Another basic networking question.

Tim ignored_mailbox at yahoo.com.au
Thu Apr 2 15:12:29 UTC 2009


Simon Slater:
>>> When a firewall computer has 2 nics, they should be on separate
>>> subnets? Yes?

Tim:
>> That depends on how you want to use them.  If the computer sits
>> *between* two networks, then yes.

Aaron Konstam:
> Clarification of the answer above. They can be on different LANS, but do
> not have to be.

I don't see how that's a clarification...  NB:  Simon talked about a
"firewall computer."

Generally (hence my "it depends"), to use a computer as a firewall,
you'd put it between two networks.  Which may be the ISP's and yours.
Or, any two networks of any type (such as the research LAN and the
cafeteria LAN, in single business).  Even when you put a firewall on one
computer, to protect itself from the outside, it's typically carving up
the networking, albeit internally, into two halves.  Outer and inner,
with control between the two halves, and different rules for each.

It's rather difficult, if not impossible, for a computer to act as a
firewall when it's not *between* the protected network and the rest.
And trying to make either side seem to be the same subnet will be a
nightmarish exercise in configuration, and prone to networking errors.

Don't get too hung up on the name "subnet."  A subnet is a network, two
subnets in a building are two networks.  It's just a name used when a
network is carved into separate branches.

-- 
[tim at localhost ~]$ uname -r
2.6.27.19-78.2.30.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
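A worked example of the layout Tim describes above (firewall box between two networks, one NIC on each, different rules for the outer and inner halves), added here as an illustration; it is not code from the original post or from anyone in the fedora-list thread. It checks the two interface prefixes really are separate subnets before emitting a ruleset, since the same-prefix-on-both-sides layout is the one the post warns against. The interface names eth0/eth1, the addresses (a documentation range outside, a private range inside), the admin port list and the ruleset shape are all assumptions; the output is nftables syntax, a later tool than the iptables a Fedora 9 box in 2009 would have used.

```python
"""Two-NIC firewall layout check and ruleset generator.

Added example for the layout discussed in the post above; it is not code
from the original fedora-list message.  Interface names, addresses and
the ruleset shape are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Nic:
    """One interface of the firewall host (names and addresses assumed)."""
    name: str   # kernel interface name, e.g. "eth0"
    cidr: str   # address/prefix configured on it, e.g. "192.168.1.1/24"


def subnet_of(cidr: str) -> str:
    """Prefix an interface address belongs to ("192.168.1.1/24" -> "192.168.1.0/24")."""
    return str(ipaddress.IPv4Interface(cidr).network)


def subnets_overlap(cidr_a: str, cidr_b: str) -> bool:
    """True if the two interface prefixes share any address."""
    net_a = ipaddress.IPv4Interface(cidr_a).network
    net_b = ipaddress.IPv4Interface(cidr_b).network
    return net_a.overlaps(net_b)


def check_separate_subnets(outer: Nic, inner: Nic) -> tuple:
    """Return (outer_prefix, inner_prefix), refusing the same-subnet layout.

    A box routes between its NICs by destination prefix; if both NICs
    carry the same (or an overlapping) prefix the route lookup cannot
    tell the sides apart, which is the configuration the post warns against.
    """
    if outer.name == inner.name:
        raise ValueError("outer and inner must be different interfaces")
    if subnets_overlap(outer.cidr, inner.cidr):
        raise ValueError(
            f"{outer.name} ({subnet_of(outer.cidr)}) overlaps "
            f"{inner.name} ({subnet_of(inner.cidr)})"
        )
    return subnet_of(outer.cidr), subnet_of(inner.cidr)


def render_nft_ruleset(outer: Nic, inner: Nic, admin_tcp_ports=(22,)) -> str:
    """Emit an nftables ruleset with a different policy for each half.

    Outer side: nothing new comes in except the listed admin ports.
    Inner side: hosts may reach the firewall and be forwarded outward.
    Forward chain: only inner->outer is initiated; a packet arriving on
    the outer NIC that claims an inner source address is dropped.
    Forwarding itself still needs net.ipv4.ip_forward=1; this only filters.
    """
    outer_net, inner_net = check_separate_subnets(outer, inner)
    ports = ", ".join(str(p) for p in admin_tcp_ports)
    return (
        "table inet fw {\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy drop;\n"
        "        iif lo accept\n"
        "        ct state established,related accept\n"
        f'        iifname "{inner.name}" ip saddr {inner_net} accept\n'
        f'        iifname "{outer.name}" tcp dport {{ {ports} }} ct state new accept\n'
        "    }\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy drop;\n"
        "        ct state established,related accept\n"
        f'        iifname "{outer.name}" ip saddr {inner_net} drop\n'
        f'        iifname "{inner.name}" oifname "{outer.name}" ip saddr {inner_net} accept\n'
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed sample: eth0 faces the ISP, eth1 faces the LAN.
    outer = Nic("eth0", "203.0.113.2/24")
    inner = Nic("eth1", "192.168.1.1/24")
    print(render_nft_ruleset(outer, inner))
    # The same-subnet layout is rejected before any rule is written.
    try:
        render_nft_ruleset(Nic("eth0", "192.168.1.2/24"), inner)
    except ValueError as err:
        print("rejected:", err)
```

The overlap check is the part worth keeping even if you write the rules by hand: it catches the case where someone later renumbers one side into the other's prefix, at which point the kernel has no way to decide which NIC a destination lives behind and the firewall quietly stops being "between" anything.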

More information about the fedora-list mailing list