firewall without router

My ISP (a small operation) uses a VLAN to connect all its subscribers into a non-firewalled, public IP network. So, if I connect my computers to the network through a switch, I can have public IPs to them all, and my ISP is OK with this as long as I keep the number small. I think there is an advantage to having the public IPs, but not having a firewall is a serious security risk, at least for my Windows machine. An obvious solution is to use a router and NAT for the machines I want behind a firewall and then to have a switch "in front of" the router so that I can have keep, say, my Linux machine on the open internet. But I'd also like to have some security for the machines I keep on the public side. So here is what I would really like to have: I'd like to set up a symmetric firewall (or perhaps some other kind) between my machines and the internet, and I would like to have a switched network, so that routing and DHCP is on my ISP's router. Does anyone have any ideas for the best way to do this? I've just started looking into LEAF (Linux Embedded Appliance Firewall). Could this be configured to do what I want?

Thanks,

Tom

Reply to
Tom V
Loading thread data ...

Why so? Your Windows machine must be seriously misconfigured.

Is there any need for explicitly having a switching firewall? If not, then you could simply use a routing firewall forwarding all traffic by default with spoofing the IP address.

Reply to
Sebastian Gottschalk

So, it comes down to your ISP providing a DHCP enabled connection that gives you a public IP, and you can do what you want with it.

Any firewall appliance can do what you want, and you don't want to put your servers outside the firewall, you want them inside/behind it.

Most real firewall solutions offer a LAN network and a DMZ network that are isolated by connection and can only share if you create rules to permit sharing of ports/Ip.

So, if you had a firewall appliance you could connect your LAN computers to the LAN network and your linux computers to the DMZ network and route traffic through the firewall to each of them - no reason to expose a computer directly to the ISP/Public.

Reply to
Leythos

Actually I'd rather suggest to put the publicly accessible machines into a separate network (a DMZ) behind the router as well, and make the router a 3-legged firewall. Depending on what services you need to be accessible on which machine that may not be feasible, though. For a more comprehensive suggestion you need to give more details about what services you need to be available, and what machines they'll be running on.

I haven't set this up myself, but you can probably achieve this by using a bridging firewall. However, as I said before, I'd usually recommend against something like this unless there are some really good reasons to have it.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.