ADSL Router+firewall

 
 
Peter Tselios

 
      11-06-2003, 07:57 AM
Hallo,

I have to add a firewall. Probably I will not buy a dedicated firewall, but
I will use a Linux box instead. Now here is my current situation:
5 PCs in a LAN. (192.168.0.0/16)
1 ADSL Modem/Router (192.168.0.1, DHCP Server, default gateway for the pcs).
Mixed OSes (3 Windows XP Home, 1 XP Pro, 1 Suse Linux).
Now, I want to add the firewall without any kind of changes at the current
use of ADSL Modem.

My thought was to have a Linux box with Squid, Bind, Apache, qmail etc. and
to configure it as the default gateway of 192.168.0 network (internal net)
and use a second NIC 192.168.1 for the connection with the Router.
Now the questions:
Using 2 NICs I have to bridge them, don't I? Or can I just use a mask?
Is it possible to keep the router or do I have to use NAT at the Linux box?
Thank you in advance.
--
==============
Peter Tselios
 
Mattias Honrendgard

 
      11-06-2003, 03:31 PM
Peter Tselios <???@?????.??> wrote in message news:<bod2b1$2rhd$(E-Mail Removed)>...
> Hallo,
>
> I have to add a firewall. Probably I will not buy a dedicated firewall, but
> I will use a Linux box instead. Now here is my current situation:
> 5 PCs in a LAN. (192.168.0.0/16)
> 1 ADSL Modem/Router (192.168.0.1, DHCP Server, default gateway for the pcs).
> Mixed OSes (3 Windows XP Home, 1 XP Pro, 1 Suse Linux).
> Now, I want to add the firewall without any kind of changes at the current
> use of ADSL Modem.
>
> My thought was to have a Linux box with Squid, Bind, Apache, qmail etc. and
> to configure it as the default gateway of 192.168.0 network (internal net)
> and use a second NIC 192.168.1 for the connection with the Router.
> Now the questions:
> Using 2 NICs I have to bridge them, don't I? Or can I just use a mask?
> Is it possible to keep the router or do I have to use NAT at the Linux box?
> Thank you in advance.


Take a look at some of the HOWTOs here, they should help you with your setup:

http://www.tldp.org
 
 
David Efflandt

 
      11-07-2003, 01:05 AM
On Thu, 06 Nov 2003 10:57:18 +0200, Peter Tselios <???@?????.??> wrote:
> Hallo,
>
> I have to add a firewall. Probably I will not buy a dedicated firewall, but
> I will use a Linux box instead. Now here is my current situation:
> 5 PCs in a LAN. (192.168.0.0/16)
> 1 ADSL Modem/Router (192.168.0.1, DHCP Server, default gateway for the pcs).
> Mixed OSes (3 Windows XP Home, 1 XP Pro, 1 Suse Linux).
> Now, I want to add the firewall without any kind of changes at the current
> use of ADSL Modem.
>
> My thought was to have a Linux box with Squid, Bind, Apache, qmail etc. and
> to configure it as the default gateway of 192.168.0 network (internal net)
> and use a second NIC 192.168.1 for the connection with the Router.
> Now the questions:
> Using 2 NICs I have to bridge them, don't I? Or can I just use a mask?
> Is it possible to keep the router or do I have to use NAT at the Linux box?


You do not have to bridge. But your modem/router is not going to know
about the other subnet or how to route to it, so you either need to masq
your other boxes (which may be easiest and safest), or do something with
proxy_arp that would work similarly to bridging.

DHCP from the modem/router would definitely not work through Linux
masquerade, and I doubt if DHCP would work through proxy_arp either, since
to the DHCP server, all your other boxes would appear to come from the
same MAC. So if you wanted to do DHCP for your other boxes, your Linux
box would have to do dhcpd.

Proxy arp example:

eth0 192.168.0.2 netmask 255.255.255.255 broadcast (same as IP),
host route to 192.168.0.1, default gw 192.168.0.1

eth1 192.168.0.3 netmask 255.255.255.0

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
(likewise for /proc/sys/net/ipv4/ip_forward unless your network scripts
have some other way to enable that).

Boxes behind eth1 could use any IP 192.168.0.4-192.168.0.254 netmask
255.255.255.0 default gw 192.168.0.1

All need proper nameserver(s), which in my case, I run myself with
forward/reverse zones added for my LAN.
--
David Efflandt - All spam ignored http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/
 
Reply With Quote
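
The masquerade option from the post above, as an added example that is not part of any post in this thread. It generates an iptables-restore ruleset with default-deny INPUT and FORWARD policies; the interface names (eth0 toward the ADSL router, eth1 toward the LAN), the renumbered LAN subnet 192.168.1.0/24 and the function name masq_ruleset are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: eth0 faces the ADSL
# router, eth1 faces the LAN, and the LAN is renumbered to 192.168.1.0/24.

# Print an iptables-restore ruleset: NAT outbound LAN traffic, drop the rest.
masq_ruleset() {
    wan_if=$1 lan_if=$2 lan_net=$3
    # Refuse missing arguments or the same interface on both sides.
    if [ -z "$wan_if" ] || [ -z "$lan_if" ] || [ "$wan_if" = "$lan_if" ]; then
        echo "usage: masq_ruleset WAN_IF LAN_IF LAN_CIDR" >&2
        return 1
    fi
    # Loose CIDR shape check so a typo never reaches the ruleset.
    case $lan_net in
        *[!0-9./]*|*/*/*) echo "bad CIDR: $lan_net" >&2; return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "bad CIDR: $lan_net" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
# DHCP discover arrives from 0.0.0.0, so it needs its own rule.
-A INPUT -i $lan_if -p udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
COMMIT
EOF
}

# Print for review. To load: pipe into iptables-restore as root and
# enable /proc/sys/net/ipv4/ip_forward as described in the post above.
masq_ruleset eth0 eth1 192.168.1.0/24
```

Nothing arriving on the router-facing interface is accepted unless it belongs to a connection the LAN or the box itself opened, so the Squid, Bind and mail services stay reachable from the LAN only.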
 
General Schvantzkoph

 
      11-07-2003, 03:27 AM
On Thu, 06 Nov 2003 10:57:18 +0200, Peter Tselios wrote:

> Hallo,
>
> I have to add a firewall. Probably I will not buy a dedicated firewall,
> but I will use a Linux box instead. Now here is my current situation: 5
> PCs in a LAN. (192.168.0.0/16)
> 1 ADSL Modem/Router (192.168.0.1, DHCP Server, default gateway for the
> pcs). Mixed OSes (3 Windows XP Home, 1 XP Pro, 1 Suse Linux). Now, I
> want to add the firewall without any kind of changes at the current use
> of ADSL Modem.
>
> My thought was to have a Linux box with Squid, Bind, Apache, qmail etc.
> and to configure it as the default gateway of 192.168.0 network
> (internal net) and use a second NIC 192.168.1 for the connection with
> the Router. Now the questions:
> Using 2 NICs I have to bridge them, don't I? Or can I just use a mask?
> Is it possible to keep the router or do I have to use NAT at the Linux box?
> Thank you in advance.


Is there any particular reason that you don't want to use a hardware
router? They are cheap, effective, consume almost no power, easy to
administer and you don't have to waste a whole computer on a function that
can be accomplished with a much cheaper device.

If you are really paranoid you could use two levels of firewalling, the
router as the first level and your Linux box as the second. Personally I
think that a router is enough.
 