Route Additional Networks Through the Firewall


Consider the following scenario: You manage an internetwork that consists of the following local networks:

    192.168.1.0
    192.168.2.0
    192.168.3.0

You have only one connection into the Internet, which resides at the 192.168.1.0 network. The internal IP address of this firewall is 192.168.1.254. You have routers at each site, connecting them together into an internetwork, at the following addresses: 192.168.1.253, 192.168.2.253, 192.168.3.253. Thus, we have the following design:

You would like to give the workstations at each site access to the Internet, without having to establish separate Internet connections and firewalls at each site.

This section describes the configuration on the firewall at 192.168.1.254 to accomplish this. Note, however, that there is more involved than just following these steps: a configuration setting will also be required on the router at 192.168.1.253. Configuring the router is beyond the scope of this document; however, I will offer this as a starting point: I have established a static route at this router pointing to the firewall, for all packets that could not otherwise be routed (i.e., to 192.168.2.0 or 192.168.3.0). My workstations (at all sites) all point to their local router (192.168.x.253) as the default gateway, and, since I do DNS caching on the firewall, they all point to the firewall for DNS services. With that said, let's assume you have created that static route, and begin configuring the firewall to do the rest.

1

If you have not already set up Seattle Firewall, you will need to do so now. See Seattle Firewall Basic Configuration for details on how to do this.

2

Ensure you are at the lrcfg main menu.

3

Type [1], [Enter] to go into the Network Configuration menu, then [1], [Enter] to edit the /etc/network.conf file.

4

Scroll down to the line in the Interface activation/deactivation section that reads:
    # Do universal interface config items here
If you look just above this line, you will see a line with only the word "esac" on it.

5

Between the "esac" line, and the 'Do universal' line, insert the following lines:

    #Begin multiple networks configuration
    ip route add 192.168.2.0/24 dev eth1 via 192.168.1.253
    ip route add 192.168.3.0/24 dev eth1 via 192.168.1.253
    #End multiple networks configuration

The first IP address in each line is the network address of a remote network which will be routed through your firewall. The /24 is the mask number which represents the subnet mask for each of those networks. The "eth1" is the interface on the firewall which is routing packets across your private intranet, or rather, your internal interface. The last IP address in each line is the local router which will forward the packets to the appropriate remote network.

6

Press [Alt]-[w] then [Enter] to save this file.

7

Press [Alt]-[q] to exit back to the lrcfg menu.

8

Type [q] [Enter], then [q] [Enter] again to return to the lrcfg main menu.

9

Select option 3) Package settings, then press [Enter].

10

Type the number next to seawall, then press [Enter].

11

Select option 1) Config, then press [Enter].

12

Scroll down to the localnets variable (in section 3).

Note: If you're running seawall 3.2.x, this variable will be called "networks".

13

Add the network address, followed by a slash (/) and the mask number, for each remote network you wish to route through the firewall. Each address/mask set should be separated by a space. In the scenario above, this would look like:

    localnets="192.168.2.0/24 192.168.3.0/24"

14

Press [Alt]-[w] then [Enter] to save this file.

15

Press [Alt]-[q] to exit back to the lrcfg menu.

16

Type [q] [Enter], then [q] [Enter] again to return to the lrcfg main menu.

17

Back up the firewall now.
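The static routes in step 5 and the localnets line in step 13 list the same networks, and the firewall only behaves as intended when the two agree. The script below is an added example (it is not part of this document or of the Seattle Firewall package) that produces both fragments from one list of networks, rejects malformed entries, and checks the kernel routing table afterwards; the interface name and router address are the ones from the scenario above.

```shell
#!/bin/sh
# Added example, not part of the original document: build the step 5 and
# step 13 fragments from one list of remote networks so they cannot drift
# apart. Interface and router address are from the page's scenario.

INTERNAL_IF="eth1"          # firewall's internal interface
SITE_ROUTER="192.168.1.253" # local router that reaches the remote sites

# Accept only dotted-quad network/mask, so a typo is never turned into a
# kernel route or into a network the firewall treats as trusted.
valid_net() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Lines for /etc/network.conf, between "esac" and the "Do universal" comment.
# Usage: route_lines 192.168.2.0/24 192.168.3.0/24
route_lines() {
    for net in "$@"; do
        valid_net "$net" || { echo "bad network: $net" >&2; return 1; }
    done
    echo "#Begin multiple networks configuration"
    for net in "$@"; do
        echo "ip route add $net dev $INTERNAL_IF via $SITE_ROUTER"
    done
    echo "#End multiple networks configuration"
}

# The matching localnets= line for the seawall config (section 3).
localnets_line() {
    for net in "$@"; do
        valid_net "$net" || { echo "bad network: $net" >&2; return 1; }
    done
    echo "localnets=\"$*\""
}

# After the firewall is back up, confirm each route is really in the kernel
# table and goes via the site router; anything else is reported as MISSING.
check_routes() {
    for net in "$@"; do
        if ip route show "$net" 2>/dev/null | grep -q "via $SITE_ROUTER"; then
            echo "$net OK"
        else
            echo "$net MISSING"
        fi
    done
}

route_lines 192.168.2.0/24 192.168.3.0/24
localnets_line 192.168.2.0/24 192.168.3.0/24
```

Run check_routes with the same network list on the firewall after the reboot in step 17; a MISSING line means the route never made it into /etc/network.conf or the interface name is wrong.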
