Linux Know-How provides a collection of introductory texts on often needed Linux skills.
Configuring the Network Addresses

Now we arrive at the fun part of our setup. I'm not going to go deep into how to set up a LAN. Read the Networking-HOWTO to solve your problems here. Your goal is to provide two network connections to your filtering firewall system: one on the Internet (unsecured side) and one on the LAN (secure side). Anyway, you have a few decisions to make.
Since you don't want the Internet to have access to your private network, you don't need to use "real addresses". You could just make up addresses for your private LAN, but this is not recommended. If data gets routed out of your LAN, it might end up at another system's port. There are a number of Internet address ranges set aside for private networks. Of these, 192.168.1.xxx is set aside and we will use it in our examples. You will need to use IP masquerading to make this happen. With this process the firewall will forward packets and translate them to a "REAL" IP address to travel on the Internet. Using these non-routable IP addresses makes your network more secure. Internet routers will not pass packets with these addresses. You may want to read the IP Masquerading HOWTO at this point.
           24.94.1.123  __________  192.168.1.1
     _/\__/\_         \ |          | /           _______________
    |        |         \| Firewall |/           |               |
   / Internet \---------|  System  |------------| Workstation/s |
   \_  _  _  _/         |__________|            |_______________|
     \/ \/ \/

You must have a "real" IP address to assign to your Internet network card. This address can be permanently assigned to you (a static IP address) or it can be assigned at network connect time by the PPP process.

You assign your inside IP numbers, like 192.168.1.1 to the LAN card. This will be your gateway IP address. You can assign all the other machines in the protected network (LAN) a number in the 192.168.1.xxx range (192.168.1.2 through 192.168.1.254).

I use RedHat Linux. To configure the network at boot time I added an ifcfg-eth1 file in the /etc/sysconfig/network-scripts directory. You may also find an ifcfg-ppp0 or ifcfg-tr0 in this directory. These 'ifcfg-' files are used by RedHat to configure and enable your network devices at boot time. They are named after the connection type.

Here is the ifcfg-eth1 (second Ethernet card) for our example:
    DEVICE=eth1
    IPADDR=192.168.1.1
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    BROADCAST=192.168.1.255
    GATEWAY=24.94.1.123
    ONBOOT=yes

If you are going to use a dialup connection you will need to look at the ifcfg-ppp0 and the chat-ppp0 files. These control your PPP connection. This ifcfg file might look like:
    DEVICE="ppp0"
    ONBOOT="yes"
    USERCTL="no"
    MODEMPORT="/dev/modem"
    LINESPEED="115200"
    PERSIST="yes"
    DEFABORT="yes"
    DEBUG="yes"
    INITSTRING="ATZ"
    DEFROUTE="yes"
    HARDFLOWCTL="yes"
    ESCAPECHARS="no"
    PPPOPTIONS=""
    PAPNAME="LoginID"
    REMIP=""
    NETMASK=""
    IPADDR=""
    MRU=""
    MTU=""
    DISCONNECTTIMEOUT=""
    RETRYTIMEOUT="5"
    BOOTPROTO="none"
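A quick way to check a LAN-side ifcfg file before bringing the firewall up, as an added example that is not part of the original HOWTO: it parses the KEY=value lines, confirms that IPADDR falls in one of the private ranges, and confirms that NETWORK and BROADCAST agree with IPADDR and NETMASK. The function names and the second sample file are assumptions made for illustration.

```python
import ipaddress
import shlex

# RFC 1918 ranges set aside for private networks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ifcfg(text):
    """Parse KEY=value lines (values may be shell-quoted) into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        parts = shlex.split(raw)  # strips quotes; [] when the value is empty
        settings[key.strip()] = parts[0] if parts else ""
    return settings

def check_lan_ifcfg(text):
    """Return a list of problems found in a LAN-side ifcfg file."""
    cfg = parse_ifcfg(text)
    try:
        iface = ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
    except (KeyError, ValueError) as exc:
        return [f"IPADDR/NETMASK missing or invalid: {exc}"]
    net, problems = iface.network, []
    if not any(iface.ip in r for r in RFC1918):
        problems.append(f"IPADDR {iface.ip} is not in an RFC 1918 private range")
    if cfg.get("NETWORK") and cfg["NETWORK"] != str(net.network_address):
        problems.append(f"NETWORK should be {net.network_address}")
    if cfg.get("BROADCAST") and cfg["BROADCAST"] != str(net.broadcast_address):
        problems.append(f"BROADCAST should be {net.broadcast_address}")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("IPADDR is the network or broadcast address")
    return problems

# The page's ifcfg-eth1, then a constructed variant with made-up addressing
# (203.0.113.0/24 is a documentation range, used here as sample data).
PAGE_ETH1 = ("DEVICE=eth1\nIPADDR=192.168.1.1\nNETMASK=255.255.255.0\n"
             "NETWORK=192.168.1.0\nBROADCAST=192.168.1.255\n"
             "GATEWAY=24.94.1.123\nONBOOT=yes\n")
BAD_ETH1 = ("DEVICE=eth1\nIPADDR=203.0.113.5\nNETMASK=255.255.255.0\n"
            "NETWORK=203.0.113.0\nBROADCAST=203.0.113.254\nONBOOT=yes\n")

if __name__ == "__main__":
    for name, text in (("page", PAGE_ETH1), ("constructed", BAD_ETH1)):
        print(name, check_lan_ifcfg(text) or "ok")
```

The check only makes sense for the inside (LAN) interface; the Internet-side card is expected to carry a routable address.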