[mdlug] Fire Wall rule

Robert Meier list1c30fe42 at bellsouth.net
Tue Apr 29 22:51:04 EDT 2008 

David,

Thanks for the detail and clear graphics.

> Internet 
> |
> |
> LinkSys Wireless Router (Home & WireLess Clients (192.168.1.X))
> |
> |
> HomeOffice FireWall/Router --- (DMZ) Webserver (10.26.26.99)
> |
> |
> Private Home Office Subnet (10.26.10.X)

> We have a Linksys Wireless router[.]
> It is connected to Wow Internet Services.
> The MAC address is set and we have a static IP Address.
> For The [Internal zone] the IpAddress is 192.168.1.10 [.]
> [T]he rule to forward to the web server is working
> so when I hit 192.168.1.10:80 it [forwards] to 10.26.26.99.
> With the simple port forwarding from the linksys that should be fine.  

> I can put a host in the 192.168.1.X and see the web server.
> [However] I [can't] see the web server from the home office
> internal (10.26.10.X).
> I can ping targets from the fire wall in each net.
> Each net has it's own hub and the mask is 255.255.255.0.

Suspected problem:
Linksys assumes a simple network layout (BCP5).
You are not using a BCP5 network layout.

So far as the hosts are concerned,
the "Webserver" is on a different network (10.26.26/24) than
the "Home Office Subnet" (10.26.10/24).
The Linksys router is on the 192.168.1/24 network,
and so can talk to other hosts on 192.168.1/24 network.
The Linksys router will also forward (relay between networks)
some (e.g. port 80) signals from 192.168.1/24 to 10.26.26.99 .

See Details below.



Likely solution:
See Details below before attempting.

1. Change masks in each 10.X.X.X host to 255.0.0.0 .
2. Change gateway in each 10.X.X.X host to 10.0.0.1 .
3. Change Linksys [Internal zone] IpAddress to 10.0.0.1 .

Internet 
|
|
LinkSys Wireless Router (Home & WireLess Clients (10.0.0.1/8))
|
|
HomeOffice FireWall/Router --- (DMZ) Webserver (10.26.26/8)
|
|
Private Home Office Subnet (10.26.10/8)



Detail:
The IP (Internet Protocol), also known as RFC791 and STD5,
identifies each host with an internet address or 32 bits (64 bits for IPv6),
which is divided into an network address (higher bits),
and a host address (lower bits).
The netmask expresses the dividing line between the network address bits
(1's) and the host address bits (0's)
By convention the 32 bits (binary) are broken into 4 octets and represented
in decimal separated by periods (dotted decimal).

web server address (dotted decimal):    10.26.26.99
                   (binary): 0000 1010  0001 1010  0001 1010  0110 0011

current web server netmask (dotted decimal):   255.255.255.0
                   (binary): 1111 1111  1111 1111  1111 1111  0000 0000

current web server network address
                   (binary)  0000 1010  0001 1010  0001 1010  0000 0000
                   (dotted decimal):    10.26.26.0
current web server host address
                   (binary): 0000 0000  0000 0000  0000 0000  0110 0011
                   (dotted decimal):                          99

Nominal configuration of the network software (ip stack) uses a list
of entries with 4 nominal values each.
   network-address gateway-address network-mask network-interface
The network-address, gateway-address, and network-mask are 32 bits
(64 bits for IPv6), and the network-interface identifies the driver
(e.g. eth0, lo, ...) to be used.

To nominally route a packet (outgoing network signal)
to a destination-address:
   1. Start at top of list.
   2. Does network-address == destination-address AND network-mask ?
   3. if no, go to next list entry and repeat step 2.
   4. If yes, send packet to gateway-address via network-interface.
    
See routes(5) for details.



Hosts can send packets directly to other hosts on the same network.
Hosts cannot send packets directly to hosts on other networks.
Hosts can sent packets to a gateway for forwarding (relay) to hosts
on other networks.



In most cases, network address sizes are 8, 16, or 24 bits,
respectively known as class A, B, and C networks.
The "INTER NET" protocol communicates between these networks.

By convention, a network address and network mask are often combined
as a dotted decimal network address followed by a slash and the number
of 1's in the netmask (xxx/8, xxx.xxx/16, xxx.xxx.xxx/24
for class A, B, and C networks).

The IANA (Internet Assigned Number Authority)
or their delegate (http://www.iana.org/)
assigns the network addresses, and has reserved some addresses
for special use (See RFC1918 also known as BCP5).
   0.0.0.0/x            "This host on this network.
                         Can only be used as a source address ..."
   127/8                "Internal host loopback address.
                         Should never appear outside a host."
   10/8                 "The Internet Assigned Numbers Authority (IANA)
   172.16/12             has reserved the following three blocks of the
   192.168/16            IP address space for private internets:"

Additionally,
a host address of all 0's indicates this computer,
a host address of all 1's indicates a broadcast to all hosts
on the same network, and
the default gateway host address is 0.0.0.1 .

By convention (RFC1700 historic)
   0/1                  class A networks
   128/2                class B networks
   192/3                class C networks
and therefore
   10/8                 1 class A private networks
   172.16/16 - 172.31/16    16 class B private networks
   192.168.0/24 - 192.168.255/24   256 class C private networks



Linksys and other standard hardware usually supports 10/8
and 192.168.settable/24 as private network addresses.

For the hosts in your subnet (10.26.10/24) to directly connect
to hosts in your DMZ (10.26.26/24) they need to be on the same
network.
For the hosts in your subnet (10.26.10/24) to connect to
your Linksys router (192.168.1/24) they need to be on the same
network.

If you changed all your hosts (and Linksys router) to a private
network address of 10/8 you would be following BCP5 "best common
practice" and should save yourself a lot of headaches.

If you need different network addresses for your DMZ and internal
zone, you could change all your hosts to 192.168.dmz/24,
192.168.internalA/24, 192.168.internalB/24, 192.168.internalC/24,
... and add 192.168.dmz/24 as a network with
the same interface (e.g. eth0) on each of your internal hosts.
This would permit internal hosts to access the dmz hosts directly,
but block internalA hosts from direct access to internalB hosts.
Be warned that some older ethernet cards and many laptop
integrated network adapters will not support
simultaneous attachment to two network addresses
(due to hardware/cmos cached netaddress and netmask).
Likewise one price of Linksys configuration ease is
a web interface limit of one external network and host address,
and one internal network address.

Hopefully helpful
-- 
Bob

  "You are responsible, forever, for what you have tamed.
   You are responsible for your rose."
     -- Antoine de Saint-Exupery

More information about the mdlug mailing list