.192.110.3    FFFFFFFF  0.0.0.0         00000000 0   255  0     65535
>9   E  0.0.0.0         FFFFFFFF  0.0.0.0         FFFFFFFF

	One problem I can see is the last line, the masks need to be 0.0.0.0 to
exclude any source or destination (not FFFFFFFF).  In fact you can remove rule
9 altogether since the default action is to exclude the packet.


	Note however that the above rules will mean that you won't be able to
telnet to the router itself, so you probably want to add a line that allows
router originated packets to be sent anywhere and a line that allows telnet/SNMP
access to the router (or just allow any packet addressed to the router).


	I strongly recommend that you test these configurations before
employing them because it's notoriously hard to get these things right the first
time.

Tony
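An added model of how the nine access control records above are evaluated; this is illustration code, not part of the note or of the RouteAbout software. It assumes first-matching-record-wins ordering, exclude when nothing matches, that the Beg/End Prt columns are checked against the destination port, and that record 9's blank protocol/port columns mean the full range. It reproduces both points in Tony's reply: record 9 with FFFFFFFF masks only matches address 0.0.0.0, and nothing permits packets to or from the router's own address until records for it are added.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    ty: str           # 'I' = include (permit), 'E' = exclude (drop)
    src: str
    smask: int        # source mask, the 32-bit hex value shown by 'list access'
    dst: str
    dmask: int        # destination mask
    proto: tuple      # (Beg Pro, End Pro): IP protocol number range
    port: tuple       # (Beg Prt, End Prt): assumed to be the destination port

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def matches(r, src, dst, proto, port):
    """A record matches when both masked addresses and both ranges agree."""
    return ((_ip(src) & r.smask) == (_ip(r.src) & r.smask)
            and (_ip(dst) & r.dmask) == (_ip(r.dst) & r.dmask)
            and r.proto[0] <= proto <= r.proto[1]
            and r.port[0] <= port <= r.port[1])

def permitted(rules, src, dst, proto, port):
    """Assumed semantics: first matching record decides; no match = exclude."""
    for r in rules:
        if matches(r, src, dst, proto, port):
            return r.ty == 'I'
    return False

ANY, HOST = 0x00000000, 0xFFFFFFFF
EXCH, PC, ROUTER = '94.192.110.2', '94.192.110.3', '94.192.110.1'
# Records 1-9 as listed in the base note (addresses are the note's fictitious ones).
posted = [
    Rule('I', '0.0.0.0', ANY, EXCH, HOST, (6, 6), (25, 25)),
    Rule('I', EXCH, HOST, '0.0.0.0', ANY, (6, 6), (25, 25)),
    Rule('I', EXCH, HOST, '0.0.0.0', ANY, (6, 6), (53, 53)),
    Rule('I', '0.0.0.0', ANY, EXCH, HOST, (6, 6), (53, 53)),
    Rule('I', '0.0.0.0', ANY, EXCH, HOST, (17, 17), (53, 53)),
    Rule('I', EXCH, HOST, '0.0.0.0', ANY, (17, 17), (53, 53)),
    Rule('I', '0.0.0.0', ANY, PC, HOST, (0, 255), (0, 65535)),
    Rule('I', PC, HOST, '0.0.0.0', ANY, (0, 255), (0, 65535)),
    Rule('E', '0.0.0.0', HOST, '0.0.0.0', HOST, (0, 255), (0, 65535)),
]
# Tony's suggestion: drop record 9, permit any packet to the router and any router-originated packet.
fixed = posted[:8] + [
    Rule('I', '0.0.0.0', ANY, ROUTER, HOST, (0, 255), (0, 65535)),
    Rule('I', ROUTER, HOST, '0.0.0.0', ANY, (0, 255), (0, 65535)),
]
```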
849.2. by COPCLU::PALMANN () Wed Apr 16 1997 07:05
    Hi Tony,
    Thanks for taking the time, to comment on my setup.
    I will adjust the setup, and 'move in to the test phase'.
    
    			Jan