Tom Eastep
2004-Jul-08 14:25 UTC
Re: Correctly establishing for two ethernet connections plus a lan
George,

Please keep this on the list. That way others can benefit from our discussion and it might save me from having to have this same conversation with another user later on.

> I've added the arp-filter option for both eth0 and eth1 (and changed
> eth1 to 'net').
>
> I keep running into the warning about not doing this, though. What are
> the ramifications in practical terms? Will it allow Shorewall to do its
> job???

In most cases, it is OK to connect interfaces that are associated with the same zone to the same HUB/Switch since it is typically not a problem if traffic within the zone bypasses the firewall. Setting arp_filter just makes sure that traffic destined for the firewall enters the firewall on the 'correct' interface.

> I then began looking at setting up the virtual interfaces with ip addr
> add, but this will require, I assume, that the existing ifcfg-eth2:*
> scripts be removed first to avoid confusion?

Why do that? You already have the aliases set up using some other method so why switch?

> And to try and complete the picture of what I have been working with
> thus far, the dns zone for dscdirectionalservices.com is served on the
> lan through: 192.168.0.1 nsd.dscdirectionalservices.com (which is also
> the internal firewall address and name server). In addition,
> 192.168.0.2 is mail.dscdirectionalservices.com and 192.168.0.3 is
> www.dscdirectionalservices.com. The same setup is repeated for
> 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24. Therefore, we need
> 2-way traffic for 192.168.*.2 for mail, and 192.168.*.3 for http. Does
> that help you make a recommendation? It seems to me that the 'Multiple
> Subnets' method would fit. Yes?

You have so far failed to answer my question regarding where the mail servers, etc. are running so I can only guess what you need.

I *think* that the servers are running on the Shorewall box in which case, the only relevant section of http://shorewall.net/Shorewall_and_Aliased_Interfaces.html is the one entitled "Separate Rules".

I would do something like this:

/etc/shorewall/params:

MTAS=192.168.0.2,192.168.1.2,192.168.2.2
WWW=192.168.0.3,192.168.1.3,192.168.2.3

/etc/shorewall/rules:

ACCEPT net $FW:$MTAS tcp 25
ACCEPT $FW net tcp 25 #Outbound email
ACCEPT loc $FW:$MTAS tcp 25

ACCEPT net $FW:$WWW tcp 80,443
ACCEPT loc $FW:$WWW tcp 80,443

And that's it. This is not nearly as complicated as you are trying to make it.

Note that using the Shell variables MTAS and WWW isn't required -- you could list the addresses directly in /etc/shorewall/rules; the way I show it is much cleaner though.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
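Expanding the params and rules Tom posted into one entry per address and port is a quick way to audit which firewall addresses each rule actually covers before loading it. This is an added example, not code from the thread or from Shorewall itself; it is a simplified stand-in for Shorewall's own expansion, handles only the five columns used in the posted rules, and assumes the default firewall zone name `fw` for `$FW`.

```python
# Added example (not from the thread or Shorewall): expand the posted
# Shorewall params/rules into (action, src, dst_zone, dst_addr, proto, port)
# tuples so the effective coverage can be audited. Inputs are inline copies.
import re

PARAMS = """
MTAS=192.168.0.2,192.168.1.2,192.168.2.2
WWW=192.168.0.3,192.168.1.3,192.168.2.3
"""

RULES = """
ACCEPT net $FW:$MTAS tcp 25
ACCEPT $FW net tcp 25 #Outbound email
ACCEPT loc $FW:$MTAS tcp 25
ACCEPT net $FW:$WWW tcp 80,443
ACCEPT loc $FW:$WWW tcp 80,443
"""

def load_params(text):
    """Parse NAME=value lines; $FW is assumed to be the default zone 'fw'."""
    params = {"FW": "fw"}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def expand_rules(rules_text, params):
    """Substitute $VARS, then split 'zone:addr1,addr2' and 'port1,port2'."""
    sub = lambda s: re.sub(r"\$(\w+)", lambda m: params[m.group(1)], s)
    out = []
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        action, src, dst, proto, ports = sub(line).split()
        zone, _, addrs = dst.partition(":")    # 'fw:a,b' -> zone fw, list a,b
        for addr in (addrs.split(",") if addrs else [None]):
            for port in ports.split(","):
                out.append((action, src, zone, addr, proto, int(port)))
    return out

def addresses_accepting(expanded, port):
    """Firewall-local addresses with an ACCEPT from the net zone on this port."""
    return sorted({r[3] for r in expanded
                   if r[0] == "ACCEPT" and r[1] == "net" and r[2] == "fw"
                   and r[3] is not None and r[5] == port})
```

Running `addresses_accepting` over the expanded rules shows, for instance, that the 192.168.3.0/24 addresses George mentioned are not in the posted lists, so nothing on that subnet would be reachable from net.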
G. Walsh
2004-Jul-08 19:02 UTC
Re: Correctly establishing for two ethernet connections plus a lan
Hi, Tom:

Sorry about the address - I just hit the reply button without seeing the change.

Once again, I have to thank you for your extended help and interest. I long suspected that things were getting way out of hand, but the more I read and tried to implement, the worse it all became. Too many cooks ....

You have made one of the finest attempts at documenting what for most of us is definitely 'the dark side' that I have encountered in the past 7 years of learning the differences between Linux and my old AT&T Unixes.

I'll have a chance to follow your detailed suggestions later this afternoon. There is only one machine here with the 3 nics, so your assumptions look valid to me. The mail, dns and web servers are all on the firewall machine.

Gratefully,

"George"

On Thu, 2004-07-08 at 07:25 -0700, Tom Eastep wrote:
> George,
>
> Please keep this on the list. That way others can benefit from our
> discussion and it might save me from having to have this same
> conversation with another user later on.
>
> > I've added the arp-filter option for both eth0 and eth1 (and changed
> > eth1 to 'net').
> >
> > I keep running into the warning about not doing this, though. What are
> > the ramifications in practical terms? Will it allow Shorewall to do its
> > job???
>
> In most cases, it is OK to connect interfaces that are associated with
> the same zone to the same HUB/Switch since it is typically not a problem
> if traffic within the zone bypasses the firewall. Setting arp_filter
> just makes sure that traffic destined for the firewall enters the
> firewall on the 'correct' interface.
>
> > I then began looking at setting up the virtual interfaces with ip addr
> > add, but this will require, I assume, that the existing ifcfg-eth2:*
> > scripts be removed first to avoid confusion?
>
> Why do that? You already have the aliases set up using some other method
> so why switch?
>
> > And to try and complete the picture of what I have been working with
> > thus far, the dns zone for dscdirectionalservices.com is served on the
> > lan through: 192.168.0.1 nsd.dscdirectionalservices.com (which is also
> > the internal firewall address and name server). In addition,
> > 192.168.0.2 is mail.dscdirectionalservices.com and 192.168.0.3 is
> > www.dscdirectionalservices.com. The same setup is repeated for
> > 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24. Therefore, we need
> > 2-way traffic for 192.168.*.2 for mail, and 192.168.*.3 for http. Does
> > that help you make a recommendation? It seems to me that the 'Multiple
> > Subnets' method would fit. Yes?
>
> You have so far failed to answer my question regarding where the mail
> servers, etc. are running so I can only guess what you need.
>
> I *think* that the servers are running on the Shorewall box in which
> case, the only relevant section of
> http://shorewall.net/Shorewall_and_Aliased_Interfaces.html is the one
> entitled "Separate Rules".
>
> I would do something like this:
>
> /etc/shorewall/params:
>
> MTAS=192.168.0.2,192.168.1.2,192.168.2.2
> WWW=192.168.0.3,192.168.1.3,192.168.2.3
>
> /etc/shorewall/rules:
>
> ACCEPT net $FW:$MTAS tcp 25
> ACCEPT $FW net tcp 25 #Outbound email
> ACCEPT loc $FW:$MTAS tcp 25
>
> ACCEPT net $FW:$WWW tcp 80,443
> ACCEPT loc $FW:$WWW tcp 80,443
>
> And that's it. This is not nearly as complicated as you are trying to
> make it.
>
> Note that using the Shell variables MTAS and WWW isn't required -- you
> could list the addresses directly in /etc/shorewall/rules; the way I
> show it is much cleaner though.
>
> -Tom
--
G. Walsh, Managing Director, DSC Directional Services Corp., Victoria, B.C., Canada