Hi,

I need some help with the design of a firewall (and routing) system. My customer has an intranet and two 2Mbit lines to two different providers. At the moment one part of the machines in the intranet use Provider A and another part Provider B. There are two firewalls (one for every provider) doing masquerading (and they need to be replaced). On the side of Provider A there are some web servers, a DNS server and a small dial-in router.

Now it looks like this:

+----------------- +     +----+      +-----> Router Provider A
! Intranet         !     !    !      !
! 192.168.123.0/24 +-----! FW +------+  +----------------+
!                  !     !    !      +--+ Servers...     !
+--------+---------+     +----+      !  +----------------+
         !                           !
         !                           !  +----------------+
       +-+--+                        +--+ Dial-In Router !
       !    !                           +----------------+
       ! FW !
       !    !
       +----+
         !
         !   +--------+
         +---+ Server !
         !   +--------+
         !
         +-----> Router Provider B

There are different blocks of official IPs provided by the ISPs. Let's say:

IPs Provider A: a.b.c.d/28
                a.b.e.f/28
IPs Provider B: i.j.k.l/26

Now after some servers were hacked the customer wants everything to be behind a firewall. There are also some performance reasons for a redesign (accessing a server on the Provider B side via the FW on the Provider A side will go through the internet...).

My idea was to use one firewall (shorewall based ;-))))) and to put all the servers in a firewall protected DMZ. The dial-in router should stay unprotected (so the dial-in people have full internet access).

As the customer is not a RIPE member and is not participating in the providers' BGP there is no chance to do some kind of load balancing between the two lines. So the traffic from the intranet and DMZ will be split manually between the lines by using source based routing.

I think it should look like this:

+----------------- +     +-----+
! Intranet         !     !     !     +-----> Router Provider A
! 192.168.123.0/24 +-----! FW  +-----+
!                  !     !     !     +-----> Router Provider B
+------------------+     +--+--+     !
                            !        !
                            !        !  +----------------+
                            !        +--+ Dial-In Router !
                         +--+--+        +----------------+
                         ! DMZ !
                         +-----+

The one thing I'm not sure about is how to put the servers in the DMZ. I think I have three methods:

1. Giving the servers private IPs and setting up NAT
2. Setting up Proxy-ARP on the firewall (and leaving the IPs like they are)
3. Asking the providers to change the routing on their routers somehow (and leaving the IPs like they are)

Solution 3 sounds the "cleanest" to me.

I would be very happy if somebody would send me their thoughts.

Regards
Sascha

--------------------------------------------------------
Sascha Knific              K Systems & Design    Tel. +49-8151-773260
Wittelsbacherstr. 6a                             Fax. +49-8151-773262
82319 Starnberg, Germany                         Leo  +49-8151-773261
WGS84: N57°59'52.4" E11°20'34.3"
knific@k-sysdes.net        http://www.k-sysdes.net
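The "split manually by source based routing" part of the plan above, as an added example that is not code from the original post: it generates the `ip -batch` commands for two provider tables plus the `ip rule` entries that select them by source address, and includes a small simulator of the kernel's rule evaluation (lowest priority first, first match wins) so the split can be checked before it is loaded on the firewall. Every address, gateway, device and table number is an assumption; RFC 5737 documentation ranges stand in for the redacted ISP blocks.

```python
"""Source-based (policy) routing for a firewall with two provider lines.

Added example, not code from the original post. Everything below is an
assumption: RFC 5737 ranges stand in for the redacted ISP blocks, and the
gateways, devices and table numbers are made up for the example.
"""
from ipaddress import ip_address, ip_network

PROVIDERS = {
    # Provider A hands out two /28s, provider B one /26 (as in the post);
    # the provider router is assumed to sit inside the first block of each.
    "provA": {"table": 100, "gateway": "192.0.2.1", "dev": "eth0",
              "blocks": ["192.0.2.0/28", "192.0.2.64/28"]},
    "provB": {"table": 200, "gateway": "203.0.113.65", "dev": "eth1",
              "blocks": ["203.0.113.64/26"]},
}
# The masqueraded intranet is split by source address between the lines.
INTRANET = "192.168.123.0/24"
INTRANET_SPLIT = [("192.168.123.0/25", "provA"), ("192.168.123.128/25", "provB")]
DEFAULT_PROVIDER = "provA"   # main-table default for anything unmatched
LOCAL_NETS = [INTRANET] + [b for p in PROVIDERS.values() for b in p["blocks"]]


def build_rules():
    """Return (rules, commands).

    rules: list of (priority, "from"|"to", network, table) in load order.
    commands: lines suitable for `ip -batch -` (without the leading "ip").
    """
    rules, cmds = [], []
    prio = 100
    # Packets to a directly connected network must hit the main table first,
    # otherwise intranet-to-DMZ traffic would be pushed out to the provider.
    for net in LOCAL_NETS:
        rules.append((prio, "to", ip_network(net), "main"))
        cmds.append(f"rule add to {net} lookup main priority {prio}")
        prio += 1
    prio = 1000
    for name, p in PROVIDERS.items():
        cmds.append(f"route add default via {p['gateway']} dev {p['dev']} table {p['table']}")
        srcs = p["blocks"] + [blk for blk, n in INTRANET_SPLIT if n == name]
        for blk in srcs:
            rules.append((prio, "from", ip_network(blk), p["table"]))
            cmds.append(f"rule add from {blk} lookup {p['table']} priority {prio}")
            prio += 1
    d = PROVIDERS[DEFAULT_PROVIDER]
    cmds.append(f"route add default via {d['gateway']} dev {d['dev']}")
    return rules, cmds


def egress(src, dst):
    """Simulate the rule lookup for one packet.

    Returns "local" when the main table's connected route handles it,
    otherwise the name of the provider whose line it leaves on.
    """
    s, d = ip_address(src), ip_address(dst)
    rules, _ = build_rules()
    for _prio, kind, net, table in sorted(rules, key=lambda r: r[0]):
        hit = d in net if kind == "to" else s in net
        if not hit:
            continue
        if table == "main":
            return "local"
        return next(n for n, p in PROVIDERS.items() if p["table"] == table)
    return DEFAULT_PROVIDER


if __name__ == "__main__":
    for line in build_rules()[1]:
        print(line)
    print(egress("192.168.123.5", "8.8.8.8"), egress("192.168.123.200", "8.8.8.8"))
```

The `to <local net> lookup main` rules at priority 100 are the part people forget: without them a packet from the intranet to a proxy-ARPed DMZ address matches the `from 192.168.123.0/25` rule and is handed to provider A's table, which only knows a default route. Replies from DMZ servers are matched on their own public source address, so each block leaves on the line that announces it.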
Hi!

I am trying to revamp our internet security, and we'd like to begin offering VPN connections (PopTop) for our mobile staff. I haven't begun using Shorewall yet, but I'm very eager to!

I'd like to create something akin to the following diagram. I don't really want my DMZ to be on a third interface in my firewall, thus a forward firewall and a secondary firewall within the DMZ.

I'm confused about the proxy ARP option in Shorewall (even after reading the mini howto), and why I may or may not want to use it. If I understand correctly, the great advantage to using proxy ARP is that I can remove the firewall (ie: plug the router directly into the hub) and all the exposed hosts will still be available, since they would have legitimate routeable IPs. Is that it?

Are there any gotchas to this configuration that I may not be aware of? Is Proxy Arp superior to static NAT?

        INTERNET
           |
           |  eth0 (public IP block)
  +-------------------+
  |  forward firewall |
  +-------------------+
           |  eth1 (public or private IP?)
           |
        +-----+
        | hub |------- exposed servers for WWW, SMTP, POP3, etc
        +-----+        (public or private?)
           |
           |
           |  eth0 (public or private?)
  +-------------------+
  | internal firewall |  - running Poptop
  +-------------------+
           |  eth1 (192.168.0.100)
           |
        INTRANET

Thanks, Tom, for all your work on Shorewall - it looks to be the best of the bunch for iptables-based packages!

Cheers,
Scott
Scott,

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Scott Merrill
> Sent: Thursday, February 14, 2002 9:45 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Shorewall Newbie: DMZ and VPN
>
> I'm confused about the proxy ARP option in Shorewall (even after reading the
> mini howto), and why I may or may not want to use it. If I understand
> correctly, the great advantage to using proxy ARP is that I can remove the
> firewall (ie: plug the router directly into the hub) and all the exposed
> hosts will still be available, since they would have legitimate routeable
> IPs. Is that it?
>
> Are there any gotchas to this configuration that I may not be aware of? Is
> Proxy Arp superior to static NAT?

Proxy ARP has the following additional advantages over NAT:

A) Servers are known by exactly 1 IP address.
   - You don't need different Bind 9 DNS views for DMZ and for other users; or
   - You avoid kludges whereby intra-DMZ traffic has to be routed through a firewall just to do NAT (I gag every time I see people doing that).
   - You avoid self-identity problems with your servers (server doesn't know its FQDN or knows the wrong one).

B) You avoid problems with applications that don't deal well with NAT.

I originally used static NAT for my DMZ and I'm much happier with it since I switched to Proxy ARP.

> Thanks, Tom, for all your work on Shorewall - it looks to be the best of the
> bunch for iptables-based packages!

Thanks, Scott!

-Tom
--
Tom Eastep      \ Shorewall -- iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
On Thu Feb 02/14/02, 2002 at 05:32:28PM +0100, Sascha Knific wrote:
> 1. Giving the servers private IPs and setting up NAT
> 2. Setting up Proxy-ARP on the firewall (and leaving the IPs like they are)
> 3. Asking the providers to change the routing on their routers somehow
> (and leaving the IPs like they are)
>
> Solution 3 sounds the "cleanest" to me.

I think you may have overlooked a possible option, even cleaner and easier than #3 (it's the solution I would have used for myself if I could have talked the client into a four-legged firewall) -- If the provider gave you a large enough block of addresses, simply subnet it yourself. Put one side of the subnet on eth2 and the other on a hub connected to eth3, along with the hosts you want to filter for.

ASCII art is not my thing, so I won't even try to draw a picture of it here, but it's pretty straightforward -- if the provider gave you (e.g.) 172.16.0.128/28, and the provider's gateway address is 172.16.0.142, put eth2 on the outside with 172.16.0.141/29, eth3 on the inside with 172.16.0.134/29. (If the provider's GW is bottom-of-subnet instead of top-of-subnet, the lower IP address goes on the inside, and high on the outside, of course).

Double-check the arithmetic on the addresses and subnetting, of course, but I think that ought to get you started...

Hope this helps,
--
Greg White
Hi Scott,

Tom's away for the weekend, so you're left with the rest of us. Let me have a go at this one... (Insert standard disclaimer here.)

Scott Merrill wrote:
> Hi!
> I am trying to revamp our internet security, and we'd like to begin offering
> VPN connections (PopTop) for our mobile staff.

Here is a link worth reading if you are considering using PPTP in any form: http://www.counterpane.com/pptp.html. Short summary: you shouldn't trust a security protocol devised by Microsoft. :-)

> ...
> I'd like to create something akin to the following diagram. I don't really
> want my DMZ to be on a third interface in my firewall, thus a forward
> firewall and a secondary firewall within the DMZ.

I personally think that your design (outer guard -> DMZ -> inner guard) is in general a better firewall design than the one which uses 1 firewall and 3 interfaces (as per Tom's systems). It requires 1 more system, but it gives you double protection for your inner network.

> ...
> I'm confused about the proxy ARP option in Shorewall (even after reading the
> mini howto), and why I may or may not want to use it.

Have you read about Tom's network in the documentation? (See /usr/share/doc/shorewall-VERSION/documentation/myfiles.htm on an installed system.) The explanation he gives there is quite good. (Be sure to read the paragraph after the diagram.)

> If I understand
> correctly, the great advantage to using proxy ARP is that I can remove the
> firewall (ie: plug the router directly into the hub) and all the exposed
> hosts will still be available, since they would have legitimate routeable
> IPs. Is that it?

I'm not sure that being able to remove the firewall and still work is an advantage, but I think you've essentially got the right idea. What proxy ARP allows you to do is use real IP addresses on the other side of your firewall. I use it for my PPP dialin connections so that the systems on the LAN see PPP-based systems as LAN-based systems.

> Are there any gotchas to this configuration that I may not be aware of? Is
> Proxy Arp superior to static NAT?

I think that's the "how long is a piece of string?" problem. Whether or not proxy ARP is better than NAT depends on your application. If you don't need a real, visible IP address, static NAT may be less confusing (due to the fact that you're not mixing two different subnets on the same wire), but it really doesn't matter to the firewall.

Overall, your firewall design seems to be a reasonable one (although I personally wouldn't make PPTP part of my security strategy). I would also recommend that each of the systems in your DMZ run shorewall - the configuration should be quite simple.

Paul
http://paulgear.webhop.net
Thanks for the reply, Paul!

> > I am trying to revamp our internet security, and we'd like to begin offering
> > VPN connections (PopTop) for our mobile staff.
>
> Here is a link worth reading if you are considering using PPTP in any form:
> http://www.counterpane.com/pptp.html. Short summary: you shouldn't trust a
> security protocol devised by Microsoft. :-)

In my last job I was advised not to use PAP for RADIUS authentication because it meant sending plaintext passwords across the dial-up link. Much to the chagrin of my router VAR, I chose PAP: http://www.freeradius.org/faq/#4.4.1

I'd much rather have plaintext passwords travelling a dial-up phone connection than maintain all my users' passwords in plaintext on the server just so that they can be sent encrypted over the link. Security is inversely proportional to convenience. I think I'm comfortable with the weaknesses of PPTP for the convenience it provides.

[... more below ...]

> > I'm confused about the proxy ARP option in Shorewall (even after reading the
> > mini howto), and why I may or may not want to use it.
>
> Have you read about Tom's network in the documentation? (See
> /usr/share/doc/shorewall-VERSION/documentation/myfiles.htm on an installed
> system.) The explanation he gives there is quite good. (Be sure to read the
> paragraph after the diagram.)

I've read http://www.shorewall.net/myfiles.htm which I presume to be the same.

If I read that correctly, then the ethernet card local to the DMZ (eth1 in Tom's case) can have any IP address at all? Should it be a non-routable IP or one of the public IPs assigned to me?

Using the Proxy ARP configuration with valid IPs assigned to DMZ hosts and a non-routable IP on the firewall's DMZ interface, can I still use the "norfc1918" option in the interfaces file for my DMZ interface? (Since all DMZ hosts will have valid routable IPs, I should never see an RFC1918 address _except_ for the IP of the firewall NIC connected to the LAN.) The documentation doesn't qualify this.

> > If I understand
> > correctly, the great advantage to using proxy ARP is that I can remove the
> > firewall (ie: plug the router directly into the hub) and all the exposed
> > hosts will still be available, since they would have legitimate routeable
> > IPs. Is that it?
>
> I'm not sure that being able to remove the firewall and still work is an
> advantage, but I think you've essentially got the right idea. What proxy ARP

Heh. Point taken. But in my configuration, the DMZ hosts will be untrusted, and the inner firewall is ultimately responsible for protecting my private hosts. So if the forward firewall failed (or was offline for some reason), everything _should_ still work ... (ie: private hosts are protected, which is the _really_ important thing)

> Overall, your firewall design seems to be a reasonable one (although I
> personally wouldn't make PPTP part of my security strategy). I would also
> recommend that each of the systems in your DMZ run shorewall - the
> configuration should be quite simple.

Alas, not all the DMZ hosts are *NIX. Those that are will be properly locked down, of course.

Do you provide any sort of tunneling or remote accessibility? Do you recommend something in place of PPTP? I think our desire for VPN is pretty specific: we want to provide access to our custom intranet application remotely (this is all HTTP, so I suppose we could migrate it to HTTPS), we want to provide remote access to email without opening up POP3 to the whole world, and we have one employee (my boss) who telecommutes from his home several states away. I'm the only on-site technical person, so any solution must be reasonably easy to configure and support, multiplatform, and preferably low cost. The user experience needs to be easy to explain, and as easy to operate as possible. PPTP seems to fit the bill.

I recognize that no security solution will be 100% effective, or 100% impenetrable (short of cutting power or the network cable). I'm comfortable with the level of security things like PPTP provide our installation -- if someone _really_ wants to sniff our packets and decrypt our sessions, then they're just as likely to try other things that may yield easier success (social engineering, physical intrusion, etc).

I'm not trying to come across as argumentative - merely trying to explain my position. I am very interested in hearing about other options!

Cheers,
Scott
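The PAP-versus-CHAP trade-off in the message above (plaintext on the wire versus plaintext on the server), as an added example that is not from the thread: CHAP (RFC 1994) answers a challenge with MD5(id || secret || challenge), so the authenticator has to recompute that from the cleartext secret, while PAP delivers the password itself and the server can keep only a salted, stretched hash of it. The block also shows the flip side, that one sniffed CHAP exchange is enough to test password guesses offline. The secrets, challenges and wordlist are constructed for the example.

```python
"""PAP vs. CHAP: what the RADIUS/PPP authenticator has to keep.

Added example, not from the original thread. Users, secrets, challenges
and the candidate wordlist are constructed for the demonstration.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


# --- CHAP, RFC 1994 (peer side and authenticator side) ---------------------
def chap_response(ident, secret, challenge):
    """Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident, challenge, response, cleartext_secret):
    """The authenticator recomputes the response. It cannot do that from a
    one-way hash of the password, which is why CHAP servers keep secrets in
    cleartext (or reversibly encrypted)."""
    expected = chap_response(ident, cleartext_secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_offline_guess(ident, challenge, response, candidates):
    """What a sniffer can do with one captured exchange: test guesses at
    MD5 speed with no further interaction with the server."""
    for cand in candidates:
        if chap_response(ident, cand, challenge) == response:
            return cand
    return None


# --- PAP with a hashed credential store ------------------------------------
def pap_store(password, salt=None):
    """The password arrives in the clear over the link, so the server only
    needs a salted PBKDF2 digest of it at rest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def pap_verify(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password, record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    challenge = os.urandom(16)
    resp = chap_response(7, b"s3cret", challenge)
    print("CHAP verify:", chap_verify(7, challenge, resp, b"s3cret"))
    print("offline guess:", chap_offline_guess(7, challenge, resp, [b"password", b"s3cret"]))
    rec = pap_store(b"s3cret")
    print("PAP verify:", pap_verify(b"s3cret", rec),
          "store holds cleartext:", b"s3cret" in rec.values())
```

Neither side of the trade is free: with PAP an eavesdropper on the link gets the password outright, with CHAP the password database is the crown jewel and the captured exchange is still offline-guessable.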
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Scott Merrill
> Sent: Friday, February 15, 2002 5:39 AM
> To: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Shorewall Newbie: DMZ and VPN
>
> I've read http://www.shorewall.net/myfiles.htm which I presume to be the
> same.

It is.

> If I read that correctly, than the ethernet card local to the DMZ (eth1 in
> Tom's case) can have any IP address at all? Should it be a non-routable IP
> or one of the public IPs assigned to me?

I use an RFC1918 address -- why waste one of your public IP addresses on an internal interface?

> Using the Proxy ARP configuration with valid IPs assigned to DMZ hosts and a
> non-routable IP on the firewall's DMZ interface, can I still use the
> "norfc1918" option in the interfaces file for my DMZ interface?

No, although why you would want to I can't imagine.

> (Since all DMZ hosts will have valid routable IPs, I should never see an
> RFC1918 address _except_ for the IP of the firewall NIC connected to the
> LAN.) The documentation doesn't qualify this.

I was hoping that it was self evident but I'll say it here; specifying norfc1918 on an interface with an RFC 1918 address is a bad idea.

-Tom
Tom,

Hi neighbor - do you know where Ballard is?

You show in your diagram that the DMZ server has a public IP, yet you state that you use a NONRFC1918 address because you don't want to waste a public IP on an internal interface. I'm a little confused.

Since you do ProxyARP for the public IP, would it really be wasted as the interface address? Please keep in mind here that I know just enough to be dangerous.

That said, I'm studying with the intention of using Shorewall to replace an old firewall running on RedHat 5.2. I'm working with a LEAF version because the apparent simplicity appeals to me, but I can just as well use RH7.2. Why would I want to use RH7.2 over LEAF?

--
Sincerely,
David Smead
http://www.amplepower.com.

On Mon, 18 Feb 2002, Tom Eastep wrote:
> > -----Original Message-----
> > From: shorewall-users-admin@shorewall.net
> > [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Scott Merrill
> > Sent: Friday, February 15, 2002 5:39 AM
> > To: shorewall-users@shorewall.net
> > Subject: Re: [Shorewall-users] Shorewall Newbie: DMZ and VPN
> >
> > I've read http://www.shorewall.net/myfiles.htm which I presume to be the
> > same.
>
> It is.
>
> > If I read that correctly, than the ethernet card local to the DMZ (eth1 in
> > Tom's case) can have any IP address at all? Should it be a non-routable IP
> > or one of the public IPs assigned to me?
>
> I use an RFC1918 address -- why waste one of your public IP addresses on
> an internal interface?
>
> > Using the Proxy ARP configuration with valid IPs assigned to DMZ hosts and a
> > non-routable IP on the firewall's DMZ interface, can I still use the
> > "norfc1918" option in the interfaces file for my DMZ interface?
>
> No, although why you would want to I can't imagine.
>
> > (Since all DMZ hosts will have valid routable IPs, I should never see an
> > RFC1918 address _except_ for the IP of the firewall NIC connected to the
> > LAN.) The documentation doesn't qualify this.
>
> I was hoping that it was self evident but I'll say it here; specifying
> norfc1918 on an interface with an RFC 1918 address is a bad idea.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
>
Paul Gear
2002-Feb-19 07:11 UTC
RH 7.2 vs. LEAF (Re: [Shorewall-users] Shorewall Newbie: DMZ and VPN)
David Smead wrote:
> ...
> That said, I'm studying with the intention of using Shorewall to replace
> an old firewall running on RedHat 5.2. I'm working with a LEAF version
> because the apparent simplicity appeals to me, but I can just as well use
> RH7.2. Why would I want to use RH7.2 over LEAF?

I'd be interested in people's comments on this, too. I'm presently running RH 7.1/2 on all the systems I run Shorewall on, but if LEAF is a lower administrative overhead, I'd probably be interested in looking at it...

Paul
http://paulgear.webhop.net
Hi,

I was kind of busy the last day but now my conclusion:

We have two 4-bit IP subnets from provider A and one 6-bit subnet from provider B.

I will set up plain proxy-arp for the two 4-bit subnets (subnetting them would lose too many IPs). Maybe I can ask the provider to change the routing for one subnet so we could get one more IP (the one used by the provider's router).

The 6-bit subnet I'm going to subnet or set up proxy-arp subnetting (I read the mini-howto but it's still quite confusing ;-))). Proxy-arp seems to save me 2 IPs over subnetting (one for the network or broadcast and one for the extra for the firewall).

Thanks Tom, Thanks Greg!

Sascha

--------------------------------------------------------
Sascha Knific              K Systems & Design    Tel. +49-8151-773260
Wittelsbacherstr. 6a                             Fax. +49-8151-773262
82319 Starnberg, Germany                         Leo  +49-8151-773261
WGS84: N57°59'52.4" E11°20'34.3"
knific@k-sysdes.net        http://www.k-sysdes.net
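The subnet arithmetic from Greg White's reply (outside and inside /29 carved from a /28, firewall addresses next to the gateway) and the "how many addresses does each approach cost" question in Sascha's conclusion above, worked with the ipaddress module as an added example that is not code from the thread, so the figures can be checked for any block. The block, the gateway position and the assumption that under proxy ARP the firewall's DMZ-side interface uses an RFC 1918 address (as Tom describes for his own setup) are inputs to the calculation, not facts from the thread.

```python
"""Address budget of a provider block: subnet it, or proxy-ARP it whole.

Added example, not code from the thread. The block and gateway are the
ones from Greg White's reply; every other choice is an assumption.
"""
from ipaddress import ip_address, ip_network


def split_for_routed_dmz(block, gateway):
    """Split `block` into two equal halves: the half holding the provider
    gateway is the outside link net, the other half the filtered DMZ.

    The firewall takes the outside address next to the gateway and the
    inside address at the DMZ end nearest the gateway, mirroring the
    top-of-subnet / bottom-of-subnet rule from the reply.
    """
    net = ip_network(block)
    gw = ip_address(gateway)
    if gw not in net:
        raise ValueError("gateway is not inside the block")
    low, high = net.subnets(prefixlen_diff=1)
    outside, inside = (high, low) if gw in high else (low, high)
    out_hosts = list(outside.hosts())
    in_hosts = list(inside.hosts())
    if gw == out_hosts[-1]:            # gateway at top of its half
        fw_out, fw_in = out_hosts[-2], in_hosts[-1]
    elif gw == out_hosts[0]:           # gateway at bottom of its half
        fw_out, fw_in = out_hosts[1], in_hosts[0]
    else:                              # anywhere else: first free ones
        fw_out = next(h for h in out_hosts if h != gw)
        fw_in = in_hosts[-1]
    return {
        "outside": str(outside), "fw_outside": str(fw_out),
        "inside": str(inside), "fw_inside": str(fw_in),
        "dmz_hosts": [str(h) for h in in_hosts if h != fw_in],
        "outside_spare": [str(h) for h in out_hosts if h not in (gw, fw_out)],
    }


def address_budget(block, gateway):
    """Server addresses available under each approach.

    proxy_arp_servers: whole block minus gateway minus the firewall's
        external address; the DMZ-side interface is RFC 1918 (assumed),
        so it costs nothing from the block.
    subnet_dmz_servers: filtered hosts available on the inside half.
    subnet_outside_spare: unfiltered hosts left on the outside half.
    """
    net = ip_network(block)
    split = split_for_routed_dmz(block, gateway)
    return {
        "proxy_arp_servers": len(list(net.hosts())) - 2,
        "subnet_dmz_servers": len(split["dmz_hosts"]),
        "subnet_outside_spare": len(split["outside_spare"]),
    }


if __name__ == "__main__":
    print(split_for_routed_dmz("172.16.0.128/28", "172.16.0.142"))
    print(address_budget("172.16.0.128/28", "172.16.0.142"))
```

Running it for the /28 in Greg's reply reproduces his .141/.134 pair; the budget function makes the cost of subnetting explicit (a second network and broadcast address plus a second firewall address), which is what decides between plain proxy ARP and a routed split for a small block.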
Hi David,

> -----Original Message-----
> From: David Smead [mailto:smead@amplepower.com]
> Sent: Monday, February 18, 2002 10:43 PM
> To: Tom Eastep
> Cc: shorewall-users@shorewall.net
> Subject: RE: [Shorewall-users] Shorewall Newbie: DMZ and VPN
>
> Tom,
>
> Hi neighbor - do you know where Ballard is?

Sure do -- when we lived in Broadview, we used to dine regularly in Ballard and my doctor of 25 years practiced in Ballard before he had to retire due to health reasons.

> You show in your diagram that the DMZ server has a public IP, yet you
> state that you use a NONRFC1918 address because you don't want to waste a
> public IP on an internal interface. I'm a little confused.

I was referring to the DMZ interface on the firewall.

> Since you do ProxyARP for the public IP, would it really be wasted as the
> interface address? Please keep in mind here that I know just enough to be
> dangerous.

Again, I was referring to the IP of eth1 on the firewall (192.168.2.1).

> That said, I'm studying with the intention of using Shorewall to replace
> an old firewall running on RedHat 5.2. I'm working with a LEAF version
> because the apparent simplicity appeals to me, but I can just as well use
> RH7.2. Why would I want to use RH7.2 over LEAF?

I use a very stripped down version of RH7.2 on my firewall. I do that because:

a) It makes administration uniform over all of my Linux boxes.

b) If I want to install a package on my firewall, I know I will be able to find it and that it will be reasonably recent.

c) Until recently, CD-based LEAF distributions weren't available.

The arguments in favor of LEAF are:

a) More secure. This one is subject to debate but if you are able to run a floppy-only, solid-state disk or CD-based version of LEAF with no hard drive, that's probably true.

b) More reliable. IMHO, this is only true if your system can recover from a power failure without manual intervention. This leaves out multi-floppy, single-drive configurations.

-Tom
--
Tom Eastep      \ Shorewall -- iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
> Hi David,
>
> > -----Original Message-----
> > From: David Smead [mailto:smead@amplepower.com]
> > Sent: Monday, February 18, 2002 10:43 PM
> > To: Tom Eastep
> > Cc: shorewall-users@shorewall.net
> > Subject: RE: [Shorewall-users] Shorewall Newbie: DMZ and VPN
> >
> > Tom,
> >
> > Hi neighbor - do you know where Ballard is?
>
> Sure do -- when we lived in Broadview, we used to dine regularly in
> Ballard and my doctor of 25 years practiced in Ballard before he had to
> retire due to health reasons.

Just to confuse the issue, I'm married to a Ballard, but we live on Whidbey Island, though her brother, also a Ballard, works in Shoreline!

<snip>

> > That said, I'm studying with the intention of using Shorewall to replace
> > an old firewall running on RedHat 5.2. I'm working with a LEAF version
> > because the apparent simplicity appeals to me, but I can just as well use
> > RH7.2. Why would I want to use RH7.2 over LEAF?
>
> I use a very stripped down version of RH7.2 on my firewall. I do that
> because:
>
> a) It makes administration uniform over all of my Linux boxes.
>
> b) If I want to install a package on my firewall, I know I will be able
> to find it and that it will be reasonably recent.
>
> c) Until recently, CD-based LEAF distributions weren't available.
>
> The arguments in favor of LEAF are:
>
> a) More secure. This one is subject to debate but if you are able to run
> a floppy-only, solid-state disk or CD-based version of LEAF with no hard
> drive, that's probably true.
>
> b) More reliable. IMHO, this is only true if your system can recover
> from a power failure without manual intervention. This leaves out
> multi-floppy, single-drive configurations.

The LEAF Bering distro (http://leaf.sourceforge.net/devel/jnilo/) includes Shorewall and can run from a single floppy. I'm currently running Shorewall on a LEAF-based system that relies on BusyBox for many functions and uses uClibc instead of glibc. Everything fits on a single floppy and the system recovers quite nicely from our frequent power outages.

One concern is that Shorewall takes a long time to load on the ancient machines used for many LEAF systems (loading time nearly 2 minutes on a 486/33; much better, at about 22 seconds on a Pentium133).

> -Tom
> --
> Tom Eastep      \ Shorewall -- iptables made easy
> AIM: tmeastep    \ http://www.shorewall.net
> ICQ: #60745924    \ teastep@shorewall.net

-Richard
> One concern is that Shorewall takes a long time to load on the ancient
> machines used for many LEAF systems (loading time nearly 2 minutes on a
> 486/33; much better, at about 22 seconds on a Pentium133).

Yes -- I've retired my stable of 486s here and am on the lookout for cheapie used Pentiums...

-Tom
Paul Gear
2002-Feb-19 19:38 UTC
RH 7.2 vs. LEAF (Re: [Shorewall-users] Shorewall Newbie: DMZ and VPN)
Tom Eastep wrote:
> ...
> > RH7.2. Why would I want to use RH7.2 over LEAF?
>
> I use a very stripped down version of RH7.2 on my firewall. I do that
> because:
>
> a) It makes administration uniform over all of my Linux boxes.
>
> b) If I want to install a package on my firewall, I know I will be able
> to find it and that it will be reasonably recent.

Those points have just convinced me to stick with Red Hat - mainly the 1st one. (Not to mention that it's going to take me another 2 hours to work out which version of LEAF I need to use. :-)

Paul
http://paulgear.webhop.net
Tom Eastep
2002-Feb-19 19:40 UTC
RH 7.2 vs. LEAF (Re: [Shorewall-users] Shorewall Newbie: DMZ and VPN)
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Paul Gear
> Sent: Tuesday, February 19, 2002 11:38 AM
> To: shorewall-users@shorewall.net
> Subject: Re: RH 7.2 vs. LEAF (Re: [Shorewall-users] Shorewall Newbie: DMZ and VPN)
>
> Those points have just convinced me to stick with Red Hat - mainly the 1st
> one. (Not to mention that it's going to take me another 2 hours to work
> out which version of LEAF I need to use. :-)

If you want to use Shorewall, the choices there aren't very wide currently -- they will probably become wider though as time goes on.

-Tom
--
Tom Eastep      \ Shorewall -- iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
I don't know what is classified cheap, but here are some Dell Optiplex 575 units for $75: http://colemelville.com/pcs.htm. They are warehoused in Seattle.

We're using one of the Dell 575 that was purchased at Boeing Surplus about 3 years ago. It's stuffed with 3 PCI NICs and 1 ISA NIC for our current firewall. Without a CD, you'll either have to run LEAF, or do an install on the hard drive in another machine - at least that's what we did to get RH5.2 on it.

--
Sincerely,
David Smead
http://www.amplepower.com.
> We're using one of the Dell 575 that was purchased at Boeing Surplus about
> 3 years ago. It's stuffed with 3 PCI NICs and 1 ISA NIC for our current
> firewall. Without a CD, you'll either have to run LEAF, or do an install
> on the hard drive in another machine - at least that's what we did to get
> RH5.2 on it.

One of my most favored features of Linux is the ability to do network installations. Recent Red Hat distributions have moved the net install into separate boot images, so you'll need to manually create the boot disk (rawrite from a Windows box, or dd from another Linux). I've installed several no-CD systems this way. It's also extremely handy when you forget your source media at home. =)

Cheers,
Scott
I've got Shorewall working well enough that it's now protecting the office network (instead of just my test machine.)

What I haven't gotten to work is the FTP server in the DMZ. My local subnet is 192.168.100.xxx and the DMZ FTP server is 192.168.200.10. From a local machine, if I try to ftp to the DMZ server, I get a host unreachable error, no route to host.

My params file has:

NET_DMZ_TCP_PORTS1=21
NET_DMZ_UDP_PORTS1=none
LOC_DMZ_TCP_PORTS1=21,22
LOC_DMZ_UDP_PORTS1=none
FW_DMZ_TCP_PORTS1=none
FW_DMZ_UDP_PORTS1=none
DMZ_SERVER1=192.168.200.10

My gateway is to 192.168.100.1, which is eth1 on the Shorewall box. 192.168.200.1 is eth2 on the Shorewall box. Any ideas what I'm missing?

Running nmap on the DMZ FTP server does show ports 21, and 22 open.

Gar
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Gar Nelson
> Sent: Friday, February 22, 2002 9:10 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] getting to the DMZ
>
> I've got Shorewall working well enough that it's now protecting the office
> network (instead of just my test machine.)
>
> What I haven't gotten to work is the FTP server in the DMZ. My local subnet
> is 192.168.100.xxx and the DMZ FTP server is 192.168.200.10. From a local
> machine, if I try to ftp to the DMZ server, I get a host unreachable error,
> no route to host.

What does "route -n" show on your Firewall?

> My params file has:
>
> NET_DMZ_TCP_PORTS1=21
> NET_DMZ_UDP_PORTS1=none
> LOC_DMZ_TCP_PORTS1=21,22
> LOC_DMZ_UDP_PORTS1=none
> FW_DMZ_TCP_PORTS1=none
> FW_DMZ_UDP_PORTS1=none
> DMZ_SERVER1=192.168.200.10
>
> My gateway is to 192.168.100.1, which is eth1 on the Shorewall box.
> 192.168.200.1 is eth2 on the Shorewall box. Any ideas what I'm missing?
>
> Running nmap on the DMZ FTP server does show ports 21, and 22 open.

This doesn't sound like a Shorewall problem....

-Tom
--
Tom Eastep      \ Shorewall -- iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
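The check Tom is asking for, as an added example that is not code from the thread: it parses `route -n` output from the firewall and answers "which route would carry a packet to 192.168.200.10" with the same longest-prefix match the kernel uses, then compares that against the interface the DMZ is supposed to be on. The two routing tables below are constructed samples; in the first one the 192.168.200.0/24 entry for eth2 is deliberately missing, so the DMZ host falls through to the default route instead of the connected subnet. Interface names and the default gateway are assumptions.

```python
"""Check the firewall's kernel routing table for a DMZ host.

Added example, not code from the thread. The tables below are constructed
samples; addresses follow the ones in Gar's post, the uplink is invented.
"""
from ipaddress import ip_address, ip_network

# Constructed `route -n` output: the eth2 route is missing on purpose.
BROKEN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
"""

# Constructed: same box with the DMZ interface configured.
FIXED = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_n(text):
    """Turn `route -n` lines into route dicts; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts[:8]
        routes.append({
            "net": ip_network(f"{dest}/{mask}", strict=False),
            "gateway": None if gw == "0.0.0.0" else ip_address(gw),
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it; None if nothing matches."""
    d = ip_address(dst)
    best = None
    for r in routes:
        if d in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best


def diagnose(text, dmz_host, dmz_iface):
    """Explain where a packet to `dmz_host` would go and whether that is
    the directly connected DMZ interface we expect."""
    r = lookup(parse_route_n(text), dmz_host)
    if r is None:
        return "no route: the kernel will answer ICMP network unreachable"
    if r["iface"] != dmz_iface:
        return (f"{dmz_host} would leave via {r['iface']} ({r['net']}), not {dmz_iface}: "
                f"DMZ subnet is missing from the routing table")
    if r["gateway"] is not None:
        return f"route via gateway {r['gateway']} on {dmz_iface}, expected a directly connected subnet"
    return f"ok: {r['net']} directly connected on {dmz_iface}"


if __name__ == "__main__":
    print(diagnose(BROKEN, "192.168.200.10", "eth2"))
    print(diagnose(FIXED, "192.168.200.10", "eth2"))
```

If the DMZ subnet shows up correctly on the firewall, the same check is worth running on the client: "no route to host" can equally come from the client's own table or from an ICMP unreachable the firewall sends when its eth2 has no address or the link is down.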