Hello:

A couple of months ago, I posted a similar message. Tom responded by saying that I would need a bridge configuration. I have gone through the documentation & am completely lost. I also have noticed that I need to patch the 2.4 kernel & make other modifications for bridge to work, which, if possible, I would like to avoid. I am posting this message to see if a non-bridge solution can be found:

My Setup:
=========
RH9, Shorewall 2.0 (installation date 4-30-2004)

                       To Internet
                        Backbone
                    ---------------
                          | T1
                          |
                      CISCO Router
                      12.21.237.0
                          |
          |--------------Hub-------------|
        eth0                  eth0            3Com
        12.21.237.10          12.21.237.11    Dial-in
        NS1 (DNS)             NS2 (DNS)       Modem
        Firewall(fw1)         Firewall(fw2)   Bank
        192.168.21.10         192.168.21.11
        eth1                  eth1
          |---- Hub ---- |
                 |
          |--------|--------------|-----------|
        eth0          eth0          eth0          eth0
        12.21.237.15  12.21.237.16  12.21.237.17  12.21.237.18
        RDX           DATA          MAIL          WEBS
        192.168.2.15  192.168.2.16  192.168.2.17  192.168.2.18
        eth1          eth1          eth1          eth1
          | ------- | ---- Hub ---- |----------- |

In the above diagram:
NS1 & NS2 are two name servers with Shorewall Firewall installed on them. In this configuration, I have named the Firewalls fw1 & fw2. There is also a 3Com modem box into which users dial in and are assigned IPs 12.21.237.48-239.

RDX (Radius Server), DATA (MySQL Data Server), MAIL & WEBS servers are in the DMZ. At the present time the DATA server is only accessed on the local net (192.168.2.X).

QUESTION:
=========
I have set up two firewalls, one each on NS1 & NS2, with their own Firewall name (fw1 & fw2). When I have both NS1 & NS2 booted, only ONE NS seems to work!! My basic question is, can this design work? Can it work without BRIDGE?

Thanks.

Kirti
On Monday 24 May 2004 02:31 pm, Kirti S. Bajwa wrote:
> Hello:

> QUESTION:
> =========
> I have set up two firewalls, one each on NS1 & NS2, with their own
> Firewall name (fw1 & fw2). When I have both NS1 & NS2 booted, only ONE
> NS seems to work!! My basic question is, can this design work? Can it
> work without BRIDGE?

Only one "works" in what way?

Inbound traffic is going to go wherever the Cisco sends it. Outbound traffic will go wherever the internal machine points to as its default gateway.

NS implies name servers. If running DNS on these boxes, ALL DNS requests will go to whatever the requesting station refers to as the primary, unless that does not respond; then they will fall over to the secondary.

But it's not clear what you mean by work? Traffic goes where it's told to go.

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
John Andersen wrote:
> On Monday 24 May 2004 02:31 pm, Kirti S. Bajwa wrote:
>
>> Hello:
>
>> QUESTION:
>> =========
>> I have set up two firewalls, one each on NS1 & NS2, with their own
>> Firewall name (fw1 & fw2). When I have both NS1 & NS2 booted, only ONE
>> NS seems to work!! My basic question is, can this design work? Can it
>> work without BRIDGE?
>
> Only one "works" in what way?
>
> Inbound traffic is going to go wherever the Cisco sends it.
> Outbound traffic will go wherever the internal machine points
> to as its default gateway.
>
> NS implies name servers. If running DNS on these boxes,
> ALL DNS requests will go to whatever the requesting station
> refers to as the primary, unless that does not respond; then
> they will fall over to the secondary.
>
> But it's not clear what you mean by work? Traffic goes
> where it's told to go.
>

And if both firewalls are Proxy ARPing the servers behind them, then complete chaos ensues...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Mon, 2004-05-24 at 18:31 -0400, Kirti S. Bajwa wrote:
> Hello:
>
> A couple of months ago, I posted a similar message. Tom responded by saying
> that I would need a bridge configuration. I have gone through the
> documentation & am completely lost. I also have noticed that I need to patch
> the 2.4 kernel & make other modifications for bridge to work, which, if possible,
> I would like to avoid. I am posting this message to see if a non-bridge
> solution can be found:
>
> My Setup:
> =========
> RH9, Shorewall 2.0 (installation date 4-30-2004)
>
>                        To Internet
>                         Backbone
>                     ---------------
>                           | T1
>                           |
>                       CISCO Router
>                       12.21.237.0
>                           |
>           |--------------Hub-------------|
>         eth0                  eth0            3Com
>         12.21.237.10          12.21.237.11    Dial-in
>         NS1 (DNS)             NS2 (DNS)       Modem
>         Firewall(fw1)         Firewall(fw2)   Bank
>         192.168.21.10         192.168.21.11
>         eth1                  eth1
>           |---- Hub ---- |
>                  |
>           |--------|--------------|-----------|
>         eth0          eth0          eth0          eth0
>         12.21.237.15  12.21.237.16  12.21.237.17  12.21.237.18
>         RDX           DATA          MAIL          WEBS
>         192.168.2.15  192.168.2.16  192.168.2.17  192.168.2.18
>         eth1          eth1          eth1          eth1
>           | ------- | ---- Hub ---- |----------- |
>
> In the above diagram:
> NS1 & NS2 are two name servers with Shorewall Firewall installed on them. In
> this configuration, I have named the Firewalls fw1 & fw2. There is also a 3Com
> modem box into which users dial in and are assigned IPs 12.21.237.48-239.
>
> RDX (Radius Server), DATA (MySQL Data Server), MAIL & WEBS servers are in the
> DMZ. At the present time the DATA server is only accessed on the local net
> (192.168.2.X).
>
> QUESTION:
> =========
> I have set up two firewalls, one each on NS1 & NS2, with their own Firewall
> name (fw1 & fw2). When I have both NS1 & NS2 booted, only ONE NS seems to
> work!! My basic question is, can this design work? Can it work without
> BRIDGE?
>

Personally, hell, I do this for a living so professionally too, I would suggest you re-address your internal addresses and port forward their respective services.

No bridging/proxy-arping would be necessary, so you would be running in the very traditional fashion. Don't forget KISS!

As far as one firewall not working, you don't offer any specifics so we can only speculate. My assumption is that inbound traffic is only going to one firewall. I also assume you are not running a routing protocol between the two firewalls and the router (don't, this is too simple a setup to merit it). You probably have a static route on the router pointing the 12.21.237.x network at one of the firewall addresses. IOS can round-robin between two routes if they match. There may be another config option that you need to set, but I don't recall. Ask Google.

BTW, are you multi-homing your internal boxes? If so, stop that! It looks like you are really over-complicating your environment.

--
David T Hollis <dhollis@davehollis.com>
David T Hollis wrote:
>>
>> QUESTION:
>> =========
>
> As far as one firewall not working, you don't offer any specifics so we
> can only speculate. My assumption is that inbound traffic is only going
> to one firewall. I also assume you are not running a routing protocol
> between the two firewalls and the router (don't, this is too simple a
> setup to merit it). You probably have a static route on the router
> pointing the 12.21.237.x network at one of the firewall addresses.
> IOS can round-robin between two routes if they match. There may be
> another config option that you need to set, but I don't recall. Ask
> Google.

Round-robin isn't so great when dealing with stateful firewalls unless IOS is caching these routing decisions and routing all subsequent traffic for that (source, destination) through the same firewall.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 2004-05-25 at 07:09 -0700, Tom Eastep wrote:
> David T Hollis wrote:
>
>>>
>>> QUESTION:
>>> =========
>>
>> As far as one firewall not working, you don't offer any specifics so we
>> can only speculate. My assumption is that inbound traffic is only going
>> to one firewall. I also assume you are not running a routing protocol
>> between the two firewalls and the router (don't, this is too simple a
>> setup to merit it). You probably have a static route on the router
>> pointing the 12.21.237.x network at one of the firewall addresses.
>> IOS can round-robin between two routes if they match. There may be
>> another config option that you need to set, but I don't recall. Ask
>> Google.
>
> Round-robin isn't so great when dealing with stateful firewalls unless
> IOS is caching these routing decisions and routing all subsequent
> traffic for that (source, destination) through the same firewall.
>
> -Tom

Good point. I think with some of the more advanced IOS', you can get some of that sticky capability, but then you do start getting away from the KISS principle and really just break more things. If he's using the two firewalls for redundancy, he'd be better off using Keepalived to provide VRRP for the firewall addresses. Since netfilter doesn't support state sync yet, he wouldn't have persistent connections, but most users wouldn't notice anything anyway.

--
David T Hollis <dhollis@davehollis.com>
David T Hollis wrote:
> On Tue, 2004-05-25 at 07:09 -0700, Tom Eastep wrote:
>>
>> Round-robin isn't so great when dealing with stateful firewalls unless
>> IOS is caching these routing decisions and routing all subsequent
>> traffic for that (source, destination) through the same firewall.
>>
>> -Tom
>
> Good point. I think with some of the more advanced IOS', you can get
> some of that sticky capability, but then you do start getting away from
> the KISS principle and really just break more things. If he's using the
> two firewalls for redundancy, he'd be better off using Keepalived to
> provide VRRP for the firewall addresses. Since netfilter doesn't
> support state sync yet, he wouldn't have persistent connections, but
> most users wouldn't notice anything anyway.
>

Agreed. And simply setting NEWNOTSYN=Yes in shorewall.conf makes the failover "relatively" painless.

Seems to me someone volunteered to write a HOWTO about keepalived and Shorewall but I don't recall having seen it yet.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
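The two points Tom and David make above, that per-packet round-robin across stateful firewalls loses mid-connection packets unless the router pins each (source, destination) to one firewall, and that failover without state sync only works if the surviving firewall admits non-SYN packets as NEW (Shorewall's NEWNOTSYN=Yes), modelled in Python as an added example that is not code from this thread or from Shorewall. The toy connection tracker, the `route` dispatcher and the six-packet TCP connection from a dial-in address to the MAIL server are constructed assumptions for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    syn: bool  # True only for the first packet of a TCP connection

class StatefulFirewall:
    """Minimal connection tracking (assumed model, not netfilter itself): a
    flow is tracked once its SYN has been seen, or once any packet has been
    seen when newnotsyn is on; an untracked non-SYN packet is dropped."""
    def __init__(self, name, newnotsyn=False):
        self.name, self.newnotsyn = name, newnotsyn
        self.tracked = set()
        self.up = True

    def forward(self, pkt):
        flow = (pkt.src, pkt.dst)
        if flow in self.tracked:
            return True                  # ESTABLISHED: matches tracked state
        if pkt.syn or self.newnotsyn:
            self.tracked.add(flow)       # NEW (NEWNOTSYN=Yes admits non-SYN too)
            return True
        return False                     # no state and not a SYN: dropped

def route(firewalls, packets, sticky):
    """Send each packet to a live firewall and return how many got through.
    sticky=False is per-packet round-robin between equal routes;
    sticky=True pins each (src, dst) to one firewall, the cached routing
    decision Tom describes."""
    forwarded = 0
    for i, pkt in enumerate(packets):
        alive = [fw for fw in firewalls if fw.up]
        key = hash((pkt.src, pkt.dst)) if sticky else i
        forwarded += alive[key % len(alive)].forward(pkt)
    return forwarded

def connection(n=6):
    """Constructed TCP connection: a dial-in client to the MAIL server."""
    return [Packet("12.21.237.50", "12.21.237.17", syn=(i == 0)) for i in range(n)]

def round_robin(sticky):
    fws = [StatefulFirewall("fw1"), StatefulFirewall("fw2")]
    return route(fws, connection(), sticky)

def failover(newnotsyn):
    """fw1 carries the first half of the connection, then dies; the rest
    reaches fw2, which has never seen the SYN (no state sync)."""
    fw1 = StatefulFirewall("fw1", newnotsyn)
    fw2 = StatefulFirewall("fw2", newnotsyn)
    pkts = connection()
    done = route([fw1], pkts[:3], sticky=True)
    fw1.up = False
    return done + route([fw1, fw2], pkts[3:], sticky=True)
```

round_robin(False) forwards only 3 of the 6 packets, round_robin(True) all 6; failover(False) forwards 3 and failover(True) all 6.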
Hello:

Since I posted this question, I have received some good suggestions. I am re-inserting the system diagram so that if someone is not following this post, they will also understand.

My Setup:
=========
RH9, Shorewall 2.0 (installation date 4-30-2004)

                       To Internet
                        Backbone
                    ---------------
                          | T1
                          |
                      CISCO Router
                      12.21.237.0
                          |
          |--------------Hub-------------|
        eth0                  eth0            3Com
        12.21.237.10          12.21.237.11    Dial-in
        NS1 (DNS)             NS2 (DNS)       Modem
        Firewall(fw1)         Firewall(fw2)   Bank
        192.168.21.10         192.168.21.11
        eth1                  eth1
          |---- Hub ---- |
                 |
          |--------|--------------|-----------|
        eth0          eth0          eth0          eth0
        12.21.237.15  12.21.237.16  12.21.237.17  12.21.237.18
        RDX           DATA          MAIL          WEBS
        192.168.2.15  192.168.2.16  192.168.2.17  192.168.2.18
        eth1          eth1          eth1          eth1
          | ------- | ---- Hub ---- |----------- |

First I want to clarify a few things:

1) I have two firewalls on Name Servers NS1 & NS2. I do not need redundancy. If one NS goes down, the other is still there to resolve names,
2) Each NS has Shorewall Firewall (fw1 & fw2), so any traffic coming & going passes through a firewall,
3) I am using Dr. DJB's "djbdns" instead of BIND to service internal & external name resolutions,
4) All requests from the NET are first processed by NS1 & if NS1 is down, then by NS2,
5) All internal requests are first handled by NS2 & if NS2 is down, then by NS1

Previously when I posted this design, I was told that I needed a bridge for it to work. I have read the documentation and I feel that this design should work.

A simple YES is fine. If there is a problem with this design/firewall, please let me know! If I have left out any information, I will be happy to provide it.

Consider me new to Shorewall.

Kirti

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, May 25, 2004 11:30 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] FW: Two Shorewall Firewalls!!!
Kirti S. Bajwa wrote:
> Hello:
>
> Since I posted this question, I have received some good suggestions. I am
> re-inserting the system diagram so that if someone is not following this
> post, they will also understand.
>
> My Setup:
> =========
> RH9, Shorewall 2.0 (installation date 4-30-2004)
>
>                        To Internet
>                         Backbone
>                     ---------------
>                           | T1
>                           |
>                       CISCO Router
>                       12.21.237.0
>                           |
>           |--------------Hub-------------|
>         eth0                  eth0            3Com
>         12.21.237.10          12.21.237.11    Dial-in
>         NS1 (DNS)             NS2 (DNS)       Modem
>         Firewall(fw1)         Firewall(fw2)   Bank
>         192.168.21.10         192.168.21.11
>         eth1                  eth1
>           |---- Hub ---- |
>                  |
>           |--------|--------------|-----------|
>         eth0          eth0          eth0          eth0
>         12.21.237.15  12.21.237.16  12.21.237.17  12.21.237.18
>         RDX           DATA          MAIL          WEBS
>         192.168.2.15  192.168.2.16  192.168.2.17  192.168.2.18
>         eth1          eth1          eth1          eth1
>           | ------- | ---- Hub ---- |----------- |
>
> First I want to clarify a few things:
>
> 1) I have two firewalls on Name Servers NS1 & NS2. I do not need redundancy.
> If one NS goes down, the other is still there to resolve names,
> 2) Each NS has Shorewall Firewall (fw1 & fw2), so any traffic coming & going
> passes through a firewall,
> 3) I am using Dr. DJB's "djbdns" instead of BIND to service internal &
> external name resolutions,
> 4) All requests from the NET are first processed by NS1 & if NS1 is down,
> then by NS2,
> 5) All internal requests are first handled by NS2 & if NS2 is down, then by
> NS1
>
> Previously when I posted this design, I was told that I needed a bridge for
> it to work. I have read the documentation and I feel that this design should
> work.
>
> A simple YES is fine. If there is a problem with this design/firewall,
> please let me know! If I have left out any information, I will be happy to
> provide it.
>
> Consider me new to Shorewall.
>

Kirti,

This thread has nothing to do with Shorewall -- it is about basic network design. You have heard our opinions -- I don't know what else we can tell you.

- You insist that we tell you if your design will work yet you haven't explained what you want the configuration to do. For example:

  - The dual firewall configuration invites us to think that you want to do load balancing or failover but you say no. So is it the case that only one of FW1/FW2 is configured to forward traffic?

  - You keep talking about the name servers and even (irrelevantly) mention which software you are using for them but you don't explain your rationale for placing the name servers on the firewall systems (or maybe it is the other way around). If FW1 and FW2 are truly firewalls (as opposed to servers running Shorewall), then running applications on them isn't recommended. If they are servers, then why aren't they configured parallel to the other servers? Why place them in the topology the way that you have?

- Both David and I have commented (unfavorably) about the dual-homed servers (I commented in the prior incarnation of this thread). That

- You say that when both firewall systems are booted, only one of the name servers works. You don't bother to say which one or whether it is only from internal or external clients that it doesn't work.

- David has raised the issue of routing but you have been silent on how you do that as well.

- If you are trying to use Proxy ARP somehow, I can pretty much assure you that WILL NOT WORK.

So if your question is "Can this design be made to work?" the answer is probably "Yes". If the question is "Is this a good design that [ the list ] is going to be happy to help me make work?", then the answer is most likely "No".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 2004-05-25 at 16:57 -0400, Kirti S. Bajwa wrote:
> Previously when I posted this design, I was told that I needed a bridge for
> it to work. I have read the documentation and I feel that this design should
> work.
>
> A simple YES is fine. If there is a problem with this design/firewall,
> please let me know! If I have left out any information, I will be happy to
> provide it.
>

There is a problem with this design. It makes no sense and you can't explain it properly. I look at enterprise network designs every day and they are much clearer than what you are trying to do. I really think you need to reconsider how you are designing this network.

If you post the diagram yet again, please include the subnet masks being used for the various devices. From what you have in the diagram, it seems like you are trying to have separate subnets but using internal and external addresses or something, and it just doesn't make sense. On some occasions there are reasons for this sort of design - you absolutely can't change other device addresses - but that is always a kludge.

--
David T Hollis <dhollis@davehollis.com>