I am attempting to connect two networks to the internet. One network
is an internal ip range (192..) the other network is a public ip range
that is on a network different than my ISP routed address (250.5 vs
245.49 - see below).

I have one cable coming into the office (LAN-Based internet). The one
cable came with the configuration for a two-ip network. x.y.250.5
(isp) & x.y.250.6 (me) mask 255.255.255.252.

I was also given the IP address range x.y.245.49-x.y.245.54 to use
for additional hosts. I've been using the subnet mask of
255.255.255.248.

I want to be able to access the ip range above (49-54) from the
internet without using any NAT - i.e. full DMZ. As it stands with the
OSX configuration below I *can* do this. However, I want more security
for the internal hosts, more reliability than the OSX box gives me, to
clean up the mess below, and ideally add some QOS measures to ensure
VOIP gets through first.
*** THE ??
Is shorewall the best program to allow this type of setup?
What are the specific files I need to edit, and what lines of text
need to be present?
*** END ??
-nl
I've got an OSX 10.4 Server computer presently, moving to a CENTOS 4.2
computer with shorewall 3.0.2
The osx computer crashed when acting as a router & doesn't have an
easy way to forward ports… so I use an external router. However this
device sits inline with the switch, meaning I plug port 2 on the
switch into the WAN of the router and port 3 of the switch into the
LAN. Crude and wrong but works. Hence this request for correction…
-----------
Present configuration (follow the packet down)
1. Internet cable (x.y.250.5 mask 255.255.255.252)
2. Onboard Ethernet OSX 10.4 Server
   if x.y.250.6 mask 255.255.255.252
   Gateway set as if of router (x.y.250.5)
   (NAT "on", Forward only checked)
3. PCI Ethernet
   x.y.245.49 mask 255.255.255.248
   virtual if 192.168.2.3 mask 255.255.255.0
4. Unmanaged switch
5a. generic router
   (external if x.y.245.50 mask 255.255.255.248)
   (internal if 192.168.2.1 mask 255.255.255.0)
   DHCP 192.168.2.10-250
   Gateway set as if of PCI slot (x.y.245.49)
5b. computer x.y.245.51 mask 255.255.255.248
5c/6. computer 192.168.2.1 mask 255.255.255.0