On our present firewall, running on RH5.2, we put in two local interfaces so that big file transfers done in engineering didn't load up accounting. Then we went to a dot.gone auction and picked up a 24 port switch for cheap, and just plugged it in.

Now we're preparing a new firewall using Shorewall, and I can't find a reason to maintain two local interfaces on the firewall, since the switch isolates the accounting and engineering subnets internally.

At the moment the two subnets are 192.168.2.0/24 and 192.168.8.0/24. While engineering makes extensive use of the Internet, accounting generally uses it just to access UPS shipping functions, so I'm not too concerned about collisions at the firewall/DSL interfaces.

By combining them on one interface I can save a NIC. What complications arise regarding broadcast addresses and what other problems am I going to encounter?

By the way, we do have a webserver in a DMZ, and putting four NICs in the present firewall was a hassle with three PCI cards and one ISA card - the age old number of interrupts problem.

--
Sincerely,
David Smead
http://www.amplepower.com.
David,

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of David Smead
> Sent: Tuesday, February 19, 2002 11:27 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] One/two local interfaces
>
> At the moment the two subnets are 192.168.2.0/24 and 192.168.8.0/24. While engineering makes extensive use of the Internet, accounting generally uses it just to access UPS shipping functions, so I'm not too concerned about collisions at the firewall/DSL interfaces.
>
> By combining them on one interface I can save a NIC. What complications arise regarding broadcast addresses and what other problems am I going to encounter?

The broadcast addresses are handled in the /etc/shorewall/interfaces file by simply listing both broadcast addresses separated by a comma.

If you have engineering and accounting in the same zone and they need to communicate, you will need to specify "multi" on the local interface's entry in /etc/shorewall/net.

> By the way, we do have a webserver in a DMZ, and putting four NICs in the present firewall was a hassle with three PCI cards and one ISA card - the age old number of interrupts problem.

4-port NICs solve these problems nicely.

-Tom
--
Tom Eastep \ Shorewall -- iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom,

Thanks for the help.

According to the manual on the Netgear switch, it will learn what ports are connected to what hosts and make the connections as required. I'm assuming that the .2 and .8 subnets will be able to talk via the switch and not need to do so at the firewall, but we all know where assumptions lead.

Do you have a suggestion on a 4-port NIC?

--
Sincerely,
David Smead
http://www.amplepower.com.

On Wed, 20 Feb 2002, Tom Eastep wrote:

> David,
>
> > -----Original Message-----
> > From: shorewall-users-admin@shorewall.net
> > [mailto:shorewall-users-admin@shorewall.net] On Behalf Of David Smead
> > Sent: Tuesday, February 19, 2002 11:27 PM
> > To: shorewall-users@shorewall.net
> > Subject: [Shorewall-users] One/two local interfaces
> >
> > At the moment the two subnets are 192.168.2.0/24 and 192.168.8.0/24. While engineering makes extensive use of the Internet, accounting generally uses it just to access UPS shipping functions, so I'm not too concerned about collisions at the firewall/DSL interfaces.
> >
> > By combining them on one interface I can save a NIC. What complications arise regarding broadcast addresses and what other problems am I going to encounter?
>
> The broadcast addresses are handled in the /etc/shorewall/interfaces file by simply listing both broadcast addresses separated by a comma.
>
> If you have engineering and accounting in the same zone and they need to communicate, you will need to specify "multi" on the local interface's entry in /etc/shorewall/net.
>
> > By the way, we do have a webserver in a DMZ, and putting four NICs in the present firewall was a hassle with three PCI cards and one ISA card - the age old number of interrupts problem.
>
> 4-port NICs solve these problems nicely.
>
> -Tom
> --
> Tom Eastep \ Shorewall -- iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of David Smead
> Sent: Wednesday, February 20, 2002 2:47 PM
> To: shorewall-users@shorewall.net
> Subject: RE: [Shorewall-users] One/two local interfaces
>
> Tom,
>
> Thanks for the help.
>
> According to the manual on the Netgear switch, it will learn what ports are connected to what hosts and make the connections as required. I'm assuming that the .2 and .8 subnets will be able to talk via the switch and not need to do so at the firewall, but we all know where assumptions lead.

They will do that only if you have the appropriate routes established on each client. If not, all traffic between the two subnets will pass through your firewall. Remember that a switch is a layer 2 device so it will learn which MAC addresses (not IP addresses) correspond to which ports.

> Do you have a suggestion on a 4-port NIC?

I've heard good reports about the DLINK DFE-570TX.

-Tom
--
Tom Eastep \ Shorewall -- iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
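The routing point Tom makes above, worked through as an added Python example (this is not code from the thread or from the Shorewall project). It runs a longest-prefix-match lookup over two constructed client routing tables to show when a packet from a 192.168.2.0/24 host to 192.168.8.0/24 is delivered on-link by the switch and when it is sent to the firewall instead, and it builds the comma-separated broadcast list Tom describes for /etc/shorewall/interfaces. The firewall address 192.168.2.1 and the device name eth0 are assumptions, not values from the thread.

```python
import ipaddress

# Assumed firewall address on the shared local interface (not given in the thread).
FIREWALL = "192.168.2.1"

# Routing table entries: (prefix, gateway or None for on-link, device).
# Constructed sample: an engineering host with only its own subnet and a
# default route pointing at the firewall.
ENG_DEFAULT_ONLY = [
    ("192.168.2.0/24", None, "eth0"),
    ("0.0.0.0/0", FIREWALL, "eth0"),
]

# Constructed sample: the same host with an explicit on-link route for the
# accounting subnet, i.e. "the appropriate routes established on each client".
ENG_WITH_ROUTE = ENG_DEFAULT_ONLY + [("192.168.8.0/24", None, "eth0")]


def lookup(routes, dst):
    """Longest-prefix-match route lookup. Returns (gateway, device) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


def path(routes, dst):
    """Describe how a packet to dst leaves this host."""
    hit = lookup(routes, dst)
    if hit is None:
        return "unreachable"
    gw, dev = hit
    if gw is None:
        # On-link: the host ARPs for dst directly and the switch forwards the
        # frame by MAC address. The firewall's rules never see this traffic.
        return f"on-link via {dev} (switch delivers it by MAC; firewall never sees it)"
    if gw == FIREWALL:
        return f"via firewall {gw} (firewall rules apply)"
    return f"via gateway {gw}"


def interfaces_broadcast_column(subnets):
    """Comma-separated broadcast list for the shared interface's entry."""
    return ",".join(str(ipaddress.ip_network(s).broadcast_address) for s in subnets)


if __name__ == "__main__":
    for table, name in ((ENG_DEFAULT_ONLY, "default only"), (ENG_WITH_ROUTE, "with .8 route")):
        print(f"{name:14} -> 192.168.8.5: {path(table, '192.168.8.5')}")
    print("broadcast column:", interfaces_broadcast_column(["192.168.2.0/24", "192.168.8.0/24"]))
```

The design point for a defender: once both subnets share one switch and one firewall interface, whether the firewall can enforce anything between engineering and accounting depends entirely on the clients' routing tables, and any host that adds an on-link route for the other subnet talks to it at layer 2 regardless of firewall policy. If separating the two departments matters, the two-interface design (or a switch that separates them below the IP layer) is what actually keeps the firewall in the path.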