netbsd-users: Re: two internet connections

Subject: Re: two internet connections
To: Thomas Michael Wanka <Tom@Wanka.at>
From: David Maxwell <david@vex.net>
List: netbsd-users
Date: 06/17/2001 02:59:51
On Sun, Jun 17, 2001 at 05:23:39AM +0200, Thomas Michael Wanka wrote:
> Hi,
> 
> I am looking for hints and suggestions to following situation:
> 
> A customer has two permanent internet connections, the first is a 
> cable modem with one fixed IP, a server attached to it with a 
> second network card to do nat for one workstation. The second is a 
> 2MBit SDSL line with 16 IPs and about 5 servers on it.
> 
> I wanted to have an internal connection to all these machines, so I 
> thought the best way is to hook the second interface of the single 
> server and the workstation and the 5 servers and the SDSL router 
> to the same switch and give the 5 servers a second IP from the 
> reserved range in the same subnet as the workstation and the 
> second interface of the single server. That way they could internally 
> reach each other without having to loosen the IP filter rules on the 
> single server and the SDSL router.
> 
> Anything I missed or should be aware of?

First, make sure that none of the machines that will have two IPs (one
public, from your SDSL block, one private from your NAT block) route (or
sourceroute) between the two networks.

Second, You cannot protect yourself from certain abuse by your SDSL
provider in this config - since the workstation must accept packets on a
single network card, if malicious external party 'A' can manage to send
some packets to your ethernet Mac, with the correct destination IP, you
will accept them. This should generally be possible only by someone on
the same ethernet segment though, or someone who can reconfigure a
server/router on your segment. This includes your SDL ISP in your config
- a risk you'll have to evaluate for yourself.

Third, you don't have a traditional firewall with this config - since
you have lots of machines out in the open, with nothing in front of them
- even if they're all NetBSD systems with good security capabilities,
you're giving yourself a lot more opportunities to make mistakes.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
Any sufficiently advanced Common Sense will seem like magic... 
					      - me