[H-GEN] Back to the invisible subnet
The memory remains
memory at techie.com
Fri Jul 25 12:59:03 EDT 1997
Hey there.
Now that I've done a bit more research, and have had a lot
explained to me by a prominent humbug member in person, I believe I can
refine my original invisible subnet question:
Ok. I have a class C subnet with real internet ips.
I need to firewall -some- of the subnet, but not all of it. i.e.,
I want a computer physically separating the two groups, and passing data
back and forth after checks to firewall rules. It would be nice if this
computer was "invisible" to my side of the subnet, while it is -essential-
that it be "invisible" to the other side of the subnet.
Here is a kinda rough diagram:
    internet                   eth0         eth1
    <-------x.x.x.1----------x.x.x.129-------x.x.x.130 etc...
               |                                |
            (outer)                          (inner)
            x.x.x.2 etc...
Where 129 is the machine I'm inserting. Of course, I made these
numbers up, but they resemble pretty closely the real thing. A note to
those thinking of trying to break in: Hopefully the true weebles have
been bored to tears by this point and won't try it. Those with a little
skill should realise that this network is far too trivial to attack to be
worth their bother.
Anyway, once a packet gets to the invisible firewall (x.x.x.129)
it's easy enough to use routing rules to deliver the packet safely, if it
doesn't break the firewall rules.
The trick is to make sure the packets are received. What would
be -really- cool is if I could coerce 129 to respond to ARP requests from
the outer net and destined for computers on the inner net with its own
hardware address. Conversely, it should respond to ARP requests from the
inner net with its own also.
In the meantime it can't allow its own ARP table to get
confused as to where the packets go.
Does anyone know if this is easy/possible with current software,
or whether kernel hacking is required? I'd rather not go to kernel
hacking since the only experience I have with it is a brief chatter with
ne.c, the ne2000 driver. All I did then was add a clause to an if
statement to ensure that it never detected a true ne2000 on port 0x320.
<grin> I even got that wrong the first time!
If anyone can help me it would be -much- appreciated. I'm
learning to swim quickly, but I'm still a fair league out of my depth.
The memory remains <memory at techie.com>
Web page at http://student.uq.edu.au/~s335810
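The proxy-ARP behaviour asked about in the post, as an added example that is not part of the original message: a decision routine for the filtering host that answers ARP only for hosts on the far wire, keeps its own forwarding decision keyed to where a host really lives, and relays only what the rules accept. It assumes the class C is 192.0.2.0/24 (a documentation range standing in for x.x.x.0/24), that the host is .129 with eth0 on the outer wire (.1 to .128, gateway at .1) and eth1 on the inner wire (.130 and up), and a constructed MAC address.

```python
import ipaddress

# Constructed addressing: 192.0.2.0/24 stands in for the post's x.x.x.0/24.
NET = ipaddress.ip_network("192.0.2.0/24")
FIREWALL_IP = NET[129]
FIREWALL_MAC = "02:00:00:00:01:29"  # constructed, locally administered

# Real hosts on each wire. The firewall's own .129 is in neither set.
WIRE = {
    "eth0": frozenset(NET[i] for i in range(1, 129)),    # outer: .1 to .128
    "eth1": frozenset(NET[i] for i in range(130, 255)),  # inner: .130 to .254
}

def proxy_arp_reply(ingress, target):
    """MAC to answer with for an ARP request for `target` seen on `ingress`,
    or None to stay silent. We claim only hosts on the *other* wire, so the
    asker hands us its frames without learning we exist. Hosts on the
    asker's own wire are left to answer themselves; claiming them would
    poison the asker's ARP cache with our address."""
    ip = ipaddress.ip_address(target)
    if ip == FIREWALL_IP:          # our own address: reply like any host
        return FIREWALL_MAC
    if ingress not in WIRE or ip in WIRE[ingress]:
        return None
    far = "eth1" if ingress == "eth0" else "eth0"
    return FIREWALL_MAC if ip in WIRE[far] else None

def egress_for(dst):
    """The firewall's own forwarding decision, keyed to where the host
    really lives rather than to who asked for it, so its own table is
    never confused by the ARP replies it hands out."""
    ip = ipaddress.ip_address(dst)
    for name, hosts in WIRE.items():
        if ip in hosts:
            return name
    return None

def forward(ingress, src, dst, rules):
    """Egress interface for a packet that crossed the firewall, or None to
    drop it. `rules` is a list of (src_net, dst_net, action), first match
    wins, default drop; packets that do not cross wires are not relayed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = egress_for(dst)
    if out is None or out == ingress:
        return None
    for src_net, dst_net, action in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return out if action == "accept" else None
    return None
```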
----------------------- HUMBUG General List --------------------------------