SUMMARY: Filtered IP forwarding

From: Dusan Baljevic (dusanb@syd.csa.com.au)
Date: Wed Aug 09 1995 - 07:36:15 CDT


Date: Wed, 2 Aug 1995 08:18:48 +1000
Reply-To: VK2COT <Dusan.Baljevic>
Followup-To: junk
Message-Id: <199508012218.AA20421@sde1.syd.csa.com.au>
To: @sde1.syd.csa.com.au:sun-managers@ra.mcs.anl.gov
Subject: ADVICE NEEDED: Filtered IP forwarding

Hello,

On 2 August 1995 I asked members of this mailing list for advice on the
following matter:

PROBLEM
-------
Here is what my site needs:
   
 Net 1 ------- SS1+ ---------- Net 2
               router

Nets 1 and 2 are internal subnets of Sun workstations and PCs and do not have
direct access to the Internet (so we do not have to worry about a real firewall
setup).

We want to allow SOME hosts (a known set) on Net 1 to access Net 2 and, in
the opposite direction, all hosts on Net 2 to access some hosts on Net 1.

SUMMARY (ABRIDGED RESPONSES)
----------------------------
From: Chris.Royle@elmail.co.uk (Chris Royle)

There is a 'lite' version of Firewall-1 which will only look after 50
internal hosts - if that's sufficient, then you could just buy
that. I'd suggest you get it from a checkpoint distributor rather than
Sun, though, since Sun appear to be well behind with their releases...

From: Yves Lepage <yves@CC.McGill.CA>

Check out this package, it will fit your needs and it is not overkill.

http://cheops.anu.edu.au/~avalon/ip-filter.html

From: anil@kuroda.com (Anil Bharvaney)

        This may be very simplistic, but if I make the assumption that
        the subset of hosts on Net1 consists of the same hosts that:
                a). are permitted access to Net2
                b). may be accessed from Net2,

        Then, how about:
                          -------
        Net 1 (a) ------- | SS1+|
                          | rtr |--------- Net 2
        Net 1 (b) ------- |_____|

        Where Net 1 (a) is a new subnet that consists of hosts that have
        access to and can be accessed from Net 2. Net 1 (b) can be your
        existing net less those hosts that have access to Net 2.

        On the SS1+, routes can be statically defined where Net 1 (a) and Net
        1 (b) have routes defined between them. And Net 1(a) and Net2 have
        a route defined between themselves.

        If you want to be really "strict" about it, you could throw in multiple
        ethernet interfaces into the SS1+ rtr...

        I hope the thought has some merit for you..

From: jonj@inel.gov

I'm not familiar with your SS1+ router, but if I understand your dilemma,
you should be able to set an access list on the router.

Packets between net1 and net2 (in either direction) will only be forwarded
if you allow them.

I do this on Cisco and Network systems routers, but I haven't seen a SS1.

From: Eddie Fung <efung@cs.uq.oz.au>

We are doing something similar here. What I did was to turn off
IP Forwarding and install an ip filter. Our router is a Xyplex,
so the procedures would not be the same as your SS1.

As far as I know there are a few public domain ip filters. You
may want to install one on your SS1. If you don't feel happy to
use PD software... too bad! Maybe you can get one from Sun.

From: Tim Bradshaw <tfb@ed.ac.uk>

I can think of two ways:

        1. stop the router running routed, and install host routes by
           hand on it (`route add ...'): i.e. use static routing tables
           on the router.

        2. stop the router running routed and use gated instead, which
           can do very hairy things with routing, if I remember (it's
           been a couple of years since I looked at it).

From: rhmoyer@mmm.com (Robert H. Moyer 733-0208)

There may be a simpler solution to this but if you are looking for a
free packet filter there is one that I am aware of called Drawbridge (version
2.0 was just announced recently) available from Texas A&M University at
net.tamu.edu:/pub/security/TAMU. This runs on a PC so you would get an
inexpensive PC with two network cards and use it as the router instead of
your sparc.

For a free firewall solution check out the TIS Firewall Toolkit,
they have a web page for this at
http://www.tis.com/Home/NetworkSecurity/Firewalls/Firewalls.html.

From: Reto Lichtensteiger <rali@hri.com>

You're headed in the right direction tho' :-)

Disable packet forwarding and run "proxies" on the SS1 -- the proxy
listens on the relevant port (eg 23 for telnet, 513 for rlogin ...) and,
after confirming the user's identity, relays the packets on to the
destination system.

TIS has a publicly available version of their proxy package available
via FTP -- ftp://ftp.tis.com/
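Several of the replies above (the access-list, ip-filter and "turn off IP
forwarding and filter" suggestions) amount to the same thing: a default-deny
forwarding policy on the SS1+ that is keyed on source and destination subnet.
The following is an added illustration written for this summary, not code from
any of the respondents or from the packages they name. The 10.1.0.0/24 and
10.2.0.0/24 addresses and the two host sets are constructed; the `established`
flag models the TCP ACK-bit test that stateless filters of the period used to
let replies through without letting the other side open new connections, which
is the one detail the original question leaves implicit (the permitted Net 1
hosts must be able to receive answers from Net 2 without Net 2 gaining access
to them).

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for illustration only (addresses are not from the thread).
NET1 = ipaddress.ip_network("10.1.0.0/24")
NET2 = ipaddress.ip_network("10.2.0.0/24")

# Hypothetical set "a": the known Net 1 hosts allowed to open connections into Net 2.
NET1_CLIENTS = {ipaddress.ip_address(a) for a in ("10.1.0.10", "10.1.0.11")}
# Hypothetical set "b": the Net 1 hosts that every Net 2 host may reach.
NET1_SERVERS = {ipaddress.ip_address("10.1.0.20")}


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter on the router can see."""
    src: str
    dst: str
    proto: str = "tcp"
    # TCP ACK bit set, i.e. a segment of an already-open connection rather
    # than the initial SYN; the classic stateless "established" test.
    established: bool = False


def forward(pkt: Packet) -> bool:
    """Return True if the router should forward pkt, False to drop it (default deny)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    is_tcp_reply = pkt.proto == "tcp" and pkt.established

    # Rule 1: only the listed Net 1 hosts may originate traffic into Net 2.
    if src in NET1_CLIENTS and dst in NET2:
        return True
    # Rule 2: any Net 2 host may originate traffic to the exported Net 1 servers.
    if src in NET2 and dst in NET1_SERVERS:
        return True
    # Rule 3: replies to rule-1 connections flow Net 2 -> client, but only for
    # established TCP, so Net 2 cannot use this rule to open new connections.
    if src in NET2 and dst in NET1_CLIENTS and is_tcp_reply:
        return True
    # Rule 4: the exported servers answer Net 2, again only on established TCP.
    if src in NET1_SERVERS and dst in NET2 and is_tcp_reply:
        return True
    # Everything else crossing the router, including all UDP, is dropped.
    return False


def filter_trace(packets):
    """Apply the policy to a list of packets and return the per-packet verdicts."""
    return [("FORWARD" if forward(p) else "DROP", p.src, p.dst) for p in packets]


# Constructed sample traffic crossing the router.
SAMPLE = [
    Packet("10.1.0.10", "10.2.0.5"),                    # permitted client -> Net 2
    Packet("10.2.0.5", "10.1.0.10", established=True),  # its reply
    Packet("10.1.0.99", "10.2.0.5"),                    # unlisted Net 1 host
    Packet("10.2.0.5", "10.1.0.20"),                    # Net 2 -> exported server
    Packet("10.1.0.20", "10.2.0.5", established=True),  # the server's reply
    Packet("10.1.0.20", "10.2.0.5"),                    # server trying to originate
    Packet("10.2.0.5", "10.1.0.10"),                    # Net 2 opening to a client
    Packet("10.2.0.5", "10.1.0.10", proto="udp"),       # UDP has no ACK bit
]

if __name__ == "__main__":
    for verdict, src, dst in filter_trace(SAMPLE):
        print(f"{verdict:8} {src} -> {dst}")
```

Rules 3 and 4 are what turn the two one-line requirements of the PROBLEM
section into a workable policy: without them a stateless filter would pass the
outgoing SYN and then drop every answer. The ACK-bit test is only a heuristic
(any segment with ACK set matches, whether or not a connection exists), which
is why a filter that tracks connection state, or the proxy approach in the last
reply, is preferable where it is available.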

ACKNOWLEDGEMENTS
----------------
Again, this mailing list has proved to be of great value. I thank the
following people for their efforts to help me:

   Chris.Royle@elmail.co.uk (Chris Royle)
   Yves Lepage <yves@CC.McGill.CA>
   anil@kuroda.com (Anil Bharvaney)
   jonj@inel.gov
   Eddie Fung <efung@cs.uq.oz.au>
   Tim Bradshaw <tfb@ed.ac.uk>
   rhmoyer@mmm.com (Robert H. Moyer 733-0208)
   Reto Lichtensteiger <rali@hri.com>

I am carefully checking each piece of advice and will implement one of them in
the near future.

I also hope that this little summary will be of benefit to somebody
else (apart from me :)).

Regards from Down-Under (it is a beautiful day in Sydney),

Dusan U. Baljevic, Senior Member of Technical Staff
Computer Sciences Corporation Australia
Systems Development Environment
460 Pacific Highway
St. Leonards, NSW 2065 Australia
Email: dusanb@syd.csa.com.au