Hi all... hope someone can help me here. I tried looking for help in the archive, but didn't come up with what I wanted. Anyways, here's my problem. I've been issued a batch of IPs, and they're on two different subnets. So I have two different gateways, and two different subnets of IPs, and one firewall. My firewall has two NIC cards, and I use proxyarp to map the IPs to the servers (saves me from some hassles). My question is this: is it possible to add the different subnet of my external IP to the same firewall? My external nic is eth0, and the internal is eth1. Hope someone could help me with this.

Ken.

__________________________________________________
Do You Yahoo!?
Yahoo! Health - your guide to health and wellness
http://health.yahoo.com
I am on a local lan and I only wish to allow certain ip's internet access. Right now, I have a policy:

Loc net drop

Then I just have rules

loc:192.168.0.100 net all

Is this the best way to accomplish my task?

---
Aaron Axelsen
AIM: AAAK2
Email: axelseaa@amadmax.com
URL: www.amadmax.com

"It said, "Insert disk #3," but only two will fit!"
"One picture is worth 128K words."
Aaron Axelsen wrote:
> I am on a local lan and I only wish to allow certain ip's internet
> access. Right now, I have a policy:
>
> Loc net drop
>
> Then I just have rules
>
> loc:192.168.0.100 net all
>
> Is this the best way to accomplish my task?

Does that even work? I didn't think you could use 'all' as the target of a rule. If I were doing this for more than a few IPs, I would probably make a separate zone for privileged local clients and change the policies for that zone.

Paul
http://paulgear.webhop.net
Arien Monster wrote:
> ...
> Anyways, here's my problem. I've been issued a batch
> of IPs, and they're on two different subnets. So I
> have two different gateways, and two different subnets
> of IPs, and one firewall. My firewall has two NIC
> cards, and I use proxyarp to map the IPs to the
> servers (saves me from some hassles). My question is
> this: is it possible to add the different subnet of my
> external IP to the same firewall? My external nic is
> eth0, and the internal is eth1. Hope someone could
> help me with this.

I'm not fully understanding what you're asking. Can you give some examples with dummy IP numbers?

--
Paul
http://paulgear.webhop.net
On Fri, 3 May 2002, Paul Gear wrote:
> Aaron Axelsen wrote:
>
> > Loc net drop
> >
> > Then I just have rules
> >
> > loc:192.168.0.100 net all
> >
> > Is this the best way to accomplish my task?
>
> Does that even work? I didn't think you could use 'all' as the target
> of a rule.

Yes -- it is allowed so long as at least one of the two zones is qualified as in Aaron's rule (loc is qualified with 192.168.0.100).

> If I were doing this for more than a few IPs, I would probably make a
> separate zone for privileged local clients and change the policies for
> that zone.

That would be my preference as well.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
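The two approaches discussed in this exchange, side by side, as an added example (this is not code from the thread, from Aaron or Tom, or from the Shorewall project): Aaron's per-host ACCEPT rules under a loc->net DROP policy, and the separate privileged zone that Paul and Tom prefer. File layouts follow the Shorewall 1.x column conventions of the time; the zone name "priv", the addresses and the directory the files are written to are all made up, and the zone-ordering check encodes an assumption (a sub-zone must be listed before the zone that contains it) that you should confirm against the Shorewall version you actually run.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): two ways to let only
# selected LAN hosts reach the Internet. Column layouts follow Shorewall 1.x;
# zone name "priv" and all addresses are constructed.
set -eu

# Option 1 (Aaron's): default-drop policy plus one ACCEPT rule per host.
# Tom confirms it works because the loc side of the rule is qualified with an
# address; the cost is one rule per privileged host, with intent hidden in
# the rules file.
write_per_host_rules() {
    dir=$1
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE              DEST    PROTO   DEST PORT(S)
ACCEPT  loc:192.168.0.100   net     all
ACCEPT  loc:192.168.0.101   net     all
EOF
}

# Option 2 (Paul's and Tom's preference): a dedicated "priv" zone on eth1.
# eth1 gets "-" as its zone so /etc/shorewall/hosts decides which zone each
# address belongs to, and the policy is then stated once per zone.
write_priv_zone() {
    dir=$1
    # Assumption: priv is a subset of the eth1 address space, so it is listed
    # before loc so that its hosts are classified as priv, not loc.
    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
priv    Privileged      LAN hosts allowed out
loc     Local           Remaining LAN hosts
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
-       eth1        detect
EOF
    cat > "$dir/hosts" <<'EOF'
#ZONE   HOST(S)                 OPTIONS
priv    eth1:192.168.0.100
priv    eth1:192.168.0.101
loc     eth1:192.168.0.0/24
EOF
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
priv    net     ACCEPT
loc     net     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF
}

# Sanity check worth keeping in a deploy script: returns success only when
# zone $2 is listed before zone $3 in $1/zones.
subzone_precedes() {
    sub_line=$(grep -n "^$2[[:space:]]" "$1/zones" | cut -d: -f1 || true)
    parent_line=$(grep -n "^$3[[:space:]]" "$1/zones" | cut -d: -f1 || true)
    [ -n "$sub_line" ] && [ -n "$parent_line" ] && [ "$sub_line" -lt "$parent_line" ]
}

# Stand-alone demo: write the zone-based variant to a scratch directory,
# check the ordering, and show the resulting files.
demo_dir=$(mktemp -d)
write_priv_zone "$demo_dir"
subzone_precedes "$demo_dir" priv loc && echo "zones file ordering OK"
for f in zones interfaces hosts policy; do
    echo "== $f =="
    cat "$demo_dir/$f"
done
rm -rf "$demo_dir"
```

Copying the generated files into /etc/shorewall and running `shorewall restart` is left to the reader; the point of the check function is that getting the zone order wrong silently lands every privileged host in loc, where the DROP policy applies.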
On Thu, 2 May 2002, Arien Monster wrote:
>
> hope someone can help me here. I tried looking for
> help in the archive, but didn't come up with what I
> wanted.

I'm not surprised -- I don't recall this ever coming up before.

>
> Anyways, here's my problem. I've been issued a batch
> of IPs, and they're on two different subnets. So I
> have two different gateways, and two different subnets
> of IPs, and one firewall. My firewall has two NIC
> cards, and I use proxyarp to map the IPs to the
> servers (saves me from some hassles). My question is
> this: is it possible to add the different subnet of my
> external IP to the same firewall? My external nic is
> eth0, and the internal is eth1. Hope someone could
> help me with this.
>

I haven't tried this but it should work.

a) Add the second gateway address to eth0 with no subnet.
b) Add the same address to eth1 along with its subnet.
c) Add the second subnet to /etc/shorewall/proxyarp with the "HAVEROUTE" column set to "Yes". Alternatively, simply arrange for both eth0 and eth1 to have the proxy_arp flag set in /proc/sys/net/ipv4/conf and don't fool with Shorewall's proxy ARP config (You will have to have defined your other subnet locally in the same way).

You have two choices for how to let the two subnets communicate:

1) Define a new subnet route on each local system to allow direct communication.
2) Route through your firewall:

   - set the 'multi' option on eth1 in /etc/shorewall/interfaces
   - add a loc->loc ACCEPT policy.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
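Tom's steps (a) through (c), the kernel proxy_arp alternative and option 2 for inter-subnet traffic, laid out as one script. This is an added example, not Tom's or Shorewall's own code: the interface names come from the thread, every address is constructed from the TEST-NET-1 range, the proxyarp column layout (ADDRESS INTERFACE EXTERNAL HAVEROUTE) is the Shorewall 1.x one, and the "second gateway address" is taken to mean the firewall's own address inside the new subnet, which the servers in that subnet use as their default gateway. By default the script only prints the ip(8) commands and config lines; with APPLY=1 it runs the commands, which needs root.

```shell
#!/bin/sh
# Added example (not Tom's or Shorewall's code): second public subnet behind
# a proxy-ARP firewall, following the steps in the thread. Addresses are
# constructed (TEST-NET-1); eth0/eth1 are the interfaces named in the thread.
set -eu

EXT_IF=eth0                            # external NIC (from the thread)
INT_IF=eth1                            # internal NIC (from the thread)
NET2=192.0.2.64/27                     # second subnet from the ISP (constructed)
GW2_ADDR=192.0.2.65                    # firewall address in NET2; servers' gateway (constructed)
NET2_SERVERS="192.0.2.70 192.0.2.71"   # servers on eth1 carrying NET2 addresses (constructed)

# "192.0.2.64/27" -> "27"
prefix_of() { printf '%s\n' "${1#*/}"; }

# Steps (a) and (b): the same address on both NICs. Only the eth1 copy
# carries the prefix, so the kernel's route for NET2 points at eth1 and the
# /32 on eth0 does not compete with it.
address_commands() {
    printf 'ip addr add %s/32 dev %s\n' "$GW2_ADDR" "$EXT_IF"
    printf 'ip addr add %s/%s dev %s\n' "$GW2_ADDR" "$(prefix_of "$NET2")" "$INT_IF"
}

# Step (c): one /etc/shorewall/proxyarp line per server. HAVEROUTE=Yes
# because step (b) already created the route to NET2 via eth1, so Shorewall
# must not add its own host route.
proxyarp_entry() {
    printf '%s\t%s\t%s\tYes\n' "$1" "$INT_IF" "$EXT_IF"
}

proxyarp_entries() {
    for s in $NET2_SERVERS; do proxyarp_entry "$s"; done
}

# Tom's alternative to (c): kernel proxy ARP on both NICs, leaving
# Shorewall's proxyarp file alone.
kernel_proxyarp_commands() {
    for i in $EXT_IF $INT_IF; do
        printf 'echo 1 > /proc/sys/net/ipv4/conf/%s/proxy_arp\n' "$i"
    done
}

# Option 2 for letting the two local subnets talk: route through the
# firewall. "multi" tells Shorewall eth1 carries more than one subnet.
shorewall_multi_config() {
    printf '# /etc/shorewall/interfaces\n'
    printf 'loc\t%s\tdetect\tmulti\n' "$INT_IF"
    printf '# /etc/shorewall/policy\n'
    printf 'loc\tloc\tACCEPT\n'
}

# Print each command, or execute it when APPLY=1 (root required).
run_or_show() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd"; else printf '%s\n' "$cmd"; fi
    done
}

main() {
    echo '# (a)+(b) address setup'
    address_commands | run_or_show
    echo '# (c) /etc/shorewall/proxyarp entries'
    proxyarp_entries
    echo '# or instead of (c): kernel proxy ARP on both NICs'
    kernel_proxyarp_commands | run_or_show
    echo '# inter-subnet traffic via the firewall'
    shorewall_multi_config
}
main
```

After applying, `ip route` should show NET2 reachable via eth1 and `ip addr show eth0` should list the /32; if the proxyarp entries are used, `shorewall restart` is needed for them to take effect. Ken's later report that HAVEROUTE had to be "No" in his setup is consistent with him having skipped step (b): without the eth1 route, Shorewall has to add it itself.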
Hullo there!

Thanks for the tips Tom. I'm gonna test this out and see how it goes. :)

Ken.

--- Tom Eastep <teastep@shorewall.net> wrote:
> On Thu, 2 May 2002, Arien Monster wrote:
>
> >
> > hope someone can help me here. I tried looking for
> > help in the archive, but didn't come up with what I
> > wanted.
>
> I'm not surprised -- I don't recall this ever coming up before.
>
> >
> > Anyways, here's my problem. I've been issued a batch
> > of IPs, and they're on two different subnets. So I
> > have two different gateways, and two different subnets
> > of IPs, and one firewall. My firewall has two NIC
> > cards, and I use proxyarp to map the IPs to the
> > servers (saves me from some hassles). My question is
> > this: is it possible to add the different subnet of my
> > external IP to the same firewall? My external nic is
> > eth0, and the internal is eth1. Hope someone could
> > help me with this.
> >
>
> I haven't tried this but it should work.
>
> a) Add the second gateway address to eth0 with no subnet.
> b) Add the same address to eth1 along with its subnet.
> c) Add the second subnet to /etc/shorewall/proxyarp with the "HAVEROUTE"
> column set to "Yes". Alternatively, simply arrange for both eth0 and eth1
> to have the proxy_arp flag set in /proc/sys/net/ipv4/conf and don't fool
> with Shorewall's proxy ARP config (You will have to have defined your
> other subnet locally in the same way).
>
> You have two choices for how to let the two subnets communicate:
>
> 1) Define a new subnet route on each local system to allow direct
> communication.
> 2) Route through your firewall:
>
> - set the 'multi' option on eth1 in /etc/shorewall/interfaces
> - add a loc->loc ACCEPT policy.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: tmeastep   \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
>
On Sun, 5 May 2002, Arien Monster wrote:
> Thanks for the tips Tom. I'm gonna test this out and
> see how it goes. :)

Please let us know how it turns out.

Thanks,
-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
I was just wondering why the main page www.shorewall.net has a title of Shoreline Firewall

---
Aaron Axelsen
AIM: AAAK2
Email: axelseaa@amadmax.com
URL: www.amadmax.com

"It said, "Insert disk #3," but only two will fit!"
"One picture is worth 128K words."
From the FAQ: Shorewall is a concatenation of "Shoreline" (the city where the developer lives) and "Firewall".

greetz
Johan

On Mon, 2002-05-06 at 07:38, Aaron Axelsen wrote:
> I was just wondering why the main page www.shorewall.net has a title of
> Shoreline Firewall
>
> ---
> Aaron Axelsen
> AIM: AAAK2
> Email: axelseaa@amadmax.com
> URL: www.amadmax.com
>
> "It said, "Insert disk #3," but only two will fit!"
> "One picture is worth 128K words."
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
>
On Mon, 6 May 2002, Aaron Axelsen wrote:
> I was just wondering why the main page www.shorewall.net has a title of
> Shoreline Firewall
>

Because that is the product's name -- 'Shorewall' is a contraction.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hi there...

I've managed to get it working (I think...)! I tried your suggestion but left out some parts.

--- Tom Eastep <teastep@shorewall.net> wrote:
> I haven't tried this but it should work.
>
> a) Add the second gateway address to eth0 with no subnet.

Didn't do this because I wasn't sure where to put the entry. So, what I did was make an alias for eth0 (eth0:1).

> b) Add the same address to eth1 along with its subnet.

Didn't do this at all because, again, I'm not sure how to do it.

> c) Add the second subnet to /etc/shorewall/proxyarp with the "HAVEROUTE"
> column set to "Yes". Alternatively, simply arrange for both eth0 and eth1
> to have the proxy_arp flag set in /proc/sys/net/ipv4/conf and don't fool
> with Shorewall's proxy ARP config (You will have to have defined your
> other subnet locally in the same way).
>

I put No, for the HAVEROUTE section under proxyarp. Initially was set to Yes, but it didn't work.

> You have two choices for how to let the two subnets communicate:
>
> 1) Define a new subnet route on each local system to allow direct
> communication.
> 2) Route through your firewall:
>
> - set the 'multi' option on eth1 in /etc/shorewall/interfaces
> - add a loc->loc ACCEPT policy.

Ok, here, I followed (2).

Now, while I'm quite happy that everything seems to be working, please do let me know if I should have done things some other way (or my firewall has become ineffective due to some setting or other).

Ken.
On Tue, 7 May 2002, Arien Monster wrote:
> Hi there...
>
> I've managed to get it working (I think...)! I tried
> your suggestion but left out some parts.
>
> please do let me know if I should have done
> things some other way (or my firewall has become
> ineffective due to some setting or other).
>

No -- what you did sounds fine.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net