Taso Hatzi
2004-Nov-16 11:30 UTC
Query re Tom's firewall (see http://www.shorewall.net/myfiles.htm)
On the firewall, what is the rationale for giving eth1 an IP address that is also assigned to eth0? (Rather than a private one.)

--
Taso Hatzi

caesar 17 <<-salad
cjbx jc vdwwjar jc xi jc jd
salad
Gary Buckmaster
2004-Nov-16 16:00 UTC
Re: Query re Tom's firewall (see http://www.shorewall.net/myfiles.htm)
If you look at his diagram, you'll see that he has his mail server on a public IP address in a DMZ; as a result the configuration of the firewall NIC on the DMZ also needs a public IP address. His private network is shielded on a separate network segment on RFC1918 IP addresses, specifically 192.168.1.0/32.

On Tue, 16 Nov 2004 22:30:47 +1100, Taso Hatzi <ahg2@swiftdsl.com.au> wrote:
>
> On the firewall, what is the rationale for giving eth1 an IP address
> that is also assigned to eth0? (Rather than a private one.)
>
> --
> Taso Hatzi
>
> caesar 17 <<-salad
> cjbx jc vdwwjar jc xi jc jd
> salad
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
Tom Eastep
2004-Nov-16 16:11 UTC
Re: Query re Tom's firewall (see http://www.shorewall.net/myfiles.htm)
Gary Buckmaster wrote:
> If you look at his diagram, you'll see that he has his mail server on
> a public IP address in a DMZ, as a result the configuration of the
> firewall NIC on the DMZ also needs a public IP address. His private
> network is shielded on a separate network segment on RFC1918 IP
> addresses, specifically 192.168.1.0/32

In a Proxy ARP configuration, the firewall IP address on the interface to the internal host does not need to be a public one. See:

http://shorewall.net/ProxyARP.htm
http://shorewall.net/shorewall_setup_guide.htm#ProxyARP

On the other hand, using an RFC 1918 address just creates one more IP address to manage. For example:

- With an RFC 1918 address on the DMZ interface, email from the firewall to the SMTP server in the DMZ will have that IP address as its source. The firewall identifies itself in the HELO/EHLO command as 'gateway.shorewall.net'; unless a PTR DNS lookup of the RFC 1918 address yields 'gateway.shorewall.net', the SMTP server issues a warning for each email from the firewall. Not a big deal I grant you (my firewall only produces a couple of emails a day) but it is easily solved by using the firewall's external IP address as the address for the DMZ interface.

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
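The HELO/EHLO-versus-PTR warning Tom describes is the forward-confirmed reverse DNS (FCrDNS) test that many SMTP servers apply to a connecting address. The following Python is an added example, not code from this thread or from Shorewall: it mimics that server-side check against a constructed stand-in for DNS. 206.124.146.176 is the firewall's external address visible in Tom's `ip route` output later in the thread, but its PTR and A records here are assumed; 192.168.2.254 is a hypothetical RFC 1918 address standing in for a private DMZ-side firewall address.

```python
import ipaddress

# Constructed stand-in for DNS lookups (assumed records, not real DNS data).
# PTR: source address -> host name; A: host name -> set of addresses.
PTR_RECORDS = {"206.124.146.176": "gateway.shorewall.net"}
A_RECORDS = {"gateway.shorewall.net": {"206.124.146.176"}}


def _norm(name):
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.lower().rstrip(".")


def helo_check(src_ip, helo_name, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS check on an SMTP client.

    Returns (accepted_without_warning, reason). A server applying this
    test warns (or penalises) when the connecting address has no PTR,
    when the PTR name differs from the HELO/EHLO name, or when that
    name does not resolve back to the connecting address.
    """
    ip = ipaddress.ip_address(src_ip)
    name = ptr.get(str(ip))
    if name is None:
        # RFC 1918 space has no PTR in public DNS, which is exactly the
        # case Tom describes for a private address on the DMZ interface.
        kind = "RFC 1918" if ip.is_private else "public"
        return False, f"{ip} ({kind}) has no PTR record; HELO {helo_name} unverified"
    if _norm(name) != _norm(helo_name):
        return False, f"PTR of {ip} is {name}, not HELO {helo_name}"
    if str(ip) not in a.get(_norm(name), set()):
        return False, f"{name} does not resolve back to {ip}"
    return True, f"HELO {helo_name} confirmed for {ip}"


if __name__ == "__main__":
    # Private DMZ-side address (hypothetical) versus the external address.
    for src in ("192.168.2.254", "206.124.146.176"):
        ok, why = helo_check(src, "gateway.shorewall.net")
        print("OK  " if ok else "WARN", why)
```

Run stand-alone, the private source produces the warning case and the external address passes, which is the trade-off Tom is describing: reusing the external address on the DMZ interface means the firewall's outbound mail carries an address that already has a matching PTR.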
Taso Hatzi
2004-Nov-17 13:40 UTC
Re: Query re Tom's firewall (see http://www.shorewall.net/myfiles.htm)
Tom Eastep wrote:
>
> - With an RFC 1918 address on the DMZ interface, email from the firewall
> to the SMTP server in the DMZ will have that IP address as its source.
> The firewall identifies itself in the HELO/EHLO command as
> 'gateway.shorewall.net'; unless a PTR DNS lookup of the RFC 1918 address
> yields 'gateway.shorewall.net', the SMTP server issues a warning for
> each email from the firewall.
>
I'm curious as to what the routing tables look like on the fw.
Tom Eastep
2004-Nov-17 15:29 UTC
Re: Query re Tom's firewall (see http://www.shorewall.net/myfiles.htm)
Taso Hatzi wrote:
> Tom Eastep wrote:
>
>>
>> - With an RFC 1918 address on the DMZ interface, email from the
>> firewall
>> to the SMTP server in the DMZ will have that IP address as its source.
>> The firewall identifies itself in the HELO/EHLO command as
>> 'gateway.shorewall.net'; unless a PTR DNS lookup of the RFC 1918 address
>> yields 'gateway.shorewall.net', the SMTP server issues a warning for
>> each email from the firewall.
>>
>
> I'm curious as to what the routing tables look like on the fw.

gateway:~ # ip route ls
192.168.1.1 dev eth2  scope link
206.124.146.177 dev eth1  scope link
192.168.3.0/24 via 192.168.1.5 dev eth0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.254
206.124.146.0/24 dev eth2  proto kernel  scope link  src 206.124.146.176
192.168.9.0/24 dev texas  scope link
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 206.124.146.254 dev eth2
gateway:~ #

-Tom
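To read Tom's routing table the way the kernel does, here is an added Python example (not code from this thread or from Shorewall) that parses the `ip route ls` output he posted and performs a longest-prefix-match lookup. The routes are embedded verbatim as the input; the lookup destinations other than those addresses are constructed (198.51.100.1 is a documentation-range address standing in for an arbitrary Internet host). It shows the Proxy ARP mechanism at work: the /32 host route for 206.124.146.177 on eth1 wins over the 206.124.146.0/24 route on eth2, so the DMZ host is reached directly while the rest of the public /24 and the default route go out eth2.

```python
import ipaddress

# Tom's routing table, reproduced as the example's input.
ROUTE_DUMP = """\
192.168.1.1 dev eth2 scope link
206.124.146.177 dev eth1 scope link
192.168.3.0/24 via 192.168.1.5 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
206.124.146.0/24 dev eth2 proto kernel scope link src 206.124.146.176
192.168.9.0/24 dev texas scope link
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 206.124.146.254 dev eth2
"""


def parse_routes(dump):
    """Turn `ip route ls` lines into (network, attributes) pairs.

    The first token is the destination ('default' or a prefix; a bare
    address is a /32 host route). The rest of the line is keyword/value
    pairs such as 'dev eth1', 'via 192.168.1.5' or 'src 192.168.1.254'.
    """
    routes = []
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        net = ipaddress.ip_network(dst, strict=False)
        attrs = dict(zip(tokens[1::2], tokens[2::2]))
        routes.append((net, attrs))
    return routes


def lookup(dst, routes):
    """Longest-prefix match for a destination address.

    Returns the matching prefix, the outgoing device, the next hop
    ('via', None for directly connected) and the preferred source
    address ('src'). When a route carries no 'src', the kernel uses the
    primary address of the outgoing interface, which is why the address
    chosen for the DMZ interface decides what the SMTP server sees.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for net, attrs in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attrs)
    if best is None:
        return None
    net, attrs = best
    return {
        "match": str(net),
        "dev": attrs.get("dev"),
        "via": attrs.get("via"),
        "src": attrs.get("src"),
    }


if __name__ == "__main__":
    table = parse_routes(ROUTE_DUMP)
    # 206.124.146.177 is the DMZ host; 198.51.100.1 is a constructed
    # Internet destination; 192.168.3.7 is a constructed host on the
    # 192.168.3.0/24 network reached via 192.168.1.5.
    for dst in ("206.124.146.177", "206.124.146.20", "198.51.100.1", "192.168.3.7"):
        print(dst, "->", lookup(dst, table))
```

Note the asymmetry the lookup exposes: traffic to the DMZ host leaves eth1 with whatever address eth1 carries (no `src` on that host route), while traffic to any other 206.124.146.x host leaves eth2 with the explicit `src 206.124.146.176`. Giving eth1 that same external address, as Tom does, makes the firewall's source address identical in both cases.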