I am deploying a new network layout and I am wondering what the best approach is here. I have an SDSL line with 16 public IPs (ain't I a lucky sob?). I have a 3-interface Linux box which will do the work. Basically I will have mail/web/DNS servers living in the DMZ, so that's one interface; one interface must talk to the SDSL, so that's two; and the third is obviously all our internal systems.

Now, what I want to do is divide the hosts on our network between a few different policies:

1. only local access
2. net access on ports 80 and 443
3. full masqueraded access

So, is this where I want to be looking at sub-zones, or do I set the policy for loc to block all access to net and use rules to create exceptions for types 2 & 3? (The classification can be done on host IP.)

And as for the hosts in the DMZ, what are your personal feelings about using static NAT or Proxy ARP?
Jan Johansson wrote:

> So, is this where I want to be looking at sub-zones, or do I set the
> policy for loc to block all access to net and use rules to create
> exceptions for types 2 & 3? (The classification can be done on host IP.)

I would use subzones.

> And as for the hosts in the DMZ, what are your personal feelings about
> using static NAT or Proxy ARP?

I prefer Proxy ARP because the hosts in your DMZ are known by only one address, not two. You will only need to use Proxy ARP if your /28 is unrouted (see http://www.shorewall.net/shorewall_setup_guide.htm).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> I would use subzones.

Am I blind, or are subzones something that isn't really documented on the site? I can't find any real examples of this.

> I prefer Proxy ARP because the hosts in your DMZ are known by only one
> address, not two. You will only need to use Proxy ARP if your /28 is
> unrouted (see http://www.shorewall.net/shorewall_setup_guide.htm).

Proxy ARP it will be, thank you.

On a side note, I don't have any problem convincing my employers to spend megabucks on various IT projects, but when I submitted a Purchase Request to make a donation as suggested on the website, the questions and funny looks started.. *gah*
Jan Johansson wrote:

>> I would use subzones.
>
> Am I blind, or are subzones something that isn't really documented on
> the site? I can't find any real examples of this.

See my last post in the thread entitled "need more rules when using IPSEC". It is also documented in the Shorewall Reference Manual (http://www.shorewall.net/Documentation.htm) under "Nested or Overlapping Zones" and "The CONTINUE Policy", is shown in my configuration (http://www.shorewall.net/myfiles.htm) and in the Whitelisting description (http://www.shorewall.net/whitelisting_under_shorewall.htm).

-Tom
> See my last post in the thread entitled "need more rules when using
> IPSEC". It is also documented in the Shorewall Reference Manual
> (http://www.shorewall.net/Documentation.htm) under "Nested or Overlapping
> Zones" and "The CONTINUE Policy", is shown in my configuration
> (http://www.shorewall.net/myfiles.htm) and in the Whitelisting description
> (http://www.shorewall.net/whitelisting_under_shorewall.htm).

I am still a bit lost. Suppose I would like to have my LOC divided into 5 subzones, call them A, B, C, D and E, with the following division:

192.168.221.1   - 192.168.221.50  in A
192.168.221.51  - 192.168.221.100 in B
192.168.221.101 - 192.168.221.150 in C
192.168.221.151 - 192.168.221.200 in D
192.168.221.201 - 192.168.221.254 in E

How do I define such a beast? And I still want all the subzones to just be "fully open" to all the other subzones.
Jan Johansson wrote:

> I am still a bit lost. Suppose I would like to have my LOC divided into
> 5 subzones, call them A, B, C, D and E, with the following division:
>
> 192.168.221.1   - 192.168.221.50  in A
> 192.168.221.51  - 192.168.221.100 in B
> 192.168.221.101 - 192.168.221.150 in C
> 192.168.221.151 - 192.168.221.200 in D
> 192.168.221.201 - 192.168.221.254 in E
>
> How do I define such a beast?

The above is too ugly to contemplate -- if you are going to break your network into zones, at least do it on subnet boundaries (make the size of your zones a power of two and make the beginning address a multiple of the size). Netfilter doesn't support rules that include IP-address ranges, so the range 1-50 must be broken up into:

1 2 3 4 5 6 7 8-15 16-31 32-47 48 49

Gag....

Contrast that to a zone consisting of 0-63 -- that can be defined as a single entry! This becomes important because if you have two zones with 12 hosts file entries (as above) and you want to allow those zones to communicate, that becomes 12 * 12 = 144 rules!!!

-Tom
> The above is too ugly to contemplate -- if you are going to break your
> network into zones, at least do it on subnet boundaries (make the size of
> your zones a power of two and make the beginning address a multiple of the
> size). Netfilter doesn't support rules that include IP-address ranges, so
> the range 1-50 must be broken up into:

[snip]

Ok, that looked ugly indeed. Subnetting it is, then, I suppose.

> Gag....
>
> Contrast that to a zone consisting of 0-63 -- that can be defined as a
> single entry! This becomes important because if you have two zones with 12
> hosts file entries (as above) and you want to allow those zones to
> communicate, that becomes 12 * 12 = 144 rules!!!

144? Hmm, let's not do that.

Then I guess I would also need multiple IPs on the LOC interface and such.. but that would be a much cleaner interface. I think I need to wake up now.
Jan Johansson wrote:

> Ok, that looked ugly indeed. Subnetting it is, then, I suppose.
>
> [...]
>
> 144? Hmm, let's not do that.
>
> Then I guess I would also need multiple IPs on the LOC interface and
> such.. but that would be a much cleaner interface. I think I need to
> wake up now.

No, no, no -- you don't need to actually subnet; you just need to make your zones have a size that is a power of two and have the beginning address be a multiple of the size. That way, they can be described easily to Shorewall.

-Tom
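The two points Tom makes above (an arbitrary range costs many hosts-file entries while an aligned power-of-two block costs one, and rule counts multiply per entry pair; and you do not need to re-subnet the interface to get there) can be checked with a short script. This is an added example written for this page, not code from the thread or from Shorewall. It uses the standard library to split a range into the minimum number of CIDR blocks, to build a zone the way Tom describes (and refuse one that is not aligned), and to count rules; the five-zone layouts below and the one-rule-per-(source entry, destination entry) cost model are assumptions for illustration.

```python
"""Added example: what "power of two size, start a multiple of the size" buys.

The iptables of the day matched on address/mask only, so every Shorewall zone
made from part of an interface had to be listed as CIDR blocks.  This script
shows how many blocks an arbitrary range needs, checks Tom's alignment rule,
and counts the rules needed to let zones talk to each other.  The cost model
(one rule per source-entry/destination-entry pair) is an assumption made to
illustrate the "12 * 12 = 144" remark, not Shorewall's exact compiler output.
"""
import ipaddress
from itertools import permutations


def cidr_blocks(first, last):
    """Minimal CIDR decomposition of the inclusive range first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def aligned_zone(start, size):
    """A zone as a single CIDR block, Tom's way: size must be a power of
    two and start a multiple of size.  Raises ValueError otherwise."""
    if size <= 0 or size & (size - 1):
        raise ValueError(f"zone size {size} is not a power of two")
    if int(ipaddress.ip_address(start)) % size:
        raise ValueError(f"{start} is not a multiple of {size}")
    prefix = 33 - size.bit_length()          # size == 2 ** (32 - prefix)
    return ipaddress.ip_network(f"{start}/{prefix}", strict=True)


def rules_between(src, dst):
    """Rules to allow src -> dst: one per (source entry, destination entry)."""
    return len(src) * len(dst)


def full_mesh_rules(zones):
    """Rules to let every zone reach every other zone, in both directions."""
    return sum(rules_between(zones[a], zones[b])
               for a, b in permutations(zones, 2))


# Constructed input: the 1-50 / 51-100 / ... split asked about in the thread.
UGLY_RANGES = {
    "A": ("192.168.221.1", "192.168.221.50"),
    "B": ("192.168.221.51", "192.168.221.100"),
    "C": ("192.168.221.101", "192.168.221.150"),
    "D": ("192.168.221.151", "192.168.221.200"),
    "E": ("192.168.221.201", "192.168.221.254"),
}
UGLY_ZONES = {name: cidr_blocks(lo, hi) for name, (lo, hi) in UGLY_RANGES.items()}

# Same /24 on the same interface, still five zones, no re-subnetting: each
# zone is a power-of-two block that starts on a multiple of its size.
ALIGNED_ZONES = {
    "A": [aligned_zone("192.168.221.0", 64)],     # .0   - .63
    "B": [aligned_zone("192.168.221.64", 64)],    # .64  - .127
    "C": [aligned_zone("192.168.221.128", 64)],   # .128 - .191
    "D": [aligned_zone("192.168.221.192", 32)],   # .192 - .223
    "E": [aligned_zone("192.168.221.224", 32)],   # .224 - .255
}

if __name__ == "__main__":
    for name, blocks in UGLY_ZONES.items():
        print(f"{name}: {len(blocks):2d} hosts entries:",
              " ".join(str(b) for b in blocks))
    print("A -> B rules, ranges:  ", rules_between(UGLY_ZONES["A"], UGLY_ZONES["B"]))
    print("full mesh, ranges:     ", full_mesh_rules(UGLY_ZONES))
    print("full mesh, aligned:    ", full_mesh_rules(ALIGNED_ZONES))
```

`summarize_address_range` returns the minimal decomposition, so .1-.50 comes out as 8 blocks (.2-.3 and .4-.7 collapse into /31 and /30); the hand-written list in the mail is longer but makes the same point, and the full mesh over the five ranges still needs over a thousand rules against 20 for the aligned layout. One caveat for anyone reading this today: later netfilter releases added an iprange match (`-m iprange --src-range`), so the "no ranges" limitation is specific to the iptables of the time; the alignment advice still keeps rule sets small and easy to audit.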
> No, no, no -- you don't need to actually subnet; you just need to make your
> zones have a size that is a power of two and have the beginning address be
> a multiple of the size. That way, they can be described easily to
> Shorewall.

Oh, how... useful :)
Jan Johansson wrote:

>> No, no, no -- you don't need to actually subnet; you just need to make
>> your zones have a size that is a power of two and have the beginning
>> address be a multiple of the size. That way, they can be described easily
>> to Shorewall.
>
> Oh, how... useful :)

If you don't like that answer, you can always lobby the Netfilter team to implement IP address ranges in iptables rules.

-Tom
> If you don't like that answer, you can always lobby the Netfilter team to
> implement IP address ranges in iptables rules.

No no no.. quite the opposite. It was more an indication that I should have THOUGHT before typing.. Not to mention actually _liking_ that part of Shorewall's "thinking", so to speak. Let's say I am used to FW platforms that are way more "strict" in how things are done..
j2 wrote:

>> If you don't like that answer, you can always lobby the Netfilter team to
>> implement IP address ranges in iptables rules.
>
> No no no.. quite the opposite. It was more an indication that I should
> have THOUGHT before typing.. Not to mention actually _liking_ that part of
> Shorewall's "thinking", so to speak. Let's say I am used to FW platforms
> that are way more "strict" in how things are done..

Thanks for the clarification.

-Tom