
sent to the internal firewall's external interface. If you don't tell the external firewall this, however, it's not going to happen. As the external firewall is responsible for the internal network's Internet connectivity, the external firewall not being able to find the internal network would mean that the internal network is off the Internet: it could send data, but not receive any. The external firewall needs routing.

Similarly, hosts on the DMZ network need to know how to reach the 172.16.0.0/24 network. In theory they could just send everything to their default route, the internal interface of the external firewall, and the external firewall would use ICMP redirects to tell them where to go. This is messy, increases traffic and lag, and is almost impossible to debug without a packet sniffer. It also assumes that all the network equipment and servers accept ICMP redirects and that the firewall will pass ICMP redirects. You should use proper routing. Let's set up routing for the external firewall in our example. Once you can do that, routing on the DMZ network hosts will be almost exactly the same.

Routing Commands

All routing is managed by route(8). Route(8) has several sub-functions that allow you to view, edit, and monitor the system routing table. While route(8) has full details, the ability to view, add, and delete routes should be enough to get you started.

Viewing Routes

Let's start by viewing the table with "route show." As OpenBSD supports both IP version 4 and IP version 6, the routes for both protocols are displayed. While the IPv6 route table is very similar, we're just going to examine the IPv4 table, and only enough of that to give you a good idea how all this works.

    # route show
    Routing tables

    Internet:
    Destination          Gateway              Flags
    default              isp-router.Absolut   UG
    192.168.0.0          link#2               U
    isp-router.Abso      0:2:16:bf:a1:8c      UH
    …

Every route table entry has a destination, a gateway, and flags. Destinations can be hosts or networks.
The gateway is the place where the system should send the packet to get to that destination. A gateway can be a host name, a network interface number, or a hardware protocol address. The flags field contains markers that indicate what sort of route this is and how the route behaves. We'll discuss these in the next section, "Route Flags."

The first routing table entry is usually the default route. By default, this system sends all packets to the machine whose host name begins with "isp-router.Absolut." If this is your network and your external firewall, you should know what machine this is! In this case, this is the router where our Internet circuit hooks in, and our default route out of the entire network. This route has the flags "U" and "G."

The second route is for the directly attached network 192.168.0.0. You can tell that it is directly attached by the gateway entry of "link#2". If you look at the "ifconfig -a" output on this system, you'll see that the second real network card is the one with 192.168.0.1/24 assigned to it. The system knows to send requests for those IP addresses out that card.

Our last shown route is for the machine whose name begins with "isp-router.Abso". Here, the routing table shows the physical protocol address for the gateway. The system knows that the default gateway is this machine, and that the machine has the physical address "0:2:16:bf:a1:8c". Given this information, it can route packets as it needs to.
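As an added example (not from the book, and not OpenBSD's own tooling), here is a small sh script that reads a "route show" style listing, reports whether a route to the internal network exists, and prints the route(8) command that would add one. The listing is constructed from the table above; the gateway 192.168.0.2 is an assumed address for the internal firewall's DMZ-side interface.

```shell
#!/bin/sh
# Constructed "route show" listing, matching the table discussed in the text.
SAMPLE_ROUTES='Destination        Gateway            Flags
default            isp-router.Absolut UG
192.168.0.0        link#2             U
isp-router.Abso    0:2:16:bf:a1:8c    UH'

# route_for NET LISTING: print "gateway flags" for the entry whose destination
# equals NET (any /prefix suffix is ignored on both sides), or nothing if the
# table has no entry for it. The header line never matches.
route_for() {
    printf '%s\n' "$2" | awk -v net="${1%/*}" \
        '{ d = $1; sub(/\/.*/, "", d) } d == net { print $2, $3; exit }'
}

# route_kind FLAGS: classify an entry by its flags. H marks a host route,
# G a route through another router, and a plain U a directly attached network.
route_kind() {
    case "$1" in
        *H*) echo host ;;
        *G*) echo gateway ;;
        *U*) echo direct ;;
        *)   echo down ;;
    esac
}

# add_route_cmd NET GATEWAY: the route(8) command an administrator would run
# on the external firewall (and on each DMZ host) to reach NET via GATEWAY.
add_route_cmd() {
    printf 'route add -net %s %s\n' "$1" "$2"
}

# check_internal NET GATEWAY LISTING: report an existing route, or print the
# command needed to add one. Returns 0 if the route exists, 1 if it is missing.
check_internal() {
    entry=$(route_for "$1" "$3")
    if [ -n "$entry" ]; then
        echo "route to $1 present: $entry ($(route_kind "${entry#* }"))"
        return 0
    fi
    echo "no route to $1: traffic would fall back to the default route"
    add_route_cmd "$1" "$2"
    return 1
}

# Assumed internal-firewall address 192.168.0.2 on the DMZ network.
check_internal 172.16.0.0/24 192.168.0.2 "$SAMPLE_ROUTES" || true
```

On a live system, replace the constructed listing with the output of "route -n show" and the assumed gateway with the real address of the internal firewall's external interface.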