Path: utzoo!attcan!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!uakari.primate.wisc.edu!unmvax!ariel.unm.edu!ariel.unm.edu!dd
From: dd@ariel.unm.edu (Don Doerner)
Newsgroups: comp.protocols.tcp-ip.ibmpc
Subject: Re: Help using ka9q to protect sources
Message-ID: <1990Sep29.145335.17161@ariel.unm.edu>
Date: 29 Sep 90 14:53:35 GMT
References: <10560@pt.cs.cmu.edu>
Sender: news@ariel.unm.edu (USENET News System)
Organization: University of New Mexico
Lines: 56

In article <10560@pt.cs.cmu.edu> nash@vi.ri.cmu.edu (Richard Nash) writes:
> [...]
>
> So I have two questions...
>
> 1> Is it possible to further subclass a Class-C address. Can I have my
> netmask be 255.255.255.192 so that I have 2 bits of network info and
> 6 bits to specify the hosts? If so, how do I configure the ka9q net.exe
> program to route between my internal networks?

This could work but for a single problem: to get two subnets, you must allow two bits of subnet in your last octet. You cannot use x.y.z.0 thru x.y.z.63, you can use x.y.z.64 thru x.y.z.127, you can use x.y.z.128 thru x.y.z.191, but you cannot use x.y.z.192 thru x.y.z.255. This throws away half of your address space, but the bottom line is that you cannot use subnet 0, nor subnet 2**n-1, where n is the number of bits you allocate for your subnetting scheme.

Me? I personally think this portion of the RFCs is nonsense, but that's probably because I haven't yet been able to figure out a reason that it shouldn't work. But the RFC says so, and it is the protocol specification for the protocol you have chosen...

Now the next problem is that the host portion of the network address is subject to similar constraints: it can neither be 0, nor can it be 2**m-1, where m is the number of bits you allocate for your host. This means that x.y.z.64 is not usable, nor is x.y.z.127, nor x.y.z.128, nor x.y.z.191. These are easier to understand: 2**m-1 is reserved as an IP broadcast address, and 0 has historically been a broadcast in some early implementations of the protocol suite.

All in all, I think you will want to apply for a second class C address. But in theory, you've got it right...

> 2> Can I have the route between the secure and open networks simply disallow
> any traffic except relatively innocuous things like mail? Does the ka9q
> package allow me to do this?

Don't know about the KA9Q package. CISCO routers let you do this (we use a lot of them), so I suspect that there are similar access control mechanisms available in most router implementations.

> I have set up the ka9q package and got it to accept both cards through
> the attach command. I can ftp from the router PC to either side of the
> network, but I can't seem to get through the router. From one side to
> the other. Can anyone help?

I can't help with this, sorry!

Don Doerner, Communication Manager
University of New Mexico CIRT
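The subnet and host rules Don lays out (subnet number neither 0 nor 2**n-1, host number neither 0 nor 2**m-1) applied to the 255.255.255.192 mask from the question, as an added example that is not code from the post or from the KA9Q package; the range 192.0.2.0/24 is a constructed stand-in for the poster's "x.y.z" class C, and the function names are my own.

```python
import ipaddress

# Constructed sample class C standing in for the poster's x.y.z network.
SAMPLE_CLASS_C = "192.0.2.0/24"
SAMPLE_MASK = "255.255.255.192"   # the /26 mask from the question


def mask_bits(mask: str) -> int:
    """Prefix length of a dotted-decimal netmask, e.g. 255.255.255.192 -> 26."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def classify(addr: str, class_c: str, mask: str) -> str:
    """Say why `addr` is or is not a usable host address when `class_c`
    is subnetted with `mask`, under the rules described in the post."""
    net = ipaddress.IPv4Network(class_c, strict=False)
    plen = mask_bits(mask)
    n = plen - net.prefixlen          # subnet bits borrowed from the host field
    m = 32 - plen                     # host bits left in each subnet
    ip = ipaddress.IPv4Address(addr)
    if ip not in net:
        return "outside the class C"
    offset = int(ip) - int(net.network_address)
    subnet_no = offset >> m           # which subnet the address falls in
    host_no = offset & ((1 << m) - 1)  # host number within that subnet
    if subnet_no == 0:
        return "subnet 0 (reserved)"
    if subnet_no == (1 << n) - 1:
        return "all-ones subnet (reserved)"
    if host_no == 0:
        return "host 0 (subnet's network address)"
    if host_no == (1 << m) - 1:
        return "host all-ones (subnet broadcast)"
    return "usable"


def usable_hosts(class_c: str, mask: str) -> list:
    """Every address in the class C that passes all four rules."""
    net = ipaddress.IPv4Network(class_c, strict=False)
    return [str(a) for a in net if classify(str(a), class_c, mask) == "usable"]


if __name__ == "__main__":
    for a in ("192.0.2.1", "192.0.2.64", "192.0.2.65", "192.0.2.127",
              "192.0.2.128", "192.0.2.191", "192.0.2.200"):
        print(a, "->", classify(a, SAMPLE_CLASS_C, SAMPLE_MASK))
    # Two usable /26 subnets of 62 hosts each: 124 of the 256 addresses.
    print(len(usable_hosts(SAMPLE_CLASS_C, SAMPLE_MASK)), "usable host addresses")
```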