Hello everyone,

I have been running over in my head and trying a few configurations that I would like to do but am not sure the best way to do this.

Here is my goal: I have cable modem service that gives IP addresses (non RFC-1918) out via DHCP and allows up to 5 addresses to be allocated per cable modem. What I want to do would work without question (or need of asking the list) if I had permanent IPs.

I want to create a DMZ with one machine that is fully accessible from the net like so, using

    (192.168.1.1) <---> (dhcp ip address)

I wanted to use proxyarp but this would only work if I knew my address ahead of time. I thought of proxyarp with the use of dhcprelay, but then I would have to know, of the many (I use Comcast), the DHCP server IP ahead of time.

So here is my dilemma: how to do what you would usually do with static IP addresses, using static IP addresses.

BTW, the purpose of this box is twofold: (1) I want to build a proxypot and supervise it via the FW, and (2) I want a second box that is fully accessible without firewall rules to get in the way when I do testing.

So far I have set up a bridged DMZ but this does not (as expected) do as I would like (no control over the incoming packets).

I am open to any type of suggestions or other information to put this together.

Cheers
Philip S. Hempel
Philip S. Hempel wrote:
>
> So far I have setup a bridged dmz but this does not (as expected) do as
> I would like (no control over the incoming packets).
>

Using Shorewall 2.0.1, you have complete control over the traffic through a bridge. See http://shorewall.net/bridge.html

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
On Thu, 2004-04-15 at 09:54, Tom Eastep wrote:
> Philip S. Hempel wrote:
> >
> > So far I have setup a bridged dmz but this does not (as expected) do as
> > I would like (no control over the incoming packets).
> >
>
> Using Shorewall 2.0.1, you have complete control over the traffic
> through a bridge. see http://shorewall.net/bridge.html
>

So you're saying I can treat the bridged interface just like any other interface?

> -Tom
Philip S. Hempel wrote:
> On Thu, 2004-04-15 at 09:54, Tom Eastep wrote:
>
>> Philip S. Hempel wrote:
>>
>>> So far I have setup a bridged dmz but this does not (as expected) do as
>>> I would like (no control over the incoming packets).
>>>
>>
>> Using Shorewall 2.0.1, you have complete control over the traffic
>> through a bridge. see http://shorewall.net/bridge.html
>>
>
> So you're saying I can treat the bridged interface just like any other
> interface?
>

Please read the document that I referred you to. It describes in detail how to handle bridged interfaces. Of necessity, a bridged ethernet interface cannot be handled in exactly the same way as "any other interface".

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
I would like to install Shorewall with three interfaces: one interface connected to the ADSL, another one with another ADSL (for backup), and the last one is the local zone.

Is it possible???

Can I find any guide or something to help me with that??

Thanks.
On Thu, 2004-04-15 at 10:13, Tom Eastep wrote:
> Philip S. Hempel wrote:
> > On Thu, 2004-04-15 at 09:54, Tom Eastep wrote:
> >
> >> Philip S. Hempel wrote:
> >>
> >>> So far I have setup a bridged dmz but this does not (as expected) do as
> >>> I would like (no control over the incoming packets).
> >>>
> >>
> >> Using Shorewall 2.0.1, you have complete control over the traffic
> >> through a bridge. see http://shorewall.net/bridge.html
> >>
> >
> > So your saying I can treat the bridged interface just like any other
> > interface?
> >
>
> Please read the document that I referred you to. It describes in detail
> how to handle bridged interfaces. Of necessity, a bridged ethernet
> interface cannot be handled in exactly the same way as "any other
> interface".

That is what I had understood from reading the document on how you set up bridging in Shorewall. I had gotten the idea in the first place to use the bridge because of 2.01. It seemed to be a "stopgap" measure for what I wanted. It was very simple to do following your instructions.

I just wanted to be sure that I understood that the bridged interfaces are "almost" "like any other interface" but can't be treated exactly like any other interface. Bridging is still bridging no matter where or on what platform you do it.

Thanks once again. I have put up almost 20 Shorewall boxes and I love how it keeps getting better!

> -Tom

--
Professional Network, Systems          (574) 261-2878
Security and Administration            Supporting UNIX, LINUX and Microsoft
http://linuxhardcore.com/              Since 1989
Philip S. Hempel wrote:
>
> That is what I had understood from reading the document on how you setup
> bridging in shorewall. I gotten the idea in the first place to use the
> bridge because of 2.01. It seemed to be a "stopgap" measure for what I
> wanted.

I believe that bridging is the best solution to your problem.

> Bridging is still bridging no matter where or
> on what platform you do it.

True -- although the bridge_nf facility makes bridged firewall implementation pretty easy.

>
> Thanks once again. I have put up almost 20 shorewall boxes and I love
> how it keeps getting better!
>

Thanks!

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
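[Added illustration, not part of the thread and not the Shorewall project's own text: what "complete control over the traffic through a bridge" looks like as a Shorewall 2.0-style configuration for the setup Philip describes. It is written from memory of the bridge document Tom points to, so treat the column layout and options as an assumption to be checked against http://shorewall.net/bridge.html. The port names eth0 (cable modem), eth1 (the DMZ host) and eth2 (the LAN), the bridge name br0, and the example ports are all made up for the illustration. The point of interest for the original question is that the bridge itself carries no zone; each packet's zone comes from the physical bridge port it entered on, so the DMZ host keeps its DHCP-assigned public address while every packet to and from it still passes through per-zone policy and logging.]

```text
# /etc/shorewall/shorewall.conf  (only the setting relevant here)
BRIDGING=Yes

# /etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet (cable modem side of the bridge)
dmz     DMZ       Bridged host with a public DHCP address, fully reachable but watched
loc     Local     Internal LAN (192.168.1.0/24 behind the firewall)

# /etc/shorewall/interfaces
# "-" in the ZONE column: the bridge is not a zone by itself; zones are
# assigned per bridge port in /etc/shorewall/hosts. routeback is needed
# because traffic can enter and leave through the same (bridge) interface.
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         detect      routeback

# /etc/shorewall/hosts
# Zone membership is decided by the physical port, not by IP address,
# which is why the DMZ host's address may change with every DHCP lease.
#ZONE   HOST(S)     OPTIONS
net     br0:eth0
dmz     br0:eth1
loc     br0:eth2

# /etc/shorewall/policy
# Inbound to the honeypot is deliberately wide open, but logged, so the
# firewall is the supervision point the poster asked for. Nothing from
# dmz reaches loc: that pair falls through to the final REJECT.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       dmz    ACCEPT   info
dmz       net    ACCEPT   info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Example of narrowing the open policy later without touching the host:
# one line here is enough to stop, say, outbound SMTP from the honeypot.
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
REJECT:info  dmz   net    tcp     25
```

In this arrangement "no control over the incoming packets" goes away: the net->dmz and dmz->net policies can be tightened rule by rule, and the log level on those policies gives the audit trail for the proxypot. The dmz->loc direction is never opened, so a compromised DMZ host still cannot reach the internal LAN through the bridge.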
Javier Pardo wrote:
> I would like to install Shorewall with three interfaces, one interface
> connected to the ADSL another one with another ADSL (for backup) and the
> last one it's the local zone.
>
> Is it possible???
>
> Can I find any guide or something to help me for that??
>

First set up your firewall using the two-interface guide (assuming that you have just a single IP address from your primary ISP). Then see FAQ 36.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
Tom Eastep wrote:
> Javier Pardo wrote:
>
>> I would like to install Shorewall with three interfaces, one interface
>> connected to the ADSL another one with another ADSL (for backup) and the
>> last one it's the local zone.
>>
>> Is it possible???
>>
>> Can I find any guide or something to help me for that??
>>
>
> First set up your firewall using the two-interface guide (assuming that
> you have just a single IP address from your primary ISP). Then see FAQ 36.
>

Ooops -- make that FAQ 32.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net