firewall without router

My ISP (a small operation) uses a VLAN to connect all its subscribers
into a non-firewalled, public IP network. So, if I connect my
computers to the network through a switch, I can have public IPs to
them all, and my ISP is OK with this as long as I keep the number
small. I think there is an advantage to having the public IPs, but not
having a firewall is a serious security risk, at least for my Windows
machine. An obvious solution is to use a router and NAT for the
machines I want behind a firewall and then to have a switch "in front
of" the router so that I can have keep, say, my Linux machine on the
open internet. But I'd also like to have some security for the
machines I keep on the public side. So here is what I would really
like to have: I'd like to set up a symmetric firewall (or perhaps some
other kind) between my machines and the internet, and I would like to
have a switched network, so that routing and DHCP is on my ISP's
router. Does anyone have any ideas for the best way to do this? I've
just started looking into LEAF (Linux Embedded Appliance Firewall).
Could this be configured to do what I want?

Thanks,

Tom

Re: firewall without router

Post removed (X-No-Archive: yes)

Re: firewall without router

Post removed (X-No-Archive: yes)

Re: firewall without router

Tom V wrote:
> My ISP (a small operation) uses a VLAN to connect all its subscribers
> into a non-firewalled, public IP network. So, if I connect my
> computers to the network through a switch, I can have public IPs to
> them all, and my ISP is OK with this as long as I keep the number
> small. I think there is an advantage to having the public IPs, but
> not having a firewall is a serious security risk, at least for my
> Windows machine. An obvious solution is to use a router and NAT for
> the machines I want behind a firewall and then to have a switch "in
> front of" the router so that I can have keep, say, my Linux machine on
> the open internet.

Actually I'd rather suggest to put the publicly accessible machines into
a separate network (a DMZ) behind the router as well, and make the
router a 3-legged firewall. Depending on what services you need to be
accessible on which machine that may not be feasible, though. For a more
comprehensive suggestion you need to give more details about what
services you need to be available, and what machines they'll be running
on.

> But I'd also like to have some security for the machines I keep on the
> public side. So here is what I would really like to have: I'd like to
> set up a symmetric firewall (or perhaps some other kind) between my
> machines and the internet, and I would like to have a switched
> network, so that routing and DHCP is on my ISP's router. Does anyone
> have any ideas for the best way to do this?

I haven't set this up myself, but you can probably achieve this by using
a bridging firewall. However, as I said before, I'd usually recommend
against something like this unless there are some really good reasons to
have it.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich