
6. Advanced Configurations

There is one configuration I would like to go over before wrapping this document up. The one I have just outlined will probably suffice for most people. However, I think the next outline will show a more advanced configuration that can clear up some questions. If you have questions beyond what I have just covered, or are just interested in the versatility of proxy servers and firewalls, read on.

6.1 A large network with emphasis on security

Say, for instance, you are the leader of the Milwaukee 23rd Discordian Cabal. You wish to network your site. You have 50 computers and a subnet of 32 (5 bits) IP numbers. You have various levels of access. You tell your disciples different things according to each level. Obviously, you would want to protect certain parts of the network from the disciples that are not in that level.

Disclaimer: I am not a member of the Discordians. I do not know their terminology, nor do I really care. I am using them as an example only. Please send all flames to

The levels are:

  1. The external level. This is the level that gets shown to everybody. Basically, this is the ranting and raving about Eris, Goddess of Discord, and all the rest of the drivel.
  2. Sage. This is the level of people who have gotten beyond the external level. Here is where you tell them that discord and structure are really one, and that Eris is also Jehovah.
  3. Adept. Here is where the real plan is. In this level is stored all the information on how the Discordian Society is going to take over the world through a devious, yet humorous, plan involving Newt Gingrich, Wheaties Cereal, O.J. Simpson, and five hundred crystals, all erroneously marked "6.5 MHz".

The Network Setup

The IP numbers are arranged as:

Then, two separate networks are built, each in a different room. They are linked via infrared Ethernet so that they are completely invisible to the outside room. Luckily, infrared Ethernet works just like normal Ethernet (or so I think), so we can treat them like normal networks.

These networks are each connected to one of the linux boxes with an extra IP address.

There is a file server connecting the two protected networks. This is because the plans for taking over the world involve some of the higher sages. The file server holds the address 192.168.2.17 on the sage network and 192.168.2.23 on the adept network. It has to have two different IP addresses because it has two different Ethernet cards, one on each network. IP Forwarding on it is turned off.

IP Forwarding on both Linux boxes is also turned off. The router will not forward packets destined for 192.168.2.xxx unless explicitly told to do so, so the Internet will not be able to get in. The reason for turning off IP Forwarding here is so that packets from the sage network will not be able to reach the adept network, and vice versa.

The NFS server can also be set to offer different files to the different networks. This can come in handy, and a little trickery with symbolic links can make it so that the common files can be shared with all. Using this setup and another Ethernet card can offer this one file server for all three networks.

The Proxy Setup

Now, since all three levels want to be able to monitor the network for their own devious purposes, all three need to have net access. The external network is connected directly to the Internet, so we don't have to mess with proxy servers there. The adept and sage networks are behind firewalls, so it is necessary to set up proxy servers for them.

Both networks will be set up very similarly. They both have the same IP addresses assigned to them. I will throw in a couple of parameters, just to make things more interesting though.

  1. No one can use the file server for Internet access. Letting it reach the Internet would expose it to viruses and other nasty things, and it is rather important, so it's off limits.
  2. We will not allow Sages access to the World Wide Web. They are in training, and this kind of information retrieval power might prove to be damaging.

So, the sockd.conf file on the sage Linux box will have this line:

deny 192.168.2.17 255.255.255.255

and on the adept machine:

deny 192.168.2.23 255.255.255.255

And, the sage Linux box will also have this line:

deny 0.0.0.0 0.0.0.0 eq 80

This says to deny all machines access to destination port 80, the HTTP port (eq means "equal to"). All other services are still allowed; only Web access is denied.

Then, both files will have:

permit 192.168.2.0 255.255.255.0

to allow all the computers on the 192.168.2.xxx network to use this proxy server, except for those requests that have already been denied by an earlier line (i.e., the file server, and Web access from the sage network).

The sage sockd.conf file will look like:

deny 192.168.2.17 255.255.255.255

deny 0.0.0.0 0.0.0.0 eq 80

permit 192.168.2.0 255.255.255.0

and the adept file will look like:

deny 192.168.2.23 255.255.255.255

permit 192.168.2.0 255.255.255.0

This should configure everything correctly. Each network is isolated accordingly, with the proper amount of interaction. Everyone should be happy. Now, look out for your 6.5 MHz crystals.
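To check the two files above before deploying them, here is a small evaluator (an added example, not part of this HOWTO or of the sockd distribution): it parses the permit/deny subset used on this page, applies the lines first-match-wins in file order as the text implies, and assumes that a request matching no line is denied (the sockd default, stated here as an assumption).

```python
import ipaddress
# Constructed copies of the two sockd.conf files shown in the text.
SAGE_CONF = """\
deny 192.168.2.17 255.255.255.255
deny 0.0.0.0 0.0.0.0 eq 80
permit 192.168.2.0 255.255.255.0
"""
ADEPT_CONF = """\
deny 192.168.2.23 255.255.255.255
permit 192.168.2.0 255.255.255.0
"""

def parse_sockd_conf(text: str) -> list:
    """Parse the sockd.conf subset used on this page, keeping file order:
    <permit|deny> <addr> <mask> [eq <port>]  ->  (action, network, port|None)."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue                       # blank or comment-only line
        ok = fields[0] in ("permit", "deny") and (
            len(fields) == 3 or (len(fields) == 5 and fields[3] == "eq"))
        if not ok:
            raise ValueError(f"unsupported sockd.conf line: {raw!r}")
        port = int(fields[4]) if len(fields) == 5 else None
        net = ipaddress.IPv4Network((fields[1], fields[2]), strict=False)
        rules.append((fields[0], net, port))
    return rules

def decide(rules: list, client: str, dst_port: int) -> str:
    """First matching line wins, as 'except for those already denied' implies;
    no matching line falls through to deny (assumed default)."""
    ip = ipaddress.IPv4Address(client)
    for action, net, port in rules:
        if ip in net and (port is None or port == dst_port):
            return action
    return "deny"

def check_policy() -> dict:
    """Exercise both files against the page's two requirements."""
    sage, adept = parse_sockd_conf(SAGE_CONF), parse_sockd_conf(ADEPT_CONF)
    return {
        "sage_fileserver": decide(sage, "192.168.2.17", 21),   # deny
        "sage_web": decide(sage, "192.168.2.5", 80),           # deny
        "sage_other": decide(sage, "192.168.2.5", 21),         # permit
        "adept_fileserver": decide(adept, "192.168.2.23", 21), # deny
        "adept_web": decide(adept, "192.168.2.5", 80),         # permit
        "outsider": decide(adept, "10.9.8.7", 80),             # deny
    }
```

Moving the permit line above the deny lines makes check_policy() report "permit" for the file server, which is exactly the ordering mistake this check is meant to catch.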

