Hi all,

Brand new to the list, I first would like to congratulate and thank you Tom for the GREAT PIECE OF SOFTWARE you provide us with, and the DOCUMENTATION EFFORT you made. If all projects had this kind of support, linux counter would have exploded !!!

<note>
It would be a pleasure to make a french translation, I'll think about that and have a glimpse to my planning up to Xmas....
</note>

I run a 4 Linux Mandrake 9.0 boxes network:
  - 1 Firewall (static IP on ppp0 through eth0 - 172.16.0.1),
  - 1 Server (I'd like to be DMZed - in 10.10.0.0/24), tending to become a subnet of "One service Boxes", for www, mail, ftp, mysql, ...
  - 1 Workstation & 1 Laptop (local zone - 192.168.0.0/24).

I also would like to be able to access all my boxes from my laptop when I'm on the road.

I've read the docs, many times the 3-interfaces guide & Tom's config, and had a look at different (of the numerous !) threads about DNS issues in this list archive.

All that done, I can't figure what's the best choice (ease of setup, conf. flexibility) for DNS setup between:
  - running it on the FW or in the DMZ ?
  - running two DNS, one on the FW & one in the DMZ ?

All advice & tips will be greatly appreciated, as well as sample DNS configuration files for a simple setup like mine; a complete network setup tutorial (involving all services listed above) is on the way & will be GPLed as soon as first steps will be written and cleaned.

Once again thank you Tom for your work and time devotion. I'm always pleased to join another community; reading the list archive I've no doubt this one will be another good one ! ;-)

Waiting for your answers, I go back to the docs to glean pieces of info I'd have missed...

Jérémie

--
Future Is Free, Fight Against Bill & Friends
Linux User # 274160
Linux Boxes #157052, 157053, 157054
MandrakeClub Member
Personally, I run my DNS in my DMZ. The firewall should have as little running as possible. It is a simple process to make sure that all three legs can see the stuff on the dmz leg. Just define them in the rules file and it just works...

Dirk

On Thu, 10 Oct 2002 13:59:09 +0200 Tarax <cerbere@arkitekts.org> wrote:
> Hi all,
>
> Brand new to the list, I first would like to congratulate and thank
> you Tom for the GREAT PIECE OF SOFTWARE you provide us with, and the
> DOCUMENTATION EFFORT you made. If all projects had this kind of
> support, linux counter would have exploded !!!
>
> <note>
> It would be a pleasure to make a french translation, I'll think about
> that and have a glimpse to my planning up to Xmas....
> </note>
>
> I run a 4 Linux Mandrake 9.0 boxes network:
>   - 1 Firewall (static IP on ppp0 through eth0 - 172.16.0.1),
>   - 1 Server (I'd like to be DMZed - in 10.10.0.0/24), tending to
>     become a subnet of "One service Boxes", for www, mail, ftp, mysql, ...
>   - 1 Workstation & 1 Laptop (local zone - 192.168.0.0/24).
> I also would like to be able to access all my boxes from my laptop
> when I'm on the road.
> I've read the docs, many times the 3-interfaces guide & Tom's
> config, and had a look at different (of the numerous !) threads about
> DNS issues in this list archive.
> All that done, I can't figure what's the best choice (ease of
> setup, conf. flexibility) for DNS setup between:
>   - running it on the FW or in the DMZ ?
>   - running two DNS, one on the FW & one in the DMZ ?
>
> All advice & tips will be greatly appreciated, as well as sample DNS
> configuration files for a simple setup like mine; a complete network
> setup tutorial (involving all services listed above) is on the way &
> will be GPLed as soon as first steps will be written and cleaned.
>
> Once again thank you Tom for your work and time devotion. I'm
> always pleased to join another community; reading the list archive
> I've no doubt this one will be another good one ! ;-)
> Waiting for your answers, I go back to the docs to glean pieces of
> info I'd have missed...
>
> Jérémie
>
> --
> Future Is Free, Fight Against Bill & Friends
> Linux User # 274160
> Linux Boxes #157052, 157053, 157054
> MandrakeClub Member
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
Tarax wrote:
> I've read the docs, many times the 3-interfaces guide & Tom's config, and
> had a look at different (of the numerous !) threads about DNS issues in this
> list archive.

You might also take a look at the Setup Guide (http://www.shorewall.net/shorewall_setup_guide.htm). It offers some DNS solutions as well.

> All that done, I can't figure what's the best choice (ease of setup, conf.
> flexibility) for DNS setup between:
>   - running it on the FW or in the DMZ ?
>   - running two DNS, one on the FW & one in the DMZ ?

I prefer to run a DNS server in the DMZ and use Bind 9 views to provide different resolution for internal and external clients. It is a bit of work to set up but works very well. A sample config is included in the Setup Guide.

> All advice & tips will be greatly appreciated, as well as sample DNS
> configuration files for a simple setup like mine; a complete network setup
> tutorial (involving all services listed above) is on the way & will be GPLed
> as soon as first steps will be written and cleaned.

Cool!!!

> Once again thank you Tom for your work and time devotion. I'm always
> pleased to join another community; reading the list archive I've no doubt
> this one will be another good one ! ;-)

Welcome!

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hi,

THAT'S DONE !!! DNS running, Shorewall protected & DNATs working. WONDERFUL !

I finally chose to run my dns on the firewall. As I think it can help other folks out there, let me deal a little with my config.

I've one static IP, connecting to the Internet through PPPoE (ppp0), & modem plugged on eth0.

Created:
  - loc: eth1, 192.168.0.0/24,
  - dmz: eth2, 10.10.0.0/24 (http, ftp, mail, mysql servers),
  - hq:  eth0, 172.16.0.0/24 (dns, dhcp, snmp, ntp servers).

I used Bind "Views" to setup my dns, as Tom advised me, even if external/internal views are actually the same, as one of my main goals was to build an evolutive architecture.

As I don't know if it'd be convenient to post my conf files here, people interested should ask me & I'll provide them with pleasure.

Once again many thanks for advice, links, and docs.

Now time to fine tune the setup. I'm going to scan my logs to see what needs further attention.

Those looking for a GUI for shorewall should look @ mandrake's new firewalling solution called MultiNetwork Firewall, which is heavily based on shorewall, & provides a web admin interface called NAAT. Folks @ Mdk have even made a howto for a network setup of MNF, available @ http://people.mandrakesoft.com/~amaury/mnf/9.0.php

C u soon, & thanks again

Jérémie

On Thursday 10 October 2002 14:57, Tom Eastep wrote:
> Tarax wrote:
> > I've read the docs, many times the 3-interfaces guide & Tom's config,
> > and had a look at different (of the numerous !) threads about DNS issues
> > in this list archive.
>
> You might also take a look at the Setup Guide
> (http://www.shorewall.net/shorewall_setup_guide.htm). It offers some DNS
> solutions as well.
>
> > All that done, I can't figure what's the best choice (ease of setup,
> > conf. flexibility) for DNS setup between:
> >   - running it on the FW or in the DMZ ?
> >   - running two DNS, one on the FW & one in the DMZ ?
>
> I prefer to run a DNS server in the DMZ and use Bind 9 views to provide
> different resolution for internal and external clients. It is a bit of
> work to set up but works very well. A sample config is included in the
> Setup Guide.
>
> > All advice & tips will be greatly appreciated, as well as sample DNS
> > configuration files for a simple setup like mine; a complete network
> > setup tutorial (involving all services listed above) is on the way & will
> > be GPLed as soon as first steps will be written and cleaned.
>
> Cool!!!
>
> > Once again thank you Tom for your work and time devotion. I'm always
> > pleased to join another community; reading the list archive I've no doubt
> > this one will be another good one ! ;-)
>
> Welcome!
>
> -Tom

--
Future Is Free, Fight Against Bill & Friends
Linux User # 274160
Linux Boxes #157052, 157053, 157054
MandrakeClub Member
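What Tom's advice and Jérémie's final setup amount to in practice (a Bind 9 views split so internal and external clients get different answers), written out here as an added example that is not the thread's own config nor the Shorewall Setup Guide sample; the zone name example.org, the file paths and the choice of which networks count as internal are assumptions:

```conf
// named.conf fragment, constructed example (not from the thread).
// Jérémie's three zones plus the firewall itself are "internal";
// everything arriving from the Internet side (ppp0) is "external".
acl internal { 127.0.0.1; 192.168.0.0/24; 10.10.0.0/24; 172.16.0.0/24; };

options {
    directory "/var/named";
    allow-transfer { none; };   // no zone transfers unless a secondary is added
};

// Views are tried in order and the first match-clients that fits wins,
// so the internal view must be listed before the catch-all external one.
view "internal" {
    match-clients { internal; };
    recursion yes;                          // resolve the Internet for our own hosts
    allow-recursion { internal; };
    zone "." { type hint; file "named.ca"; };
    zone "example.org" {                    // example.org is an assumed zone name
        type master;
        file "internal/example.org.zone";   // answers with 10.10.0.x / 192.168.0.x
    };
    zone "0.10.10.in-addr.arpa" {           // reverse zone for the dmz subnet
        type master;
        file "internal/10.10.0.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                           // never act as an open resolver
    zone "example.org" {
        type master;
        file "external/example.org.zone";   // same names, but only the public IP on ppp0
    };
};
```

Shorewall still has to let the zones reach the resolver: whichever zone hosts named (fw in Jérémie's case, dmz in Tom's and Dirk's) needs ACCEPT entries for udp and tcp port 53 from the client zones in the rules file, and the private-address zone file must only ever be served from the internal view.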