Burned by a firewall

By Joe Barr, LinuxWorld.com | Operating Systems

Saved by the bell. Or maybe that should be: failed by the bell. I had intended to write about the new firewall I started working on two weeks ago (see Resources for a link), but the deadline is here and I am still defenseless. There has to be an easier way than the paths I've been down. I've done tons of things wrong so far, but the real problem is that I don't seem to be able to figure out what I'm doing wrong now, and that keeps me from getting the firewall to work.

The goal seemed simple enough: install a firewall between my router and my LAN while preserving the ability to access my Web and mail servers, which would sit on the LAN protected by the firewall. I built a box. I stuck in two NICs. I grabbed the copy of Stormix Firewall that had been gathering dust, while uninvited guests began housekeeping on my server (see Resources for a link). Then I began a long journey, most often of the pattern "one step forward, two steps back." I have made some progress, but not enough to get me where I need to go. I sit here, my dweebs, munching on a slice of humble pie. Help me if you can.

Here is the topology:

                          ISP
                           |
                         Router
                     xxx.xxx.xxx.3
                           |
                          eth0
                     xxx.xxx.xxx.4
                        Firewall
                          eth1
                     xxx.xxx.xxx.7
                           |
                          Hub
           ---------------------------------
           |               |               |
     xxx.xxx.xxx.5   xxx.xxx.xxx.6   xxx.xxx.xxx.?
        Server        Workstation     Workstation

Installation of Storm Linux was problem-free except for one difficulty that I ran into last year: one of my NICs required an RTL8139 driver. Storm Linux, like Debian Potato when it first came out, recognized the card but didn't include the driver. Hey, no problem. I had been down this path before, so I simply downloaded newer drivers from the Stormix site and got the one I needed.

The very first thing I did wrong was forget the lesson I learned so many years ago about null modems. I can't remember all the times I've explained to newbies what happens when both ends of a direct connection are talking and listening on the same pins of a serial connection. A null modem reverses those connections and allows the pair to talk to each other as if a modem were in place. The folks on my local LUG mailing list enjoyed reminding me of that when I posted a plea for help. So I went shopping and got a CAT-5 crossover cable that would properly reverse the connections for the direct Ethernet connection between the router and the firewall.

I believed that would put an end to all of my problems. Little did I know what lay ahead. I was able to talk to the Ethernet from the firewall machine, but no matter how I tuned and configured things, I could not get to the Internet from the LAN, or vice versa. I kept returning to a troubling statement in the Storm Firewall User Guide: "You will not be able to bridge two networks together if they share the same range of internal addresses." I wondered if that applied to me, since the router and the computers were all part of the same network address space. All the example scenarios in the User Guide were based on using IP masquerading, meaning the machines on the LAN would be invisible to the outside world. A query to Stormix support went unanswered. I'm afraid the rumors about Stormix closing up shop have finally proved true.
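The User Guide's warning describes the layout in the diagram exactly: both firewall NICs, the router and the LAN hosts all sit in the same xxx.xxx.xxx.0/24, so the firewall has nothing to route between. The following is an added example, not code from the column or from Stormix. It models that layout with Python's ipaddress module, flags the overlapping subnets, and then emits a masquerade ruleset for the alternative layout the User Guide scenarios assume (LAN renumbered into a private range), with port forwards so the Web and mail servers stay reachable. Everything specific is an assumption: 203.0.113.0/24 stands in for the article's xxx.xxx.xxx.0/24, 192.168.7.0/24 is the constructed LAN range, TCP 80 and 25 are assumed for Web and mail, and the rules are modern iptables syntax rather than whatever Storm Firewall generated.

```python
"""Check a two-NIC firewall layout for overlapping subnets and emit a
masquerade + port-forward ruleset for a renumbered LAN.

Added example; not from the column or from Stormix. All addresses are
constructed: 203.0.113.0/24 (a documentation range) stands in for the
xxx.xxx.xxx.0/24 addresses in the article.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for the article's topology: both firewall NICs on the
# same /24 as the router (.3) and the LAN hosts (.5, .6).
AS_BUILT = {
    "eth0": "203.0.113.4/24",   # faces the router
    "eth1": "203.0.113.7/24",   # faces the hub / LAN
}

# Constructed alternative: the LAN is renumbered into a private range so the
# firewall has two distinct networks to route between.
RENUMBERED = {
    "eth0": "203.0.113.4/24",
    "eth1": "192.168.7.1/24",
}


def overlapping_interfaces(ifaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return pairs of interfaces whose directly connected subnets overlap.

    A router needs each connected network reachable through exactly one
    interface. Two interfaces on the same prefix give the kernel two routes
    for the same destinations, and only one of them is used, so hosts behind
    the other interface become unreachable.
    """
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in ifaces.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def masquerade_rules(wan_if: str, lan_if: str, lan_cidr: str,
                     forwards: Dict[int, str]) -> List[str]:
    """Build an iptables ruleset: masquerade LAN traffic leaving wan_if and
    DNAT selected inbound TCP ports to servers on the LAN.

    forwards maps a TCP port to the LAN address that should receive it.
    Rules are returned as strings and not applied; they assume iptables
    with the conntrack match, which is an assumption of this example.
    """
    lan = ipaddress.ip_network(lan_cidr)
    rules = [
        "iptables -P FORWARD DROP",
        f"iptables -t nat -A POSTROUTING -s {lan} -o {wan_if} -j MASQUERADE",
        # replies to connections the LAN opened
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} "
        f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {lan} -j ACCEPT",
    ]
    for port, target in sorted(forwards.items()):
        if ipaddress.ip_address(target) not in lan:
            raise ValueError(f"{target} is not inside {lan}")
        rules.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} -p tcp --dport {port} "
            f"-j DNAT --to-destination {target}:{port}"
        )
        # only the forwarded port is allowed to open new connections inbound
        rules.append(
            f"iptables -A FORWARD -i {wan_if} -o {lan_if} -p tcp -d {target} "
            f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    print("as built, overlapping:", overlapping_interfaces(AS_BUILT))
    print("renumbered, overlapping:", overlapping_interfaces(RENUMBERED))
    for rule in masquerade_rules("eth0", "eth1", "192.168.7.0/24",
                                 {80: "192.168.7.5", 25: "192.168.7.5"}):
        print(rule)
```

The check alone explains the symptom in the column: with the as-built addresses, `overlapping_interfaces` reports eth0 and eth1 on the same /24, and no amount of rule tuning fixes a routing table that cannot tell the two sides apart. Renumbering the LAN (or, where the addresses must stay, running the firewall as a transparent bridge, which is a different configuration than the routing setup shown here) is what turns the box into something that can forward packets.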
