
Conference noted::seal

Title:SEAL
Moderator:GALVIA::SMITH
Created:Mon Mar 21 1994
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:1989
Total number of notes:8209

1952.0. "Urgent help configuring AFWU with super-netting" by GNOMO::JOSEF (Jose Fernandez. ACT Spain) Mon May 12 1997 10:36

    
    Hi,
    
    My customer is CIEMAT, a Spanish company related to 
    CERN.
    
    I've been involved in this issue as someone knowledgeable
    about TCP/IP, but I know almost nothing about the AltaVista
    Firewall. The problem has to do with TCP/IP config
    in a Firewall scenario.
    
    The scenario previous to the Firewall installation
    is as follows:
    
                                      CERN ROUTER
                  130.206.207.2       130.206.107.1  +---------------+
    +------------+255.255.255.0       255.255.255.0 /                 \
    |            |-----------/---------------------+    CERN           +
    |ROUTER      |                                  \   NETWORK       /
    |            |                                   +---------------+
    +------------+                                     NETWORK 130.206
          | 130.206.40.5    130.206.11.5
          | 255.255.255.0   255.255.255.0
    0----+-+---------------------+----------------0
           |                     |     CIEMAT NETWORK
           |                     |     
     +------------+       +--------------+
     | VAX'S      |       | VAX'S        |
     | PC'S       |       | PC'S         |
     | OTHER      |       | OTHERS       |
     +------------+       +--------------+
     130.206.40.11        130.206.11.6
     255.255.0.0          255.255.0.0
    
    In this scenario, they are using "supernetting" 
    (addresses 130.206.40.x or 130.206.11.0 with mask 
    255.255.0.0 instead of 255.255.255.0) so that
    the systems within the CIEMAT NETWORK communicate directly,
    and they don't need to go thru the router to 
    connect from a PC to a VAX, etc. (BTW, this is only
    an example; they not only have networks 130.206.11
    and 130.206.40, but several more like these).
    On the other hand, they connect to the systems
    in the CERN (Network 130.206) thru the router using ARP PROXY.
     
    Two weeks ago, they were visited by a hacker
    and decided to install a firewall urgently. So, they
    called us and the firewall experts started to work.
    
    The scenario with the firewall is as follows:
    
                                      CERN ROUTER
                  130.206.207.2       130.206.107.1  +---------------+
    +------------+255.255.255.0       255.255.255.0 /                 \
    |            |-----------/---------------------+    CERN           +
    |ROUTER      |                                  \   NETWORK       /
    |            | 130.206.12.5                      +---------------+
    +------------+ 255.255.255.0                      NETWORK 130.206
          | 130.206.40.5    130.206.11.5               
          | 255.255.255.0   255.255.255.0
    0----+-+-------------------------------------0
                | 130.206.12.2       
                | 255.255.255.0       
         +------------+ 
         | ALPHA UNIX | 
         | ALTAVISTA  | 
         | FIREWALL   | 
         +------------+ INTERFACE ADDRESSES?
                |       INTERNAL ADDRESS(ES)??
                |       MASK(S)??
    0------+----+----------------+----------------0
           |                     |     CIEMAT NETWORK
           |                     |
     +------------+       +--------------+
     | VAX'S      |       | VAX'S        |
     | PC'S       |       | PC'S         |
     | OTHER      |       | OTHERS       |
     +------------+       +--------------+
     130.206.40.11        130.206.11.6
     255.255.0.0          255.255.0.0
    
    The problem arose when trying to configure a 
    scenario similar to the previous one to go from the CIEMAT
    NETWORK to the CERN Network, because the
    Firewall and the TCP/IP for Unix don't support the
    ARP PROXY feature (according to the firewall experts).
    
    After this issue, we have tried different configurations
    following the TCP/IP rules, and we have even 
    installed a router in the CIEMAT NETWORK, without 
    success. In all cases, some crazy things have
    happened in the Unix system with the firewall inside
    (routing tables that change without sense, etc.).
    
    The firewall experts maintain that the only solution
    is to change the mask of the systems within the
    CIEMAT NETWORK from 255.255.0.0 to 255.255.255.0,
    but this sounds strange to me. I know at least
    10 other customers using this kind of supernetting
    trick in their networks, and I don't think that they
    will have to change their networks when they install
    a firewall.
    
    I guess there are other networks in the world
    with a scenario similar to this, and there should
    be a typical configuration recommended for them.
    I mean, network addresses for the firewall Ethernet
    connected to the blue network, internal addresses,
    routes (if any), etc.
    
    Can you please help me with this firewall scenario?
    I can give you more details if needed.
    
    Thanks in advance,
    
    Jose Fernandez
    DTN 874-4415
    NSIS Spain
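Added example, not part of Jose's note or of the AltaVista Firewall product: a small Python model of how a host with a given mask picks its next hop, and whether its ARP request gets answered on the CIEMAT wire with a proxy-ARP router versus a gateway that cannot proxy ARP. The addresses come from the diagrams above; which hosts share the Ethernet is an assumption, and the gateway's own address is not needed by the model.

```python
import ipaddress

# Constructed model of the CIEMAT segment drawn above. Addresses are the ones
# in the diagrams; the set of hosts sharing the wire is an assumption.

def next_hop(host_ip, mask, dst_ip):
    """'direct' if the host considers dst on-link (it ARPs for dst itself),
    'gateway' if it hands the packet to its default router."""
    net = ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)
    return "direct" if ipaddress.ip_address(dst_ip) in net else "gateway"

def arp_resolves(host_ip, mask, dst_ip, wire, gw_proxy_arp):
    """Does the host's ARP request for its next hop get an answer?
    wire: addresses physically on the same Ethernet.
    gw_proxy_arp: whether the gateway answers ARP on behalf of remote hosts."""
    if next_hop(host_ip, mask, dst_ip) == "gateway":
        return True            # it ARPs for the router, which is on the wire
    if dst_ip in wire:
        return True            # a local VAX/PC answers for itself
    return gw_proxy_arp        # remote dst: only a proxy-ARP router answers

# Hosts on the CIEMAT Ethernet, taken from the first diagram (assumed set)
WIRE = {"130.206.40.11", "130.206.11.6", "130.206.40.5", "130.206.11.5"}
PC, VAX, CERN = "130.206.40.11", "130.206.11.6", "130.206.107.1"

def scenarios():
    """(CERN side reachable?, how the neighbouring VAX is reached) under the
    three configurations discussed in the note."""
    return {
        # before the firewall: /16 hosts plus a proxy-ARP router
        "router_proxy_arp": (arp_resolves(PC, "255.255.0.0", CERN, WIRE, True),
                             next_hop(PC, "255.255.0.0", VAX)),
        # firewall in place, which cannot proxy ARP: ARPs for CERN go unanswered
        "firewall_no_proxy": (arp_resolves(PC, "255.255.0.0", CERN, WIRE, False),
                              next_hop(PC, "255.255.0.0", VAX)),
        # the experts' fix: /24 masks send CERN traffic via the gateway, but
        # the VAX on the other /24 now goes via the gateway too
        "hosts_on_24": (arp_resolves(PC, "255.255.255.0", CERN, WIRE, False),
                        next_hop(PC, "255.255.255.0", VAX)),
    }

if __name__ == "__main__":
    for name, (cern_ok, vax_path) in scenarios().items():
        print(f"{name:18} CERN reachable={cern_ok!s:5} VAX via {vax_path}")
```

The third scenario shows the trade-off behind the experts' advice: with /24 masks the firewall no longer needs proxy ARP, but PC-to-VAX traffic between different /24s also passes through it.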
    
    
1952.1. by BIGUN::nessus.cao.dec.com::Mayne (A wretched hive of scum and villainy) Mon May 12 1997 19:37, 4 lines

Questions about supernetting and/or ARP proxies might be better asked in the 
UNIX conference (or maybe Internet Tools) if no one answers here.

PJDM