Firewall Variations - Introduction and Index

Firewall variations fall broadly into two categories: "supported" and "unsupported". Unsupported configurations are presented (for those who have the necessary facility with Linux to configure them without step-by-step instructions) because they do not require NAT and therefore may be useful in certain situations.

Index to Supported Firewall Variations

Index to Unsupported NAT-free Variations

Unsupported means that:

  1. These configurations may not have received thorough testing.
  2. Generated rules (or other files) may need to be understood or manually edited.
  3. Some unusual requirements, restrictions, and configurations may be involved.
  4. Variation #2 may not work with Windows clients at all.
  5. Variation #3 works well with Windows clients but requires a moderate amount of extra configuration.
  6. Variation #3v is similar to Variation #3 but uses VTUN, which may be preferable to PPTP on Linux/Unix clients.

Index to Deprecated Firewall Variations

Supported Firewall Variations In Detail

Variation #e10: Add an Extra 10. Network for Masquerading NAT

Variation #ch10: Changing the Primary 10. Network

You do not need to do this to have multiple Logical Firewalls on the same subnet. The main reason to do this is to prevent the clients of two Logical Firewalls on the same physical network from being able to communicate with each other directly on the same default 10. network.

There is currently no explicit rule-generator variation to do this, however you can make a one line change to a copy of "gui-paste" to achieve the same result. (It will make a global substitution in the rule generator output as you do the gui-paste).

Here are the detailed steps you'd need to take:

  1. Choose a different 10. network. Please use one which begins with "10.0." (in this example it is "10.0.123").

  2. On the firewall run:
    	cp -p /usr/local/bin/gui-paste    /usr/local/bin/my-gui-paste
    	ln -s /usr/local/bin/my-gui-paste /usr/local/sbin/gui-paste
    	hash -r
    
    	echo local/bin/my-gui-paste >> /usr/local/bin/uw-restore.local
    	echo local/sbin/gui-paste   >> /usr/local/bin/uw-restore.local

    This will make a copy of "gui-paste" in "my-gui-paste" and add "my-gui-paste" to the list of local files which will be carried forward by "uw-restore" when you do an upgrade of the firewall. A link is also created so that if you type "gui-paste" by mistake, you will still get "my-gui-paste".

  3. Add the line below (with numbers suitably modified) to "my-gui-paste" just after the line with the comment: "convert CRLF to LF" (which is currently line 113 of "gui-paste").
    	{gsub(/10\.95\.123\./, "10.0.123.")}  # change primary 10 net 

    Be sure to change all three numbers before the comma to match your default 10. network.
    The example above would change network "10.95.123" to network "10.0.123".

  4. Generate your firewall rules with the rule generator and copy/paste them into "my-gui-paste".

  5. Confirm things are working properly and save your work by running "save-config" on the firewall.
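The one-line gsub() in step 3 is easy to get subtly wrong (a missed backslash, or only two of the three numbers changed), and a mistake only shows up after the rules are pasted. The following is an added example, not the gui-paste script itself: it wraps the same substitution in a shell function so it can be tried on sample text first, plus a second function that counts how many lines still mention the old network afterwards. The rule lines are constructed in an iptables-like style for illustration and are not real rule-generator output.

```shell
#!/bin/sh
# Added example, not the original gui-paste script. It applies the same
# "replace the primary 10. network" substitution as step 3, but as a
# function that can be checked on sample input before editing gui-paste.

# rewrite_primary_net OLD NEW
#   OLD and NEW are three-octet prefixes such as 10.95.123 and 10.0.123.
#   Reads rule text on stdin and writes the rewritten text on stdout.
rewrite_primary_net() {
  awk -v old="$1" -v new="$2" '
    BEGIN {
      # Turn "10.95.123" into the pattern "10[.]95[.]123[.]" so every dot
      # matches a literal dot; the trailing dot keeps the pattern from
      # touching other networks such as 10.95.12.x
      gsub(/\./, "[.]", old)
      pat = old "[.]"
    }
    { gsub(pat, new "."); print }
  '
}

# old_net_remaining OLD
#   Prints the number of stdin lines that still contain OLD followed by a
#   dot. A non-zero count after rewriting means some occurrence was missed,
#   for example because one of the three numbers in the pattern was wrong.
old_net_remaining() {
  awk -v old="$1" '
    BEGIN { gsub(/\./, "[.]", old); pat = old "[.]" }
    $0 ~ pat { n++ }
    END { print n + 0 }
  '
}

# Constructed sample lines in an iptables-like style; not real rule-generator
# output. The third line is on a different 10. network and must not change.
SAMPLE_RULES='-A FORWARD -s 10.95.123.0/24 -j ACCEPT
-A FORWARD -d 10.95.123.7 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.95.12.5 -j DROP'

# Stand-alone usage: rewrite the sample, then report how many old-network
# references survived (expected: none).
printf '%s\n' "$SAMPLE_RULES" | rewrite_primary_net 10.95.123 10.0.123
printf '%s\n' "$SAMPLE_RULES" | rewrite_primary_net 10.95.123 10.0.123 \
  | old_net_remaining 10.95.123
```

To use this against real output, pipe the text you would otherwise paste into "my-gui-paste" through rewrite_primary_net with your own old and new prefixes, and run old_net_remaining on the result; a count of 0 is the confirmation that the pattern in step 3 matched everything it needed to.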

Variation #sNIC: Adding a Second Network Interface Card (a Physical Firewall)

Variation #nm30: Each Client is Isolated on its Own Tiny (2-bit) Subnet

Variation #nm29: Clients Are Isolated on Tiny (3-bit) Subnets

Variation #4: A True Filtering Bridge

Unsupported Firewall Variations In Detail

Variation #1: Almost a Filtering Bridge

Variation #1a: Similar to #1 above but Without Subnet Partitioning

Variation #2: Almost a Logical Filtering Bridge

Variation #3: A Logical Firewall Using VPN Technology Instead of NAT

Variation #3v: A NAT-Free Logical Firewall Using VTUN Instead of PPTP (For Unix/Linux Clients)

Deprecated Firewall Variations In Detail

Variation #172: Project 172 NAT gateway

(This variation is no longer recommended at UW because Project 172 NAT is now automatically provided at the campus border.)

Variation #e10 and #172 in Combination

(This variation is no longer recommended at UW because Project 172 NAT is now automatically provided at the campus border.)

For your convenience, if you already have a logical firewall, you can upload its "tables" file into the variation webforms above and you'll only need to manually enter information in the new fields on the opening screen.


Corey Satten
Email -- corey @ u.washington.edu
Web -- http://staff.washington.edu/corey/
Date -- Mon Jan 28 12:27:55 PST 2008