Thanks Mike, this is very helpful.

Eric

Michael Wittman wrote:
> On Tue, May 14, 2002 at 08:51:28AM -0700, Eric Richardson wrote:
>
>> I'm really new to this so I'm trying to figure out what is important.
>> Some simple questions would really help me.
>> Do you run the router to eth0-firewall-eth1 to switch, or does the
>> topology matter because of the layer of TCP being filtered?
>
> I have only one system behind the router, so effectively I have router
> to eth0. If I were to set up a Linux firewall with other boxes behind
> it, I would do it as you've described.
>
>> On the 678, are you using it as the DHCP for your clients as well, and is
>> it in PPP mode?
>
> I've set the 678 to use a static IP for the box I have connected to
> it. There's no reason you couldn't have it give you addresses through
> DHCP, although that probably would make it more difficult to configure
> it to let some ports pass through to a particular host. My router is
> in PPP mode.
>
>> Are you using any fixed IPs behind the router/firewall?
>
> Yes, but it's on an internal network (192.168.1.0, I think). The
> router is assigned the external IP address and does NAT for the host I
> have connected. If you have real IPs on your network behind the
> router, I'm sure you could set it up to disable NAT and properly route
> the packets.
>
>> I'm sure this isn't too hard, but when you don't understand it all it is
>> pretty difficult. I bought the Linux Firewalls book and am working on
>> a dual-homed host for a firewall (2.4 iptables). Now, with adding the
>> DSL router in PPP mode, I'm not sure what should do what. Does the router
>> get a dynamic IP as well? Anyway, any insight would be much appreciated.
>
> In theory, my router gets a dynamic IP through PPP, but I've yet to
> see it change. You can read the external IP off the router if you
> want to be able to connect to one of your internal hosts from outside.
> (I have a Perl script which does this if you're interested.)
>
> My advice would be to first get the router up and running so that you
> have a connection. Your ISP may have a page which describes their
> recommended router config. Then set up your Linux firewall (if you're
> using NAT you probably won't get much, if any, external activity at
> this point). Then mess with the router's NAT to map external ports on
> the router to ports on hosts on your internal network. Then, if you
> care to do so, mess with the router's NAT and filtering as a second
> layer of security.
>
> -Mike
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
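For the "router -> eth0 [firewall] eth1 -> switch" layout Eric describes, with the 2.4 iptables firewall behind a router that is itself doing NAT, the following is an added example (not code from either poster) of a minimal stateful rule set for the dual-homed host. The interface names, the 192.168.1.0/24 LAN and the internal host 192.168.1.10 that should receive forwarded SSH are assumptions chosen for illustration. Run as-is it only prints the rules it would load; with APPLY=1 as root it executes them.

```shell
#!/bin/sh
# Added example, not from the PLUG thread. Assumed layout (not from the list):
#   DSL router (NAT, PPP) -> eth0 [Linux 2.4 iptables firewall] eth1 -> LAN switch
#   eth0 = external side, eth1 = LAN 192.168.1.0/24, 192.168.1.10 = host that
#   should be reachable on TCP/22 from outside (after the router forwards it).
#
# Dry run by default: $IPT is "echo", so the rules are printed, not loaded.
# APPLY=1 (as root) switches to the real iptables binary.
if [ "${APPLY:-0}" = "1" ]; then
    IPT=iptables
    echo 1 > /proc/sys/net/ipv4/ip_forward   # the dual-homed host must route
else
    IPT=echo
fi

# firewall_rules EXT_IF INT_IF LAN_CIDR SSH_HOST
firewall_rules() {
    ext_if=$1; int_if=$2; lan=$3; ssh_host=$4

    # Clean slate, then default-deny for traffic to and through the firewall.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the tracker already knows about.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: LAN source addresses never legitimately arrive on eth0.
    $IPT -A INPUT -i "$ext_if" -s "$lan" -j DROP
    $IPT -A FORWARD -i "$ext_if" -s "$lan" -j DROP

    # The LAN may open connections to the firewall itself and out to the world.
    $IPT -A INPUT -i "$int_if" -s "$lan" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$int_if" -o "$ext_if" -s "$lan" -m state --state NEW -j ACCEPT

    # Hide the LAN behind the firewall's eth0 address. Because the 678 also
    # NATs, this is double NAT; drop this rule if the router is set to route.
    $IPT -t nat -A POSTROUTING -o "$ext_if" -s "$lan" -j MASQUERADE

    # Port forward: TCP/22 arriving on eth0 is rewritten to the internal host,
    # then explicitly allowed through FORWARD. The router's own NAT must already
    # map its external port 22 to the firewall's eth0 address for this to be hit.
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 22 \
        -j DNAT --to-destination "$ssh_host":22
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$ssh_host" --dport 22 \
        -m state --state NEW -j ACCEPT
}

firewall_rules eth0 eth1 192.168.1.0/24 192.168.1.10
```

The order matters on a 2.4 box: the policies are set to DROP before any ACCEPT rule is appended, so nothing leaks during the reload, and the anti-spoofing DROPs sit ahead of the LAN ACCEPTs so a packet with a 192.168.1.x source on eth0 can never match them. Everything not matched, including unsolicited inbound traffic the router happens to pass through, falls to the DROP policy.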