Bill.Light@kp.org
2003-Oct-09 13:29 UTC
[Shorewall-users] Shorewall configuration suggestions
Looking for suggestions:

I won't even attempt ASCII art....

1st - 3-NIC shorewall box:
- eth0 to DSL modem
- eth1 to 2nd 3-NIC shorewall
- eth2 to DMZ webserver (NAT 3 real IPs assigned by SBC)

2nd - 3-NIC shorewall box:
- eth0 to box above (1st 3-NIC)
- eth1 to local LAN (W2K and Linux boxes with samba PDC)
- eth2 to "DMZ" - semi-trusted work ISDN

webserver - also running shorewall (eth2 of 1st box)

I seem to be stepping all over myself and exponentially increasing /etc/shorewall/rules to accommodate cascading "shorewall" ... Are there any "examples" or should I just stick with the one-interface, two-interface, three-interface examples and kludge from there?

I have currently prohibited myself from running a Citrix client from any of my "local LAN" boxes and can only use that 2nd 3-NIC shorewall box. I'm not really comfortable with an all-all scenario once I get past that first box....
On Thu, 9 Oct 2003 13:14:28 -0700 Bill.Light@kp.org wrote....

> Looking for suggestions:
>
> I won't even attempt ASCII art....
>
> 1st - 3-NIC shorewall box:
> - eth0 to DSL modem
> - eth1 to 2nd 3-NIC shorewall
> - eth2 to DMZ webserver (NAT 3 real IPs assigned by SBC)
>
> 2nd - 3-NIC shorewall box:
> - eth0 to box above (1st 3-NIC)
> - eth1 to local LAN (W2K and Linux boxes with samba PDC)
> - eth2 to "DMZ" - semi-trusted work ISDN
>
> webserver - also running shorewall (eth2 of 1st box)
>
> I seem to be stepping all over myself and exponentially increasing
> /etc/shorewall/rules to accommodate cascading "shorewall" ... Are there
> any "examples" or should I just stick with the one-interface, two-
> interface, three-interface examples and kludge from there?
>
> I have currently prohibited myself from running a Citrix client from any
> of my "local LAN" boxes and can only use that 2nd 3-NIC shorewall box.
> I'm not really comfortable with an all-all scenario once I get past that
> first box....

I run 4 NICs in mine... Internet, DMZ, Local, and WLan... My Win boxes all hang off of WLan, and I use MAC authentication and WEP to help keep the neighbors off... It's just the kids on them, so I'm not concerned about deeper security than that.. Sure seems it was a lot easier to configure an extra zone than another box ;)

---
Homer Parker                    /"\  ASCII Ribbon Campaign
                                \ /  No HTML/RTF in email
http://www.homershut.net         x   No Word docs in email
telnet://bbs.homershut.net      / \  Respect for open standards

"Bill Gates reports on security progress made and the challenges ahead."
-- Microsoft's Homepage, on the day an SQL Server bug crippled large
sections of the Internet.
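As an added illustration of the "one box, several zones" approach Homer suggests, applied to the layout Bill describes (this is example configuration written for this page, not either poster's actual setup and not Shorewall project documentation): a single 4-NIC Shorewall box carries Bill's DMZ web server, local LAN and semi-trusted work link as separate zones, with a default-reject policy between every pair of zones so that only traffic named in rules crosses a boundary. The column layouts follow Shorewall 1.4-era files. The interface names, the 10.x.0.0/24 subnets, and the 192.0.2.0/24 block standing in for SBC's three real addresses are all assumptions; tcp/1494 is the Citrix ICA port.

```text
# /etc/shorewall/zones  (ZONE  DISPLAY  COMMENTS)  -- "fw" (the firewall itself) is predefined
net     Net             Internet via DSL (eth0)
dmz     DMZ             public web server(s)
loc     Local           workstations and samba PDC
wk      Work            semi-trusted work ISDN link

# /etc/shorewall/interfaces  (ZONE  INTERFACE  BROADCAST  OPTIONS)
# norfc1918 drops packets arriving from the DSL side with private source addresses
net     eth0            detect          norfc1918,routefilter,tcpflags
dmz     eth1            detect
loc     eth2            detect
wk      eth3            detect

# /etc/shorewall/policy  (SOURCE  DEST  POLICY  LOG LEVEL)
# No "all all ACCEPT": anything not listed in rules is rejected and logged,
# so adding a zone never silently opens a path between two existing zones.
fw      net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq  (INTERFACE  SUBNET)
# LAN and work link leave through the DSL link's primary address (assumed subnets)
eth0    10.1.0.0/24
eth0    10.3.0.0/24

# /etc/shorewall/nat  (EXTERNAL  INTERFACE  INTERNAL  ALL INTERFACES  LOCAL)
# One-to-one NAT for the three public addresses (192.0.2.0/24 is a stand-in
# for the provider block, 10.2.0.0/24 for the DMZ wire).
192.0.2.11      eth0    10.2.0.11       No      No
192.0.2.12      eth0    10.2.0.12       No      No
192.0.2.13      eth0    10.2.0.13       No      No

# /etc/shorewall/rules  (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# nat only rewrites addresses; the ports still have to be opened here,
# and the DMZ host is named by its internal address.
ACCEPT  net     dmz:10.2.0.11   tcp     80,443
ACCEPT  loc     dmz:10.2.0.11   tcp     80,443
# Workstations get an explicit service list instead of loc->net ACCEPT;
# 1494/tcp is Citrix ICA, so the client can run from the LAN.
ACCEPT  loc     net             tcp     22,25,80,110,443,1494
ACCEPT  loc     net             udp     53
# The semi-trusted work link reaches the Internet and nothing internal.
ACCEPT  wk      net             tcp     80,443
ACCEPT  wk      net             udp     53
# Admin access to the firewall from the LAN only.
ACCEPT  loc     fw              tcp     22
```

Run `shorewall check` before `shorewall restart` so a column error is caught without dropping the running ruleset. The point of the layout is the last policy line: with `all all REJECT` as the fallback, each zone pair has exactly one place where its rules live, instead of the same rules repeated on two cascaded boxes.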