Francesca,
Shorewall works fine in an environment where you have multiple external IPs
and want to filter differently on each:
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net fw:<ip addr 1> tcp a,b,c,d,e...
ACCEPT net fw:<ip addr 1> udp w,x,y,z,...
ACCEPT net fw:<ip addr 2> tcp p,q,r,s...
...
You only need a single zone (net).
For your single-address DNS servers, a very simple ruleset should be all
that you need. Allow (in and out) only those services that you need; on
input, DROP everything else and on output, REJECT everything else. These are
just a degenerate case of the multiple-IP example above.
-Tom
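A concrete Shorewall configuration for the two cases described above (a web host with two public addresses filtered differently, and a single-address DNS host), added here as an example and not taken from the original thread; the interface names and the 192.0.2.x addresses are constructed placeholders.

```text
# /etc/shorewall/interfaces -- both public NICs belong to the single "net" zone
# (eth0/eth1 are constructed placeholders)
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect
net     eth1       detect

# /etc/shorewall/policy -- unsolicited input is dropped, unlisted output rejected
#SOURCE DEST  POLICY  LOG LEVEL
net     fw    DROP    info
fw      net   REJECT  info
all     all   REJECT  info

# /etc/shorewall/rules on the web host
# Address A (192.0.2.10, constructed) is the management side: ssh, ftp, smtp
# Address B (192.0.2.11, constructed) exposes only the public services
#ACTION SOURCE  DEST            PROTO  DEST PORT(S)
ACCEPT  net     fw:192.0.2.10   tcp    21,22,25
ACCEPT  net     fw:192.0.2.11   tcp    21,80,443
# Outbound connections the host itself needs (DNS lookups, outbound mail);
# everything else leaving the box hits the fw->net REJECT policy
ACCEPT  fw      net             udp    53
ACCEPT  fw      net             tcp    25,53

# /etc/shorewall/rules on a single-address DNS host: no per-address split,
# so the DEST column is just the zone name
#ACTION SOURCE  DEST   PROTO  DEST PORT(S)
ACCEPT  net     fw     udp    53
ACCEPT  net     fw     tcp    53
ACCEPT  net     fw     tcp    22
ACCEPT  fw      net    udp    53
ACCEPT  fw      net    tcp    53
```

Passive-mode FTP data connections are accepted only through the kernel's FTP connection-tracking helper, so confirm it is loaded on the hosts that serve port 21.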
----- Original Message -----
From: Francesca C Smith
To: shorewall-users@shorewall.net
Sent: Tuesday, March 12, 2002 10:09 AM
Subject: [Shorewall-users] A Few Questions
I run an ISP hosting company and use a variety of servers for my customers ..
Here's the deal
I need to run firewalls on all my machines .. (Why have two DNS servers for
redundancy and only one firewall as a single point of failure for example)
Is just simple port blocking all I need on the DNS servers ?? .. I don't
re-direct or forward packets at all .. I'm also thinking if I just harden the
DNS, FTP and sendmail on these I don't even need a firewall .. I just have to
set up blocks for port scans and denial of service attacks.
I have web servers with multiple static IP addressed ethernet interfaces ..
Can Shorewall work with those and filter differently on each ?? On these I'm
thinking one interface can handle things like ssh, ftp, sendmail .. et al.
and the other interfaces only need ports 80, 443 and 21 open .. Once again I'm
sure I'm not needing forwarding here. Just the usual hardened approach I'm
taking with the DNS machines.
I'm just doing a sanity check here .. Really have not seen anyone doing
multiple IP based interfaces .. NAT and such yes .. Forwarding yes .. but
nothing as simple as this ..
Thanks,
Francesca