Hi all, I'm totally new to Shorewall and have only read through a limited amount of documentation. I have an idea for a new configuration of our server firewall and would like to know a general yes or no (give or take a few tips) on the concept. I will then go and read up in more detail when I come to implementing it. I always think that it's best to get a general idea from those who know first before wasting too much time. So thanks in advance to those who help.

At the moment we have 2 firewalls, one is for server hosting (mainly Windows boxes) which are all NAT'd on the same subnet (10.0.2.0/24) and the other is a local LAN (10.0.0.0/24). The two firewalls are connected together by a t-bone connection internally which allows for management of the servers. Each server has its own external interface and default gateway. Everything is done manually using bash scripts and iptables (very messy and hard to maintain). The LAN firewall is using Softwall and doesn't need to be too complicated.

Each server has its own real world IP address and separate subnet as an alias on the externally facing interface which is NAT'd and filtered for each service on the first firewall to the private IP of each internal server.

The main problem I have is that all the servers are sharing the same private subnet and can therefore see each other. From what I can tell from the documentation and examples, I could create a separate local zone for each external subnet/interface alias. Then what I would like to do is create rules which would effectively split each host internally so they do not see each other. However they will still be able to cross over the t-bone connection on the third interface to the second firewall for management. <take deep breath>

Unfortunately I don't see how this can be done using the existing internal IP address space, so it would be necessary to use different routable subnets, e.g.
123.123.123.0/28 (zone ext1) maps to 10.0.3.0/24 (zone loc1), 123.123.123.16/28 (zone ext2) maps to 10.0.4.0/24 (zone loc2) etc...

Another idea is to enable a VLAN'd network internally, perhaps using a zebra server running on the server firewall to distribute traffic. We use this approach outside the firewall for other individually managed servers and it works quite well. This however is done using Cisco equipment. I think it is necessary to have a combination of the two, to properly segment each machine's traffic.

I realise this will probably make no sense at all and I apologise in advance if I have completely misunderstood the docs. But any pointers or good recommendations of similar setups or example documentation would be very much appreciated.

Many thanks
Matt
Matt Baker wrote:
>
> At the moment we have 2 firewalls, one is for server hosting (mainly
> Windows boxes) which are all NAT'd on the same subnet (10.0.2.0/24) and
> the other is a local LAN (10.0.0.0/24). The two firewalls are connected
> together by a t-bone connection internally which allows for management
> of the servers. Each server has its own external interface and default
> gateway. Everything is done manually using bash scripts and iptables
> (very messy and hard to maintain). The LAN firewall is using Softwall
> and doesn't need to be too complicated.
>
> Each server has its own real world IP address and separate subnet as an
> alias on the externally facing interface which is NAT'd and filtered for
> each service on the first firewall to the private IP of each internal
> server.

So as I understand it:

            |                          |
      ______|______              ______|______
     |             |            |             |
     |    FW 1     |------------|    FW 2     |
     |_____________|            |_____________|
            |                          |
     Servers 10.0.2.0/24        Local Net 10.0.0.0/24

Each server is NATed to a separate public IP address of FW 1

> The main problem I have is that all the servers are sharing the
> same private subnet and can therefore see each other.

Oh $DEITY -- computers with eyes. What I presume you are complaining about is that there is no firewall separating the individual servers.

> From what I can
> tell from the documentation and examples is that I could create a
> separate local zone for each external subnet/interface alias. Then what
> I would like to do is create rules which would effectively split each
> host internally so they do not see each other.

Why not just put blindfolds on them?

> However they will still
> be able to cross over the t-bone connection on the third interface to
> the second firewall for management. <take deep breath>
>
> Unfortunately I don't see how this can be done using the existing internal IP
> address space so it would be necessary to use different routable subnets e.g.
> 123.123.123.0/28 (zone ext1) maps to 10.0.3.0/24 (zone loc1),
> 123.123.123.16/28 (zone ext2) maps to 10.0.4.0/24 (zone loc2) etc...
>
> Another idea is to enable a VLAN'd network internally perhaps using a
> zebra server running on the server firewall to distribute traffic.

I think that sounds like a better idea. Segregating the servers using IP subnetting is security by obscurity and nothing more; root on any of the servers would be able to access the other servers.

-Tom
--
Tom Eastep            \ Nothing is foolproof to a sufficiently talented fool
Shoreline,            \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
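As an added illustration of the approach Tom endorses (this is example configuration written for this thread, not Matt's setup or files shipped by the Shorewall project), the fragments below put each group of servers in its own 802.1Q VLAN behind the server firewall and give each VLAN its own Shorewall zone, so server-to-server traffic has to cross the firewall instead of staying on a shared segment. Assumptions: Shorewall 2.x-or-later file syntax; eth0 is the external interface carrying the public aliases; eth1 is a trunk to the server switch with sub-interfaces eth1.10 and eth1.20; eth2 is the t-bone link to FW 2 and the 10.0.0.0/24 LAN. The subnet mapping (123.123.123.0/28 to 10.0.3.0/24, 123.123.123.16/28 to 10.0.4.0/24) is Matt's; the individual server and public addresses (10.0.3.10, 10.0.4.10, 123.123.123.2, 123.123.123.18) and the published ports are constructed for the example.

```text
# /etc/shorewall/zones   (added example, Shorewall 2.x+ syntax assumed)
#ZONE   TYPE
fw      firewall
net     ipv4
# loc1: servers in VLAN 10, 10.0.3.0/24 (maps to 123.123.123.0/28)
loc1    ipv4
# loc2: servers in VLAN 20, 10.0.4.0/24 (maps to 123.123.123.16/28)
loc2    ipv4
# mgmt: t-bone link to FW 2 and the local LAN 10.0.0.0/24
mgmt    ipv4

# /etc/shorewall/interfaces
# eth1.10 / eth1.20 are VLAN sub-interfaces the OS creates on the trunk
# (assumed names). Each server switch port is an access port in exactly
# one VLAN, so servers in different zones share no broadcast domain.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
loc1    eth1.10     detect
loc2    eth1.20     detect
mgmt    eth2        detect

# /etc/shorewall/policy
# Anything not matched by an earlier line falls through to "all all REJECT",
# so loc1 <-> loc2 is refused and logged even though both hang off eth1.
#SOURCE DEST    POLICY    LOG LEVEL
mgmt    all     ACCEPT
loc1    net     ACCEPT
loc2    net     ACCEPT
fw      all     ACCEPT
net     all     DROP      info
all     all     REJECT    info

# /etc/shorewall/masq
# Outbound SNAT: each server leaves with its own public address, which is
# already configured as an alias on eth0 in this setup.
#INTERFACE  SOURCE      ADDRESS
eth0        10.0.3.10   123.123.123.2
eth0        10.0.4.10   123.123.123.18

# /etc/shorewall/rules
# Inbound: one DNAT per published service, keyed on the public address
# the client actually connected to (ORIGINAL DEST). Ports are constructed.
#ACTION SOURCE  DEST              PROTO   DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
DNAT    net     loc1:10.0.3.10    tcp     80,443        -               123.123.123.2
DNAT    net     loc2:10.0.4.10    tcp     25            -               123.123.123.18
```

The zone split only means something if the layer-2 split is real: the switch must trunk VLANs 10 and 20 to the firewall and place each server port in one VLAN, and the firewall host must create the sub-interfaces before Shorewall starts (on a current Linux box, `ip link add link eth1 name eth1.10 type vlan id 10`, then an address such as 10.0.3.1/24 on it). With servers still sharing one segment, as in the current 10.0.2.0/24 layout, they can reach each other without ever touching the firewall, which is exactly why per-subnet zones alone are no more than obscurity. Management here is only permitted from the mgmt side toward the servers; if the servers themselves must initiate connections across the t-bone link, add a `loc1 mgmt ACCEPT` (and loc2) policy line, or narrower rules, deliberately rather than widening `all all`.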
Tom Eastep wrote:
>> From what I can
>> tell from the documentation and examples is that I could create a
>> separate local zone for each external subnet/interface alias. Then what
>> I would like to do is create rules which would effectively split each
>> host internally so they do not see each other.
>
>
> Why not just put blindfolds on them?
>

BTW -- that was intended as a joke :-)

-Tom
--
Tom Eastep            \ Nothing is foolproof to a sufficiently talented fool
Shoreline,            \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
> So as I understand it:
>
>             |                          |
>       ______|______              ______|______
>      |             |            |             |
>      |    FW 1     |------------|    FW 2     |
>      |_____________|            |_____________|
>             |                          |
>      Servers 10.0.2.0/24        Local Net 10.0.0.0/24
>
> Each server is NATed to a separate public IP address of FW 1

Nice ASCII art, yes that's right.

> Oh $DEITY -- computers with eyes. What I presume you are complaining
> about is that there is no firewall separating the individual servers.

It's mostly for discovery apps. I would like each machine to not even be able to route to other corresponding subnets. I wonder if there's a way to do selective routing based on sources. Perhaps arptables (http://ebtables.sourceforge.net)?

> Why not just put blindfolds on them?

Not such a bad idea. If you blind them from the existence of the other networks (see above) it might just work.

> I think that sounds like a better idea. Segregating the servers using IP
> subnetting is security by obscurity and nothing more; root on any of the
> servers would be able to access the other servers.

Only if authentication schemes were the same; each server has a separate set of users/passwords/domains etc. Some servers are managed by 3rd parties, let's just say I don't entirely trust one or two of them. ;-)

Thanks for your input.

Matt
Matthew Baker wrote:
>
> Only if authentication schemes were the same; each server has a separate set
> of users/passwords/domains etc. Some servers are managed by 3rd parties,
> let's just say I don't entirely trust one or two of them. ;-)

All the more reason to avoid security by obscurity.

-Tom
--
Tom Eastep            \ Nothing is foolproof to a sufficiently talented fool
Shoreline,            \ http://shorewall.net
Washington USA        \ teastep@shorewall.net