
Re: [suse-security] Advice Please - Extending a Network



Philip,

If you want to run two separate subnets then you'll need to update various
bits of config.  I'm going to be a bit pathetic and not describe it very
fully as I've got a cold (!) and a major server crash to handle today!
Sorry if this isn't as good as it could be.

I am assuming that you are running a DHCP server that serves IP addresses
and updates DNS for one simple subnet at present.

Before you start, when the new card is in you'll use YaST2 to configure the
new card with an appropriate IP address.  If you decide to use the
192.168.10. subnet for the new NIC then 192.168.10.1 might be a good
suggestion for the new NIC IP address.

Firstly DHCP.  Decide on a new subnet.  Probably something on a different C
class, like 192.168.10.xxx would be a good idea, just for simplicity.  Add
another entry to dhcp.conf for this new subnet.  Given that you worked out
how to do the first DHCP subnet in dhcp.conf I reckon you can work out how
to add another?

Second DNS.  Add new zone data for the new subnet.  You'll probably be using
some made up domain at the moment with a zone file for this.  You should
also have a reverse lookup zone file for the existing 192.168.0 subnet.
Copy this to create a new reverse lookup zone file for the new (e.g.
192.168.10.) subnet.  Modify named.conf accordingly too, make sure that the
new zone definition allows update from localhost (or whatever address you've
configured) so that DHCP can update it dynamically.

Those two bits should be easy-ish for you.

SuSEfirewall2, you just add the new Ethernet NIC device (probably eth2?) to
the FW_DEV_INT line where the existing internal NIC (probably eth1?) is.
Also make sure to add the new subnet to FW_MASQ_NETS.

I'm not sure about squid.  If any changes are needed to support two subnets
instead of one then they should be fairly obvious.

Finally and the most nasty of all is Samba and WINS.  If you have only win
2k/XP clients then you are probably fairly home free.  You should be able to
ping clients on one subnet from the other and vice versa and should then be
able to see file shares/printers using the usual \\pc2\sharename "UNC" type
notation in the Windows Explorer Address Bar box; luckily for you, you can
thereby bypass the horrid NetBIOS and WINS mess.  I'm not sure how Network
Neighbourhood works in that case (it probably just doesn't) but that's
really just a user training issue in the end (arguably) and not worth the
hassle.

However if you've got Win 3.1, Win 98, Win ME, Win NT 4.0 or likewise
clients on *any* of your connected PCs they won't be able to network without
the dreaded NetBIOS over TCP/IP ("NBT"), worse luck. :(

In that case the best thing to do is get DHCP to set all of them up as
"hybrid" nodes (use "man dhcp.conf" for info), with a NBNS ("WINS") server
at ... (your Linux box IP address on *that* subnet being configured).  Then
adjust smb.conf (my preferred method is using SWAT over a webbrowser if it's
running) so that "wins support = yes".  Next make sure all PCs are in the
same WORKGROUP, restart Samba, DNS, DHCP, SuSEfirewall2 and all MS clients
and pray.

If you network the two segments together at an ethernet level you'll save
all that hassle, however!  Mind you, arguably, you'll learn less in the
(possibly slightly painful) process... :)

Regards,

Carl Peto
Linux Server Support
Bookman Associates
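As an added example (not from the original message), here is the kind of dhcp.conf layout the reply describes (/etc/dhcpd.conf on SuSE of that era): two subnets, one per NIC, dynamic DNS updates restricted to a shared key, and clients set up as hybrid nodes with the WINS server at the Linux box's address on their own segment. The domain name, addresses, ranges and key name are assumptions.

```conf
# /etc/dhcpd.conf -- constructed example; assumes the domain example.lan and
# 192.168.0.1 (eth1) / 192.168.10.1 (eth2) as the Linux box's addresses.
ddns-update-style interim;
ddns-domainname "example.lan";
ddns-rev-domainname "in-addr.arpa";

# Shared key so that only this DHCP server may update the zones.
# named.conf is assumed to reference the same key in allow-update {};
# hmac-md5 was the only algorithm dhcpd 3.x supported.
key dhcpupdate {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-KEY";
};
zone example.lan.              { primary 127.0.0.1; key dhcpupdate; }
zone 0.168.192.in-addr.arpa.   { primary 127.0.0.1; key dhcpupdate; }
zone 10.168.192.in-addr.arpa.  { primary 127.0.0.1; key dhcpupdate; }

default-lease-time 86400;
max-lease-time 172800;
option domain-name "example.lan";

# Existing segment (eth1)
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
    option netbios-name-servers 192.168.0.1;   # WINS at this segment's box address
    option netbios-node-type 8;                # 8 = hybrid (h-node)
}

# New segment (eth2)
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.100 192.168.10.200;
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.1;
    option netbios-name-servers 192.168.10.1;  # same box, other NIC
    option netbios-node-type 8;
}
```

Keeping the update key out of a world-readable file and listing only that key in the zones' allow-update is what stops any host on either segment from rewriting DNS records.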

----- Original Message ----- 
From: "Philip B Cook" <philipbcook@xxxxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Sunday, January 11, 2004 8:03 AM
Subject: Fw: [suse-security] Advice Please - Extending a Network


>
> > If the hardware solutions described are not an option then you have two
> > options using Linux (i) separate subnets or (ii) a bridge.  The latter
> > consists of extra modules in the kernel which effectively turn your box into
> > a switch, thus saving the expense, and all LAN traffic goes across both
> > segments.  Alternatively split the LAN into two subnets, have two IP
> > addresses, one for each NIC and have DHCP serve different IP addresses to
> > hosts on each segment.  This is more traditional in some ways but can be
> > annoying for users, depending on what applications they use.  For instance
> > if they are SMB clients that want to browse a "Network Neighbourhood" then
> > you'll need to implement a WINS server (and possibly a domain server) to
> > keep the two subnets talking to each other.
> >
> > Carl Peto
> > Linux Server Support
> > Bookman Associates
>
> It seems to be quite hard to find an 8 port hub with a coax connector,
> though I will keep looking.
>
> In the meantime can you expand on what I need to do following your (i)
> separate subnets suggestion.
>
> I am already running  ...
>
> 1) DHCP (providing IP addresses to the local machines and also updating the
> DNS zone files automatically)
> 2) DNS (administering the local domain and forwarding to my Cable Company's
> DNS servers)
> 3) SuSEFirewall2 (blocks everything inbound, there are NO services
> accessible from the internet other than those initiated by the local network
> machines)
> 4) Samba to support Windows Clients
> 5) Squid
>
> so I think I have all the parts running I need, but need some pointers on
> how to add the extra interface into the settings for each.
>
> Thanks everyone for your advice.
>
> Philip
>
>


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here