SUMMARY: Internet Gateway Config - Illegal IP Addresses

From: STSX - Rob Whitener (whitener@Esy.COM)
Date: Wed May 19 1993 - 20:52:02 CDT


I sent this out Friday, but never saw it come accross, so here it is again.

Original Question:

>
> Sun-Managers,
>
> How do you set up an Internet gateway, which hides an internal network of
> invalid IP addresses? It is also desireable for internal hosts to be mailable
> from the Internet.
>
> I've seen people list there entire network of invalid IP addresses in DNS.
> To me this doesn't seem to smart, but, I haven't heard of any problems.
>
> I would think that Another solution would be to not list internal hosts in
> DNS and configure Sendmail to look at the /etc/hosts file for local delivery.
> With this, you might want to put in a wildcard MX record so that internal
> hosts could be hit from the Internet.
>
> I'm sure that there are other solutions. Please let me know what ideas you
> might have, besides getting valid IP addresses for the internal hosts. That
> one is out of my control.
>
> Thanks in advance,
>
> Rob
>

Thanks to all who responded. The way that I'm attempting to proceed is your
normal DNS setup: a top level Name Server with sub-domains. The Internet
gateway(firewall) listing only the subdomain Name Servers and the sub-domain
Name Servers listing all the internal hosts. This minimizes the number of
Illegal IP numbers advertised to the Internet(the only ones being the sub-
domain Name Servers). Each of the sub-domain Name Servers will have MX
records pointing to the gateway.

Also, there is a mailing list called Firewalls. The first message below
tells how to get more info or subscribe(Thanks Manish Bhatia).

Here are the responses that I received:

>---------------------------------------------------------------------------<

>From brent@GreatCircle.COM Thu May 13 21:07:04 1993

# I was told that this is a mailing list for Internet Firewall administrators,
# is this true? Please send me some info.

You can get thumbnail descriptions of the two mailing lists by sending
a message containing the following in the body (not the subject line)
to Majordomo@GreatCircle.COM:
 
        info firewalls
        info firewalls-digest
 
You can subscribe to either list by then sending one of the following
to Majordomo@GreatCircle.COM:
 
        subscribe firewalls
    or subscribe firewalls-digest
 
-Brent (Manager of Firewalls and Firewalls-Digest)

--
Brent Chapman                                   Great Circle Associates
Brent@GreatCircle.COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041

>---------------------------------------------------------------------------<

From: john@oncology.uthscsa.edu (John Justin Hough)

Rob,

This is the way my network is setup. I'm a quasi-legal subnet off of a class B network.

All my mail is routed through the mail server who uses the mx version of sendmail to resolv external host names. All the mail clients use the subsidiary sendmail and a cf derived from sendmail.subsidiary.cf and have /var/spool/mail nfs mounted from the server. The "from:" lines are remap to just the domain.

The other thing you need on your gateway host is to run proxyarpd so your other hosts can get out on the internet.

Without proxyarpd, SunOS 4.1.3 really does not understand subnets so the external host will get packet with a workstations ip address and your gateways ether address and when the target asks whose ip is this your gateway won't do anything because its not him, that is once again without proxyarp. But, if you don't want them to get out - don't run proxyarp. The packets get sent but nothing comes back so your users will give up.

The last thing you have to do is assign names to the interfaces. So, in hostname.le0 have my systems hostname, and in hostname.le1 is the the fully-qualified name the external network know me by and in defaultdomain we have the name of my subdomain.

The last thing is routing. Routed is turned off everywhere. On the non-gateway host you put the default route as your gateway (In 4.1.3 just put the name in a file called /etc/defaultrouter otherwise modify the rc.local file), and on your gateway the defaultrouter is the gateway that is external to your network - the gateway to the internet.

Lets see. Oh you've got to adjust you netmasks so that the gateway can figure out what internal and external. Likewise on each non gateway host the netmask determines what packets they forward through your gateway and what they do not.

john

>---------------------------------------------------------------------------<

From: Mike Bauer <mikeba@sa-cgy.valmet.com>

Rob,

I'm about to embark on just such a setup for my own network. We have some sites WAN'd together, all with "invalid" IP addresses and I have come up with the following (rough) solution. I'd like to know if you get any other solutions, since I have not finalized my plans and will gladly incorporate any suggestions which improves my network.

