Our company is moving and this allows me to dump our existing PIX firewall and use Shorewall on Linux which is working very well in a testbed environment. I do have a question about simple routing, however.

We have been assigned a /26 subnet (64 public IP addresses) by our ISP and I want to be able to use them behind the firewall (in the DMZ) as efficiently as possible; that is, I want as many of those addresses tied to actual boxes as I can manage. Reading the "Shorewall Setup Guide" section "5.1 Routed" seems to be close to what I want but I don't need to allocate any public IP addresses in the 'Local' zone. So, is it possible to setup routing so that (for instance) eth0 acts solely as the default gateway to the ISP, eth1 is the DMZ (as much of the /26 space as possible) and a 10.0.0.1 subnet for eth2?
On Tue, 22 Jul 2003 15:52:55 -0700, Bruce Butterfield <bab@entricom.com> wrote:

> Our company is moving and this allows me to dump our existing PIX
> firewall and use Shorewall on Linux which is working very well in a
> testbed environment. I do have a question about simple routing, however.
>
> We have been assigned a /26 subnet (64 public IP addresses) by our ISP
> and I want to be able to use them behind the firewall (in the DMZ) as
> efficiently as possible; that is, I want as many of those addresses tied
> to actual boxes as I can manage. Reading the "Shorewall Setup Guide"
> section "5.1 Routed" seems to be close to what I want but I don't need to
> allocate any public IP addresses in the 'Local' zone. So, is it possible
> to setup routing so that (for instance) eth0 acts solely as the default
> gateway to the ISP, eth1 is the DMZ (as much of the /26 space as
> possible) and a 10.0.0.1 subnet for eth2?
>

Yes -- please consult the Shorewall Setup Guide (http://www.shorewall.net/shorewall_setup_guide.htm). You will want to use ProxyARP in your DMZ (you may be able to use Proxy ARP subnetting -- again see the above URL).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 22 Jul 2003 19:39:49 -0700, Tom Eastep <teastep@shorewall.net> wrote:

>
> Yes -- please consult the Shorewall Setup Guide
> (http://www.shorewall.net/shorewall_setup_guide.htm). You will want to
> use ProxyARP in your DMZ (you may be able to use Proxy ARP subnetting --
> again see the above URL).
>

Sorry -- I didn't ready your post carefully the first time. You can use routing IF your ISP is routing all of your /64 through a single address (which you will assign to the external interface of your router). Otherwise, you must use proxy ARP. At the same time, you can use SNAT on your local network.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
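The layout Tom describes for the Proxy ARP case (eth0 to the ISP, eth1 a DMZ whose hosts carry public addresses from the /26, eth2 a private LAN behind SNAT) as a worked example. This is an added example, not code from the thread or from the Shorewall project: it writes a Shorewall 1.4-style zones/interfaces/policy/proxyarp/masq set into a directory you choose instead of /etc/shorewall, so it can be inspected before use. The prefix 203.0.113.0/26 is a constructed stand-in for the real ISP block, 10.0.0.0/24 is an assumed LAN subnet, and the helper functions (ip_to_int, in_subnet, gen_proxyarp, write_shorewall_config) are this example's own. The proxyarp generator refuses addresses outside the /26 and the block's network and broadcast addresses, which is the part most often got wrong when trying to use "as much of the /26 as possible".

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): generate a three-zone
# Shorewall configuration with a Proxy ARP DMZ on eth1 and SNAT for eth2.
set -eu

PUBLIC_BLOCK="203.0.113.0/26"   # assumed stand-in for the ISP-assigned /26
LAN_BLOCK="10.0.0.0/24"         # assumed private subnet behind eth2

# ip_to_int A.B.C.D -> unsigned 32-bit value (pure shell, no external tools).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR -> exit 0 if ADDR lies inside CIDR (CIDR must carry "/bits").
in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# gen_proxyarp HOST... -> one /etc/shorewall/proxyarp line per usable DMZ host.
# Skips anything outside the /26 and the network/broadcast addresses, which
# can never be handed to a host. HAVEROUTE=No lets Shorewall add the host
# route via eth1 itself.
gen_proxyarp() {
    netaddr=$(ip_to_int "${PUBLIC_BLOCK%/*}")
    bits=${PUBLIC_BLOCK#*/}
    bcast=$(( netaddr | ((1 << (32 - bits)) - 1) ))
    for h in "$@"; do
        n=$(ip_to_int "$h")
        if ! in_subnet "$h" "$PUBLIC_BLOCK" || [ "$n" -eq "$netaddr" ] || [ "$n" -eq "$bcast" ]; then
            echo "skipping $h: not a usable host address in $PUBLIC_BLOCK" >&2
            continue
        fi
        # ADDRESS          INTERFACE EXTERNAL HAVEROUTE
        printf '%-16s eth1 eth0 No\n' "$h"
    done
}

# write_shorewall_config DIR HOST... -> write the five config files into DIR.
write_shorewall_config() {
    dir=$1; shift
    mkdir -p "$dir"
    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet (eth0)
dmz     DMZ       Public /26 hosts (eth1, Proxy ARP)
loc     Local     Private LAN (eth2, SNAT)
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
dmz     eth1        detect
loc     eth2        detect
EOF
    cat > "$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
loc       dmz    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF
    # SNAT (masquerade) for the private LAN leaving via eth0.
    cat > "$dir/masq" <<EOF
#INTERFACE   SUBNET          ADDRESS
eth0         $LAN_BLOCK
EOF
    printf '#ADDRESS         INTERFACE EXTERNAL HAVEROUTE\n' > "$dir/proxyarp"
    gen_proxyarp "$@" >> "$dir/proxyarp"
}

# dmz_host_count DIR -> number of proxyarp entries actually written.
dmz_host_count() {
    grep -vc '^#' "$1/proxyarp"
}

# Stand-alone demo: sh this_file.sh --demo writes into ./shorewall-example.
if [ "${1:-}" = "--demo" ]; then
    write_shorewall_config "${SHOREWALL_DIR:-./shorewall-example}" 203.0.113.10 203.0.113.20
    echo "wrote $(dmz_host_count "${SHOREWALL_DIR:-./shorewall-example}") DMZ host(s)"
fi
```

Two points worth keeping in mind when sizing the DMZ this way: in the Proxy ARP arrangement the DMZ hosts are configured exactly as if they sat on the ISP link (their public address, the /26 mask, the ISP router as default gateway), and the firewall answers ARP for them on eth0; and out of the 64 addresses, the network and broadcast addresses are unusable and the ISP gateway and the firewall's own eth0 address each take one more, so the example's generator only ever emits entries for the remaining host addresses.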
On Tue, 22 Jul 2003 19:54:52 -0700, Tom Eastep <teastep@shorewall.net> wrote:

>
> Sorry -- I didn't ready your post carefully the first time.

That of course should have been "I didn't *read* your post carefully..."

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net