[CentOS] Still Confused about Firewalling

Mon Oct 19 18:38:18 UTC 2009
Monty Shinn <montys at videopost.com>

ML wrote:
> Hi All,
> 
> Sorry, I am still confused about implementing a firewall without  
> having my ISP static route all of my traffic to my public IP's to a  
> single public IP.
> 
> So before when I have done this for work all traffic has been  
> statically routed.
> 
> Now I have a comcast modem and it is 'pass through' so traffic for all  
> my 13 IPs is allowed and I have to decide what to do.
> 
> So I am looking at Vyatta or UnTangle. I have a machine with 3 NICs  
> in it. I think one would be In, DMZ and last private.
> 
> What happens? I have one cable from my comcast gateway to my firewall's  
> NIC, but how does it answer for all IPs that I have so I can evaluate  
> the request incoming to a rule set and decide if allowed or denied?
> 
> I am missing something fundamental!  Can anyone help this click in my  
> head? Without statically routing my traffic I don't get it.
> 
> Say a request comes to my webserver 172.13.167.xxx on port 80, but my  
> firewall's IP for the card is 172.13.167.zzz how does it answer for  
> 172.13.167.xxx?
> 
> -Jason
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

You are looking for aliases.

Most probably in your firewall settings you can set up aliases, so the 
"main NIC", with an IP address of 172.13.167.xxx, will also capture 
172.13.167.xxx +1 and so on.

(IPCop and pfSense have these options for sure.)

So, you will end up with a "default IP", which is the IP of your 
firewall, and 12 aliases.

Then you can port forward any of those public IPs to the desired 
private IPs.

IIRC, the Linux nomenclature would be similar to "eth0", "eth0:1", etc., 
with different public IP addresses referencing the same hardware NIC.

Hope this helps.

Monty
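Monty's aliases-plus-port-forwarding answer written out as a Linux script, added here as an example and not part of the thread or any of the products mentioned. Interface names eth0/eth2, the /28 prefix, and the 172.13.167.x / 192.168.1.x addresses are constructed stand-ins for the xxx/zzz placeholders above; by default it only prints the commands, and APPLY=1 executes them.

```shell
#!/bin/sh
# Added example (not from the thread): bind the extra public addresses as
# aliases on the WAN NIC and DNAT each one to a host on the private LAN.
# Constructed values: 172.13.167.x stands in for the thread's xxx/zzz; the
# /28 and the interface names are assumptions.
WAN=eth0          # NIC cabled to the Comcast gateway
LAN=eth2          # NIC facing the private network
PREFIX=28         # assumed: a /28 leaves 13 usable hosts besides the gateway

# One mapping per line: public alias, alias label, private host, TCP port.
MAPPINGS='
172.13.167.11 eth0:1 192.168.1.10 80
172.13.167.12 eth0:2 192.168.1.20 25
'

# Emit the commands for one mapping; nothing is executed here.
emit_rules() {
    pub=$1; label=$2; priv=$3; port=$4
    # Secondary address with an eth0:N style label, as in the reply.
    echo "ip addr add $pub/$PREFIX dev $WAN label $label"
    # Rewrite the destination before routing so the kernel forwards it.
    echo "iptables -t nat -A PREROUTING -i $WAN -d $pub -p tcp --dport $port -j DNAT --to-destination $priv:$port"
    # Permit only that flow; FORWARD policy is DROP (see emit_baseline).
    echo "iptables -A FORWARD -i $WAN -o $LAN -d $priv -p tcp --dport $port -m state --state NEW -j ACCEPT"
}

# Baseline: enable routing, drop forwarded traffic by default, keep replies.
emit_baseline() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Print the complete command list: baseline first, then every mapping.
gen_all() {
    emit_baseline
    echo "$MAPPINGS" | while read -r pub label priv port; do
        [ -n "$pub" ] && emit_rules "$pub" "$label" "$priv" "$port"
    done
}

# APPLY=1 runs the commands (needs root); otherwise they are only printed.
if [ "${APPLY:-0}" = 1 ]; then
    gen_all | while read -r cmd; do $cmd; done
else
    gen_all
fi
```

Inbound traffic to a public address with no DNAT rule still reaches the firewall itself, so its INPUT chain needs an equally restrictive policy.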