firewall protection HELP

 
 
Latest News
      06-05-2006, 10:16 PM
To all,

I have a block of IPs from my ISP, and I would like to set up a few
servers at my house. The servers are WWW, FTP, and a game server, with
each using a public IP from my ISP. I want to protect them with a Linux
firewall but still maintain their public IPs. Also, my house has a few
computers using 192.168.*.* IPs. Is it possible to have a Linux box with
3 NICs to firewall the servers and route the 192.168.*.* network?

I read about proxy ARP but I don't know exactly how it works or how to set it up.

Any help? Thanks in advance

Latest
 
Allen Kistler
      06-06-2006, 02:40 AM
Latest News wrote:
> To all,
>
> I have a block of IPs from my ISP, and I would like to set up a few
> servers at my house. The servers are WWW, FTP, and a game server, with
> each using a public IP from my ISP. I want to protect them with a Linux
> firewall but still maintain their public IPs. Also, my house has a few
> computers using 192.168.*.* IPs. Is it possible to have a Linux box with
> 3 NICs to firewall the servers and route the 192.168.*.* network?
>
> I read about proxy ARP but I don't know exactly how it works or how to set it up.
>
> Any help? Thanks in advance


The arp_proxy sysctl setting (/proc/sys/net/ipv4/conf/...) is probably
what you found. That won't help you.

Try "ip neigh add proxy <address> dev <iface>" instead, where <address>
is one of the public addresses you have, but NOT the one actually
assigned to the external interface. <iface> is the external interface.

That way when the ISP arps for your <address>, your firewall responds
that it is that address (to the outside world), even though it isn't
really. But it knows the route to the box you're going to set up as
that virtual address.

Then use netfilter to forward the <address> destination to one of your
selected internal (192.168.x.x) addresses.

Alternatively, you can set up a different leg off your firewall so that
the public addresses are real addresses. But I think that gets uglier,
because you have to make sure the firewall can handle two different
subnets with overlapping addresses.

HTH
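The two steps in Allen Kistler's reply above (a proxy neighbour entry on the external interface, then a netfilter rule forwarding that public address to an internal one), as an added example that is not part of the thread or any poster's script. It only prints the commands for review and adds a default-drop FORWARD policy so that only the listed service reaches each server; the interface name, the 203.0.113.x and 192.168.1.x addresses, the ports, and the helper names `valid_ipv4`, `gen_mapping` and `gen_ruleset` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: PRINTS the commands for review, it does not run them.
# Interface names, addresses and ports are constructed placeholders.

valid_ipv4() (   # dotted quad, each octet 0-255 (subshell keeps IFS change local)
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
)

# gen_mapping WAN_IF WAN_OWN_IP PUBLIC_IP INTERNAL_IP PROTO PORT
gen_mapping() (
    wan_if=$1 wan_ip=$2 pub=$3 int=$4 proto=$5 port=$6
    case $wan_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; exit 2 ;; esac
    for a in "$wan_ip" "$pub" "$int"; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; exit 2; }
    done
    # The reply's caveat: never proxy the address the WAN interface itself owns.
    [ "$pub" != "$wan_ip" ] || { echo "$pub is the firewall's own IP" >&2; exit 3; }
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; exit 2 ;; esac
    case $port in ''|0*|*[!0-9]*|??????*) echo "bad port: $port" >&2; exit 2 ;; esac
    [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; exit 2; }
    # 1. answer ARP for the public address, 2. rewrite it, 3. allow only that service
    echo "ip neigh add proxy $pub dev $wan_if"
    echo "iptables -t nat -A PREROUTING -i $wan_if -d $pub -p $proto --dport $port -j DNAT --to-destination $int"
    echo "iptables -A FORWARD -i $wan_if -d $int -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
)

# gen_ruleset WAN_IF WAN_OWN_IP   (mappings on stdin: PUBLIC INTERNAL PROTO PORT)
# Prints nothing unless every mapping validates, so a partial rule set is never applied.
gen_ruleset() (
    rules=
    while read -r pub int proto port; do
        case $pub in ''|'#'*) continue ;; esac
        r=$(gen_mapping "$1" "$2" "$pub" "$int" "$proto" "$port") || exit $?
        rules="$rules$r
"
    done
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s' "$rules"
)

# Constructed sample: firewall owns 203.0.113.2 on eth0; two servers behind it.
gen_ruleset eth0 203.0.113.2 <<'EOF'
203.0.113.3 192.168.1.10 tcp 80
203.0.113.4 192.168.1.11 udp 27015
EOF
```
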
 
buck
      06-06-2006, 03:34 AM
On Mon, 05 Jun 2006 18:16:36 -0400, Latest News wrote:

>To all,
>
>I have a block of IPs from my ISP, and I would like to set up a few
>servers at my house. The servers are WWW, FTP, and a game server, with
>each using a public IP from my ISP. I want to protect them with a Linux
>firewall but still maintain their public IPs. Also, my house has a few
>computers using 192.168.*.* IPs. Is it possible to have a Linux box with
>3 NICs to firewall the servers and route the 192.168.*.* network?
>
>I read about proxy ARP but I don't know exactly how it works or how to set it up.


I hear that. The documentation STINKS.

>Any help? Thanks in advance
>
>Latest


Your question does not describe the topology of what you envision, so
this may not be appropriate. At work we installed a computer with 2
NICs. One faces the internet ("WAN") and the other faces the LAN.
The WAN interface uses proxyARP to listen to all of the assigned IPs
and a firewall determines who gets what. This firewall is augmented
by another firewall on each machine on the LAN.

If you want to "see" the firewall,
ftp://yesican.chsoft.biz/pub/lartc/firewall.sh

Also, http://yesican.chsoft.biz/lartc/index.html
(at the top of the page under EXAMPLES) may help.

http://yesican.chsoft.biz/lartc/rc_proxyarp.txt
is the NIC config script.

http://yesican.chsoft.biz/lartc/proxy-arp.sh and
http://yesican.chsoft.biz/lartc/proxy-arp.conf
do the proxyARP. I set it up this way because using /proc caused the
WAN to ARP reply IS-AT for inappropriate traffic.

Since then, a third interface with a 192.168 IP was added because that
speeds up LAN to LAN traffic, but the FTP site and the web page don't
document that.
--
buck