Basically, put one machine on the invalid network and give it a valid, registered address. A router is set up to only allow IP traffic between the internet and the valid-address host. MX records will then point to the valid address. Sendmail on the valid address machine will be set up to forward to mailbox servers, etc. on the internal network. The downside is that my internal machines can not see the internet, so anyone who wishes to use the internet must rlogin to the valid machine, then go to the internet. Another down side is that my valid machine must have it's routing tables set up so that packets destined for the invalid network really go to the internal network, not out to the internet. This means that I can not see internet addresses corresponding to my invalid addresses.

Mike Bauer (mikeba@sa-cgy.valmet.com)

>---------------------------------------------------------------------------<

From: edb@scic.intel.com (Ed Bunch)

You might consider running two DNS servers. One for the outside world to look at and one for internal use. The server for Internet can even be configured to use the internal DNS server so that he can map all your host names. However you asked about having hosts SMTPable but not listed. The fact is you will have to list the host in DNS on the Internet if you want the Internet to be able to do anything with that host. Generally folks setup gatways that they list and keep secure.

Ed >---------------------------------------------------------------------------<

From: alynn@maxim.com (Andy Lynn (Teratec Systems, Inc.))

We do this using:

1) Sendmail-IDA (with it's HIDDENNET/HIDDENHOST options, and aliasing)

2) resolv+ extensions to bind.4.8.3 (to control the lookup behavior of gethostbyname()) 3) running INN for NetNews support (all internal hosts use NNTP news readers)

Our "firewall" system acts as the AlterNet gateway and the NetNews vendor; mail is passed to/from an internal net mail server. We use MorningStar's PPP to talk via V32.bis to AlterNet; very nice package which provides packet filtering options (so we can prohibit remote rlogin/telnet/ftp/etc.).

Typically the firewall is the only officially numbered host. But occasionally we bring up one of the internal workstations as an "official" address so we can do Gopher/WAIS/etc.

Oh, and I forgot my Mac at home (from which I type this to you), from which I run PPP or SLIP. It's "official" too...

Hope this gives you a starting point. Have fun!

...Andy Lynn

>---------------------------------------------------------------------------<

From: blu@jericho.mc.com (Brian Utterback)

We generally list our entire internal network. The reason we chose this method was primarily ease of use: We allow individual users to start TCP connections from within our network, and most of the fashionable FTP sites do a reverse look up on the IP address and get all snooty if you are not in the social (IP) register.

Since we have several DNS aware terminal servers this also automatically takes care of keeping these up to date. If we wanted to use DNS internally but keep the real addresses hidden we would have to run to parallel DNS systems.

If you are interested in the issues involved, you should probably get the firewalls mailing list archives. The ways and wherefores of this and many other important related issues have been debated rather vigorously there.

The archive is available by anon-ftp from ftp.greatcircle.com in file pub/archive/firewalls.

Brian Utterback blu@mc.com Manager Technical Networks Mercury Computer Systems, Inc. (508) 256-1300x168 199 Riverneck Road (508) 256-3599 FAX Chelmsford, MA 01824 Always mount a scratch monkey.

>---------------------------------------------------------------------------< From: manish@prentice.com (Manish Bhatia)

Rob, Could you please post the summary for the question you had asked ? Also, you might want to ask the same question to this mailing list - Firewalls-Digest@GreatCircle.COM Thanks. - Manish Bhatia. Systems Administrator _____________________________________________________________________________ Paramount Publishing Email : manish@prentice.com 270 Sylvan Avenue, Phone : (201)894-6735 Englewood Cliffs, NJ 07632 Fax : (201)894-6739

>---------------------------------------------------------------------------<

-- Robert Whitener Email: whitener@Esy.COM E-Systems, Garland Division Voice: (214) 205-8089 1200 S. Jupiter Road, Garland, Texas 75042 FAX: (214) 272-8144



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:07:52 CDT