Hi List,

hope my question is not too off-topic... I run a shorewall server with 6 nics. Two are connected to the web (my ext zone - but only one of them is active), one to my DMZ and three to different LANs. Now I need a connection from one host in LAN_1 to another host "outside". It's possible for me to connect the "remote" host with my unused ext interface - but I don't think that's the way to go. Actually I thought about bridging the unused interface with my LAN_1, but how to protect that. Or should I set up an openVPN between my internal and external host?

Any ideas from the specialists on the list?

cheers,
Mat

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> Now I need a connection from one host in LAN_1 to another host "outside".

As I understand you, the outside host is still within cabling distance(?)

------------------

I think you need to tell us a bit more about what kind of security you require. Is it alright to have the outside host connected to every host in LAN_1, or must it be only that single one? Do you need to have the traffic encrypted?

> Actually I thought about bridging the unused interface with my LAN_1,
> but how to protect that.

I don't think you could effectively prevent other hosts on LAN_1 from contacting the outside host in that case. Even if you put in some filtering rules in Shorewall, they could probably be bypassed.

> Or should I set up an openVPN between my internal and external host?

I would consider that a very secure solution. However, if the traffic is very heavy, encryption will use a lot of cpu-power on the hosts -- I don't know whether you can disable encryption in OpenVPN.

Anyway, those are my thoughts. I guess you can go about this thing in many other ways as well.

Rune
Hi Rune,

>> Now I need a connection from one host in LAN_1 to another host "outside".
>
> As I understand you, the outside host is still within cabling distance(?)

yes

> ------------------
>
> I think you need to tell us a bit more about what kind of security you
> require. Is it alright to have the outside host connected to every
> host in LAN_1, or must it be only that single one? Do you need to
> have the traffic encrypted?

My host "outside" is supposed to be a backup and storage box - so lots of data to be transmitted. As I would like to share this host with others it's "outside" my own networks but still in cabling distance. Because there are so many possibilities I ask this list for advice. In the beginning I thought about using proxy_arp for my internal host but I actually don't like to expose ANY open port of this machine to the outer world. So I came to the idea of linking my 2nd shorewall nic with a cross-over cable to my storage machine - but that makes it a private storage solution that might also be moved to my LAN as this box has only one nic and I couldn't share it with others :-( Your point regarding encryption makes me now feel a bit uncomfortable with the openVPN thing. More confused than before :-( Any ideas?

Mat

>> Actually I thought about bridging the unused interface with my LAN_1,
>> but how to protect that.
>
> I don't think you could effectively prevent other hosts on LAN_1 from
> contacting the outside host in that case. Even if you put in some
> filtering rules in Shorewall, they could probably be bypassed.
>
>> Or should I set up an openVPN between my internal and external host?
>
> I would consider that a very secure solution. However, if the traffic
> is very heavy, encryption will use a lot of cpu-power on the hosts --
> I don't know whether you can disable encryption in OpenVPN.
>
> Anyway, those are my thoughts. I guess you can go about this thing in
> many other ways as well.
>
> Rune
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
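The cross-over cable idea above (spare NIC straight to the storage box) is the variant Shorewall can actually enforce: the box sits in its own routed zone instead of on a bridge shared with LAN_1, so every packet to it has to pass the firewall and the "bypass" problem with bridge filtering does not arise. The following config fragments are an added example written for this thread, not something from the original posts or from the Shorewall project; the Shorewall 3.x file layout is real, but the zone names, interface names, addresses and ports are assumptions (rsync over ssh on tcp/22, plus udp/1194 in case the OpenVPN option is chosen).

```text
# /etc/shorewall/zones   (Shorewall 3.x format; existing zones shown for context)
#ZONE   TYPE    OPTIONS
fw      firewall
net     ipv4
dmz     ipv4
loc1    ipv4
# new zone for the storage box hanging off the spare NIC
stor    ipv4

# /etc/shorewall/interfaces
# eth3/eth5 are assumed names; "detect" lets Shorewall read the broadcast address
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc1    eth3        detect
stor    eth5        detect

# /etc/shorewall/policy
# first match wins, so the stor lines must sit above the catch-all
#SOURCE DEST    POLICY  LOG LEVEL
stor    all     DROP    info
all     stor    DROP    info
# ... existing loc1/dmz/net policies unchanged ...
all     all     REJECT  info

# /etc/shorewall/rules
# only the one backup client (assumed 192.168.1.10) may open connections to
# the box (assumed 192.168.200.2); replies come back via connection tracking
#ACTION SOURCE              DEST                PROTO   DEST PORT(S)
ACCEPT  loc1:192.168.1.10   stor:192.168.200.2  tcp     22
ACCEPT  loc1:192.168.1.10   stor:192.168.200.2  udp     1194
```

Run `shorewall check` before `shorewall restart` to catch syntax slips. Because the storage segment is a separate layer-2 domain, the other LAN_1 hosts cannot reach the box by talking to it directly; they would have to route through the firewall, where the `all stor DROP` policy stops them. Nothing on the box is exposed to net or dmz either, which answers the "no open port to the outer world" requirement without proxy_arp.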
Hi Mathias

A follow-up to my earlier comment:

>> Or should I set up an openVPN between my internal and external host?
>
> I would consider that a very secure solution. However, if the traffic
> is very heavy, encryption will use a lot of cpu-power on the hosts --
> I don't know whether you can disable encryption in OpenVPN.

Someone tested the speed of OpenVPN:
http://openvpn.net/archive/openvpn-users/2006-01/msg00029.html

<Quote>
I tested throughput by copying a 62.8 MB file in three different configurations.

1) With no tunnel. The file transfer took about 2 seconds, which is roughly 32Mbps [Megabytes/sec]

2) With a UDP tunnel with no encryption. The file transfer took 18 seconds, which is about 3.65Mbps.
</Quote>

He disabled encryption by specifying "cipher none" in his OpenVPN configuration.
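Two things worth reading out of that quoted test: the unencrypted tunnel was still roughly ten times slower than no tunnel at all, so the cipher was not the dominant cost there, and `cipher none` turns the VPN into a plain UDP encapsulation that anyone on the shared cable segment can read. Below is an added example, not from the original posts or the OpenVPN project, of the encrypted static-key point-to-point setup between the LAN_1 backup client and the storage box, with the weak setting shown beside it; all addresses, file paths and the port are assumptions.

```text
# Shared static key, generated once and copied to both ends over a trusted path:
#   openvpn --genkey --secret /etc/openvpn/static.key

# --- LAN_1 backup client: /etc/openvpn/storage.conf ---
dev tun
remote 192.168.200.2 1194
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
cipher AES-256-CBC
auth SHA256
keepalive 10 60

# --- storage box: /etc/openvpn/backup.conf ---
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret /etc/openvpn/static.key
cipher AES-256-CBC
auth SHA256
keepalive 10 60

# --- the "no encryption" variant from the quoted throughput test ---
# Replacing the cipher line on both ends with
#   cipher none
# removes confidentiality only; the HMAC from "auth" still protects integrity
# unless "auth none" is added as well. Either way the backup data then crosses
# the wire in cleartext, so this is only defensible on a dedicated, physically
# controlled cable, and even there it buys little given the numbers above.
```

The tunnel still needs a path through the firewall: a Shorewall rule permitting udp/1194 from the backup client to the storage box, and if the LAN_1 host should see the far end through the tunnel only, nothing else. The application traffic then rides inside the tunnel on 10.8.0.x and is filtered by OpenVPN's shared-key check rather than by source address.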