Here I show an example installation where the Linux box is the firewall and
dial-up server on ppp0 and also routes between two local
Ethernet networks connected to eth0 and eth1.
The rc.firewall script can handle this configuration if the variables
are set up correctly in /etc/rc.firewall.var (see
Configuring /etc/rc.firewall.var).
The IP addresses used internally are taken from the private range 192.168.x.x
(RFC 1918; these addresses are never routed on the Internet, which is why the
masquerading described below is needed). 192.168.1.x/255.255.255.0 is used for
segment 1, connected to the Linux box on eth0, and 192.168.2.x/255.255.255.0
for segment 2 on the interface eth1.
The addresses used on the Linux box itself are 192.168.1.1 on eth0
and 192.168.2.1 on eth1.
The PCs and any other IP devices on the segments, e.g. a standalone print server, are numbered 192.168.1.2 to .254 and 192.168.2.2 to .254 respectively.
On startup of the Linux box the /etc/rc.d/rc.firewall script is called
from /etc/rc.d/rc.local to restrict all outgoing requests over
sl0, the snoop device. There is no need to restrict
ppp0 at boot time because there is no connection yet; diald will
change the rules for us when the line comes up.
The connection to the ISP is made via ppp0 (or ippp0 if using
ISDN). The ISP may assign the IP address for ppp0 dynamically during the
PPP negotiation; that address then represents the whole internal network on the
Internet through IP masquerading. Because the address is not known in advance,
diald is used to install the required firewall rules once the official IP
address has been received via PPP. This is what the option
addroute /etc/rc.d/rc.firewall.diald.add in /etc/diald.conf is for.
Once the PPP connection is up and the proper firewall rules are installed, every configured service (www, ftp, email etc.) can be used from the inside towards the Internet. Be very restrictive about allowing any service from the Internet into your internal network: every service you open from the outside is one more potential entry point for an attacker.
If the connection times out because there is no more traffic from or to the
Internet, diald brings the line down. As stated above, diald uses sl0
as the so-called snoop device to discover which packets are allowed
to open the connection, so the firewall rules have to be switched back from
ppp0 to sl0. This is done in /etc/diald.conf with
the delroute /etc/rc.firewall.diald.del option.
                         /----------\
                         |          |
                         | Internet |
                         |          |
                         \----------/
                              :
                              :
                           /-----\
                           | ISP |
                           \-----/
                              :
                              : PPP (modem or ISDN)
                              :
                         +----------+
                         | (i)ppp0  |
                     eth0|          |eth1
    +--------------------|  Linux-  |--------------------+
    |                  .1| Firewall |.1                  |
    |                    |          |                    |
    |                    +----------+                    |
    |                                                    |
    |  192.168.1.x                          192.168.2.x  |
    |------------------|              |------------------|
    |                  |              |                  |
    |.2                |.3            |.2                |.3
 +------+           +------+       +------+           +------+
 | PC11 |           | PC12 |  ...  | PC21 |           | PC22 |  ...
 +------+           +------+       +------+           +------+
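As an added example (not the HOWTO's own rc.firewall scripts), the following single hook script does the job of both rc.firewall.diald.add and rc.firewall.diald.del described above: on "up" it moves the rules from sl0 to the ppp interface and masquerades both segments behind the address the ISP assigned, on "down" it points them back at sl0 so diald can snoop the next dial-triggering packet. The ipchains syntax, the masquerade reply port range 61000:65095 and the argument order diald passes to addroute/delroute scripts (interface, netmask, local address, remote address, metric) are assumptions for a 2.2-era kernel and diald; check them against your versions before use. Set DRYRUN=1 to print the rules instead of executing them.

```shell
#!/bin/sh
# Added example, not the HOWTO's script: one diald hook for both line up
# (addroute) and line down (delroute). Assumed /etc/diald.conf lines:
#   addroute /etc/rc.d/rc.firewall.diald up
#   delroute /etc/rc.d/rc.firewall.diald down
# diald is assumed to append "iface netmask local-ip remote-ip metric".

INT1_DEV=eth0; INT1_NET=192.168.1.0/24
INT2_DEV=eth1; INT2_NET=192.168.2.0/24
SNOOP_DEV=sl0                   # diald's snoop device
MASQ_PORTS=61000:65095          # assumed default masquerade port range

# rules_for MODE EXT_DEV LOCAL_IP
# Prints the ipchains commands for MODE "up" (line is up on EXT_DEV with
# LOCAL_IP assigned by the ISP) or "down" (traffic goes back to sl0).
rules_for() {
    mode=$1; dev=$2; localip=$3
    case $mode in
        up)   ext=$dev ;;
        down) ext=$SNOOP_DEV ;;
        *)    echo "usage: rules_for up|down EXT_DEV LOCAL_IP" >&2; return 1 ;;
    esac
    # Common part: flush everything, default-deny, trust only the two LAN
    # segments on their own interfaces (and loopback).
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i $INT1_DEV -s $INT1_NET -j ACCEPT
ipchains -A output -i $INT1_DEV -d $INT1_NET -j ACCEPT
ipchains -A input -i $INT2_DEV -s $INT2_NET -j ACCEPT
ipchains -A output -i $INT2_DEV -d $INT2_NET -j ACCEPT
EOF
    if [ "$mode" = up ]; then
        # Line up: private source addresses can never legitimately arrive
        # from the ISP, so log and drop them (anti-spoofing). Let only
        # masquerade replies and ICMP reach our dynamic address, log and
        # deny everything else from outside, and masquerade both segments.
        cat <<EOF
ipchains -A input -i $ext -s 192.168.0.0/16 -j DENY -l
ipchains -A input -i $ext -s 10.0.0.0/8 -j DENY -l
ipchains -A input -i $ext -s 172.16.0.0/12 -j DENY -l
ipchains -A input -i $ext -p tcp -d $localip $MASQ_PORTS -j ACCEPT
ipchains -A input -i $ext -p udp -d $localip $MASQ_PORTS -j ACCEPT
ipchains -A input -i $ext -p icmp -d $localip -j ACCEPT
ipchains -A input -i $ext -j DENY -l
ipchains -A output -i $ext -s $localip -j ACCEPT
ipchains -A forward -i $ext -s $INT1_NET -j MASQ
ipchains -A forward -i $ext -s $INT2_NET -j MASQ
EOF
    else
        # Line down: the default route points at sl0 again. Forward the two
        # segments there so diald sees the packet that should trigger a
        # dial; nothing is masqueraded and nothing is accepted inbound.
        cat <<EOF
ipchains -A forward -i $ext -s $INT1_NET -j ACCEPT
ipchains -A forward -i $ext -s $INT2_NET -j ACCEPT
EOF
    fi
}

# apply_rules MODE EXT_DEV LOCAL_IP: execute the generated commands, or
# just print them when DRYRUN is set (useful for checking a rule set).
apply_rules() {
    if [ -n "$DRYRUN" ]; then
        rules_for "$@"
    else
        rules_for "$@" | sh -e
    fi
}

# diald invocation: "$0 up|down iface netmask local-ip remote-ip metric"
if [ $# -gt 0 ]; then
    apply_rules "$1" "$2" "$4"
fi
```

The services the HOWTO enables in rc.firewall.var (www, ftp, email) would be added as further ACCEPT rules on top of this; the example deliberately lets nothing in from the ppp side except masquerade replies and ICMP, so connections initiated from the Internet, and also replies to traffic originating on the firewall box itself, are logged and denied. ipchains is stateless, which is why the reply port range stands in for connection tracking here.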