Hi List,

I'm quite new to shorewall / firewalls and need to protect a bigger network with various webservers...

Even though I studied the howtos / manuals I can't get to the solution as NAT/SNAT/DNAT is not really easy for me.

I face the situation that I run two webservers on a DMZ and several webservers for testing purposes in a kind of extranet. On my firewall I have five interfaces (net, dmz, lan, extranet, lan2).

All "internal" hosts have a private IP and the firewall has only one public IP.

On my DMZ I also run two DNS servers.

Now I need to understand how to configure the firewall to accept incoming connections, ask DNS for the internal IP and forward (?) the request to the webserver in charge.

Is this possible with NAT / DNAT?

How to create the rules accordingly... some hints are highly appreciated

Mat
The easiest way to do this would be to have a 'tiered' web server farm, so the following happens:

Request comes into firewall
Firewall forwards packet to tier 1 webserver, which is configured to redirect the packets dependent on URL.
Packets are passed to the correct internal webserver.

Another way is to do something similar, but make the lowest loaded webserver and the tier 1 server one and the same, i.e. packets destined for the URL webserver1 (which also does the redirecting) stay on that server, whereas any requests to webserver2 are re-directed accordingly.

The downside to this is that if you lose webserver1 for any reason you lose both web servers (but this can be rectified with a little re-configuration), but then, in example 1, if you lose the tier 1 server you lose both servers also.

HTH

Phil

On Mon, 2006-01-30 at 17:07 +0100, md wrote:
-- 
Phil Foxton <phil@thefoxtons.org.uk>
Hi Phil,

thanks for the prompt reply...

I already thought about your suggestions. But isn't there a way to tell shorewall to forward http requests according to the IP given from the DNS?

In other words, if www1.domain reaches the fw it will DNAT to the IP1 received from dns and the same with www2 and ip2?

maybe it's just not possible?!?

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Phil Foxton
Sent: Monday, 30 January 2006 17:25
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] basic understandings..
IF the two webservers have different public (NON RFC1918) IP addresses, then yes, BUT if they are on the same public address, then no, as shorewall (and other purely IP based firewalls) do not examine the contents of the HTTP packet, just the source and destination headers. The examination of the HTTP packet is left down to the web server (for reference look up Apache's Virtual Server directive, especially with reference to name based virtual servers)

Regards

Phil
-- 
Phil Foxton MBCS RHCE
+44 7973 219146

---------- Original Message -----------
From: "md" <md@evoconcept.de>
To: <shorewall-users@lists.sourceforge.net>
Sent: Mon, 30 Jan 2006 17:40:10 +0100
Subject: Re: [Shorewall-users] basic understandings..
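The distinction Phil draws in his last reply, as an added example that is not part of the thread: a DNAT rule on the firewall matches only on the IP destination and TCP port, so with a single public address every request on port 80 lands on the same DMZ host no matter which site name the client typed; the name is in the HTTP Host header, which a web server (or a front-end reverse proxy, Phil's "tier 1" server) reads to choose the right backend. The hostnames, the addresses (documentation ranges and private DMZ addresses) and the functions `firewall_dnat`, `parse_host` and `vhost_dispatch` are all constructed for this illustration.

```python
# Added example, not code from the Shorewall list thread. It models the point
# made in the reply above: a packet filter doing DNAT only sees IP/TCP header
# fields, while the hostname a client asked for lives in the HTTP payload, so
# hostname-based dispatch has to happen on a web server behind the firewall.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed addresses: one public firewall IP (documentation range) and
# private DMZ hosts. Hostnames are hypothetical.
PUBLIC_IP = "203.0.113.10"
DNAT_RULES: Dict[Endpoint, Endpoint] = {
    # (public dst, dport) -> (DMZ host, port); only ONE target per public port
    (PUBLIC_IP, 80): ("10.0.1.11", 80),
}
VHOSTS: Dict[str, Endpoint] = {
    # name-based virtual host table, as a front-end web server would hold it
    "www1.example.test": ("10.0.1.11", 80),
    "www2.example.test": ("10.0.1.12", 80),
}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # TCP payload: the HTTP request bytes


def firewall_dnat(pkt: Packet, rules: Dict[Endpoint, Endpoint]) -> Optional[Endpoint]:
    """What a DNAT rule can do: match on destination address and port only.
    The payload is never consulted, so every request to PUBLIC_IP:80 goes to
    the same DMZ host regardless of which site the client asked for."""
    return rules.get((pkt.dst, pkt.dport))


def parse_host(payload: bytes) -> Optional[str]:
    """Return the Host header of an HTTP/1.x request, lower-cased and without
    a port suffix, or None when the request carries no Host header."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", errors="replace").lower()
            # strip an optional ":port"; an IPv6 literal has more colons and is kept whole
            return host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    return None


def vhost_dispatch(payload: bytes, vhosts: Dict[str, Endpoint],
                   default: Optional[Endpoint] = None) -> Optional[Endpoint]:
    """What the 'tier 1' server does: read the Host header and choose the
    backend. Requests with no or an unknown Host go to the default vhost."""
    host = parse_host(payload)
    if host is None:
        return default
    return vhosts.get(host, default)


def request_for(host: str) -> bytes:
    """Build a minimal HTTP/1.1 GET for a given hostname (constructed input)."""
    return b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n"


if __name__ == "__main__":
    for name in VHOSTS:
        pkt = Packet("198.51.100.7", 40000, PUBLIC_IP, 80, request_for(name))
        print(name, "firewall ->", firewall_dnat(pkt, DNAT_RULES),
              "vhost ->", vhost_dispatch(pkt.payload, VHOSTS))
```

Run as a script it prints the same firewall target for both hostnames but a different vhost target for each. On the real system the single header-based rule corresponds to one DNAT entry in /etc/shorewall/rules, e.g. `DNAT net dmz:10.0.1.11 tcp 80` (columns ACTION, SOURCE, DEST, PROTO, DEST PORT; the address is the placeholder used above), and the Host-based step is what Apache's `<VirtualHost>` blocks with `ServerName` do on the DMZ host that receives the DNATed traffic. Note the HTTP/1.0 case: a request without a Host header cannot be dispatched by name, which is why the example falls back to a default virtual host rather than dropping it.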